A newly identified malware family, known as GodLoader, has raised concern in the cybersecurity community because it can covertly infect devices running Windows, macOS, Linux, Android, and iOS.
Disclosed by Check Point Research, the malware abuses the Godot Engine, a widely used open-source game development platform, to execute malicious scripts while slipping past most antivirus software.
GodLoader uses GDScript, the Godot Engine's scripting language, to deliver and run malicious payloads. GDScript, a Python-like language designed for game development, lets developers generate dynamic content. Attackers have turned that same flexibility into scripts that perform malicious actions.
The distribution of this malware occurs through the Stargazers Ghost Network, an advanced “Malware-as-a-Service” operation hosted on GitHub. During September and October 2024, more than 200 repositories and 225 accounts were utilized to disseminate GodLoader.
These repositories posed as legitimate projects, leveraging GitHub’s “starring” feature to deceive unsuspecting users.
Once downloaded, GodLoader executes its payload by either embedding or dynamically loading malicious .pck files (the archives Godot uses to bundle game assets), according to Check Point researchers.
These files consist of encrypted GDScripts that are decrypted and executed by the engine. The malware also employs sophisticated evasion techniques, such as anti-sandboxing and anti-virtual machine checks, to evade detection.
GodLoader Cross-Platform Capabilities
One of the most alarming aspects of GodLoader is its cross-platform adaptability. The Godot Engine enables developers to export projects to various platforms with minimal adjustments. Malicious actors have exploited this feature to target:
- Windows: Initial samples indicated successful payload delivery on Windows systems.
- macOS and Linux: Proof-of-concept attacks showed that the same techniques can be adapted with minor modifications.
- Android: Although still in developmental stages, researchers assert that an Android edition is achievable.
- iOS: Implementing on iOS faces hurdles due to Apple’s strict App Store regulations but remains a plausible threat.
This versatility renders GodLoader a potent tool for malicious actors seeking to widen their impact across diverse operating systems.
The Stargazers Ghost Network played a pivotal role in disseminating GodLoader. Between June and October 2024, the network initiated multiple campaigns using GitHub repositories to host malicious data. These repositories were consistently updated via automated bots to seem legitimate and entice unaware users.
The infection chain begins with the download of a seemingly harmless archive containing an executable and .pck resources. On execution, the malware decrypts the .pck file, runs the malicious GDScripts it contains, and downloads additional payloads from remote servers. In the observed campaigns these payloads included cryptocurrency miners such as XMRig and information stealers such as RedLine.
GodLoader is a significant hazard because it exploits a legitimate tool, the Godot Engine. With over 1.2 million users of games built on Godot potentially at risk, attackers could target gamers by replacing genuine .pck files with infected ones or by distributing tampered game modifications.
The malware's ability to go unnoticed by most antivirus software adds to the threat. Check Point researchers found that several infected archives had been downloaded more than 17,000 times without triggering any security warnings.
Remedial Tactics
To safeguard against threats like GodLoader:
- Consistently update operating systems and applications.
- Refrain from downloading software from untrusted sources.
- Deploy robust endpoint security solutions capable of identifying advanced threats.
- Educate employees and users about phishing techniques and suspicious downloads.
- Developers utilizing the Godot Engine should secure .pck files with asymmetric encryption methods to deter tampering.
GodLoader symbolizes a fresh realm in cross-platform malware evolution, capitalizing on the trust in open-source tools like the Godot Engine. Its discreet distribution strategies and advanced evasion methods underscore the escalating sophistication of cyber threats.
As attackers persist in innovation, attentiveness and proactive security measures are vital to counteract the risks posed by such multi-platform malware.
Indicators of Compromise
| Description | Value |
|---|---|
| Archive distributed by Stargazers Ghost Network | 260f06f0c6c1544afcdd9a380a114489ebdd041b846b68703158e207b7c983d6 |
| Launcherkks.exe | 3317b8e19e19218e5a7c77a47a76f36e37319f383b314b30179b837e46c87c45 |
| Launcherkks.pck | 0d03c7c6335e06c45dd810fba6c52cdb9eafe02111da897696b83811bff0be92 |
| RedLine | 604fa32b76dbe266da3979b7a49e3100301da56f0b58c13041ab5febe55354d2 |
| RedLine | 6be9c015c82645a448831d9dc8fcae4360228f76dff000953a76e3bf203d3ec8 |
| XMRig | b1a351ee61443b8558934dca6b2fa9efb0a6d2d18bae61ace5a761596604dbfa |
| RedLine C&C | 147.45.44.83:6483 |
| RedLine C&C | 185.196.9.26:6302 |
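The two delivery methods described above (a standalone .pck file, or a pack appended to an executable) both leave a recognisable structure that a triage script can look for, and the hash table above can be matched at the same time. The following is an added example written for this page, not code from Check Point or the Godot project. It relies on the header layout used by Godot's pack reader: the file begins with the magic `GDPC`, followed by the pack format version and the engine major/minor/patch versions, a flags word plus file base in format version 2 (Godot 4), 16 reserved words and the file count; an executable with an embedded pack ends with the pack bytes, a 64-bit pack size and a trailing `GDPC`. The `PCK_DIR_ENCRYPTED` flag value and the sample bytes below are assumptions constructed for the demonstration; the SHA-256 values come from the table above.

```python
"""Triage helper for Godot .pck delivery: spot pack structures (standalone or
appended to an executable) and match SHA-256 digests against the published IoCs.
Added example for this article; not Check Point or Godot project code."""
import hashlib
import struct
from typing import Optional

PCK_MAGIC = b"GDPC"          # magic at the start of a pack (and at the tail of an embedded one)
PCK_DIR_ENCRYPTED = 1 << 0   # assumed Godot 4 pack flag: file directory is encrypted

# SHA-256 indicators quoted from the article's table.
IOC_SHA256 = {
    "260f06f0c6c1544afcdd9a380a114489ebdd041b846b68703158e207b7c983d6": "archive (Stargazers Ghost Network)",
    "3317b8e19e19218e5a7c77a47a76f36e37319f383b314b30179b837e46c87c45": "Launcherkks.exe",
    "0d03c7c6335e06c45dd810fba6c52cdb9eafe02111da897696b83811bff0be92": "Launcherkks.pck",
    "604fa32b76dbe266da3979b7a49e3100301da56f0b58c13041ab5febe55354d2": "RedLine",
    "6be9c015c82645a448831d9dc8fcae4360228f76dff000953a76e3bf203d3ec8": "RedLine",
    "b1a351ee61443b8558934dca6b2fa9efb0a6d2d18bae61ace5a761596604dbfa": "XMRig",
}


def parse_pck_header(data: bytes, offset: int = 0) -> Optional[dict]:
    """Parse a Godot pack header starting at `offset`; None if the magic is absent."""
    if data[offset:offset + 4] != PCK_MAGIC:
        return None
    fmt_ver, major, minor, patch = struct.unpack_from("<4I", data, offset + 4)
    pos = offset + 20
    flags, file_base = 0, 0
    if fmt_ver >= 2:                      # Godot 4 layout adds pack flags and a file base offset
        flags, file_base = struct.unpack_from("<IQ", data, pos)
        pos += 12
    pos += 16 * 4                         # 16 reserved uint32 words
    (file_count,) = struct.unpack_from("<I", data, pos)
    return {
        "format_version": fmt_ver,
        "engine_version": f"{major}.{minor}.{patch}",
        "directory_encrypted": bool(flags & PCK_DIR_ENCRYPTED),
        "file_count": file_count,
        "embedded": offset != 0,
    }


def find_pck(data: bytes) -> Optional[dict]:
    """A standalone .pck starts with the magic; an executable with an appended pack
    ends with [pack bytes][uint64 pack size][GDPC]. Check both, as the engine does."""
    hdr = parse_pck_header(data, 0)
    if hdr:
        return hdr
    if len(data) >= 12 and data[-4:] == PCK_MAGIC:
        (pack_size,) = struct.unpack_from("<Q", data, len(data) - 12)
        start = len(data) - 12 - pack_size
        if 0 <= start < len(data):
            return parse_pck_header(data, start)
    return None


def triage(name: str, data: bytes) -> dict:
    """Hash a file, look the digest up in the IoC list, and report any pack structure."""
    digest = hashlib.sha256(data).hexdigest()
    return {"name": name, "sha256": digest,
            "ioc_match": IOC_SHA256.get(digest), "pck": find_pck(data)}


def build_sample_pck(fmt_ver: int = 2, flags: int = PCK_DIR_ENCRYPTED, file_count: int = 2) -> bytes:
    """Constructed minimal header (no file entries) for the demo; not a real sample."""
    hdr = PCK_MAGIC + struct.pack("<4I", fmt_ver, 4, 3, 0)   # claims engine 4.3.0
    if fmt_ver >= 2:
        hdr += struct.pack("<IQ", flags, 0)
    return hdr + b"\0" * 64 + struct.pack("<I", file_count)


# Constructed inputs: a bare pack and a fake "executable" with the pack appended.
SAMPLE_PCK = build_sample_pck()
SAMPLE_EXE = b"MZ" + b"\0" * 62 + SAMPLE_PCK + struct.pack("<Q", len(SAMPLE_PCK)) + PCK_MAGIC

if __name__ == "__main__":
    for name, blob in (("game.pck", SAMPLE_PCK), ("launcher.exe", SAMPLE_EXE), ("plain.bin", b"MZ" + b"\0" * 100)):
        print(triage(name, blob))
```

Run it over the extracted contents of a suspicious archive and two signals fall out: a hash that matches the table is a confirmed indicator, and a file that parses as a pack (especially an executable carrying an embedded pack, or a pack whose directory is flagged encrypted) is worth a closer look even when its hash is unknown, which matters because the campaign relied on archives that no signature flagged.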
The post New Stealthy GodLoader Malware Attacking Windows, macOS, Linux, Android, & iOS Devices appeared first on Cyber Security News.