GodLoader malware, discovered by Check Point, stealthily infects Windows, macOS, Linux, Android, and iOS, using the Godot Engine to evade antivirus detection.
GodLoader Malware
GodLoader uses the Godot Engine’s scripting language, GDScript, to deliver and run malicious payloads. GDScript, similar to Python, is intended for game development but has been misused by cybercriminals to execute harmful commands.
The malware is spread through the Stargazers Ghost Network, a “Malware-as-a-Service” platform hosted on GitHub. Between September and October 2024, over 200 repositories and 225 accounts were used to distribute GodLoader.
The repositories pretended to be legitimate projects, using GitHub’s “starring” system to appear credible and trick users.
According to Check Point researchers, once downloaded GodLoader delivers its payload through malicious .pck files, the archive format the Godot Engine uses to package game assets, either embedded in the executable or loaded alongside it. These files contain encrypted GDScripts that the engine decrypts and runs. The malware also uses evasion techniques, such as anti-sandbox and anti-virtual-machine checks, to avoid detection.
GodLoader’s most alarming feature is its cross-platform functionality. The Godot Engine lets developers easily export projects to multiple platforms, which attackers have exploited to target:
- Windows: Initial samples delivered payloads on Windows devices.
- macOS and Linux: Proof-of-concept attacks showed similar methods work with minor tweaks.
- Android: Not fully developed yet, but researchers believe an Android version is possible.
- iOS: Deployment is challenging due to Apple’s strict App Store policies but still poses a potential risk.
GodLoader’s versatility enables attackers to target multiple operating systems effectively.
The Stargazers Ghost Network distributed GodLoader through GitHub between June and October 2024, running campaigns with repositories hosting malicious files. Automated bots updated these repositories to look legitimate and lure users.
GodLoader starts by delivering an archive with executable files and .pck resources. When executed, it decrypts the .pck file, runs malicious GDScripts, and downloads extra payloads like XMRig miners or RedLine credential stealers.
Exploiting the Godot Engine, GodLoader threatens over 1.2 million users of Godot-developed games. Attackers could swap legitimate .pck files with malicious ones or infect game mods.
Its stealth adds to the risk—some infected files were downloaded over 17,000 times without detection, according to Check Point researchers.
Mitigation Strategies
To safeguard against threats like GodLoader:
- Keep systems updated: Regularly update operating systems, browsers, and applications to patch known vulnerabilities.
- Download from trusted sources: Only download software from official or verified sources to reduce the risk of malicious files.
- Use advanced endpoint protection: Employ robust security solutions that detect and block sophisticated threats like GodLoader.
- Raise awareness: Train employees and users to recognize phishing attempts, fake websites, and suspicious downloads.
- Secure game assets: Developers using the Godot Engine should encrypt .pck files with asymmetric encryption to prevent unauthorized modifications.
Implementing these measures reduces the risk of infection and helps protect devices and users from emerging malware threats.
IOCs
Description | Value (SHA-256 hash or C&C address) |
---|---|
Archive distributed by Stargazers Ghost Network | 260f06f0c6c1544afcdd9a380a114489ebdd041b846b68703158e207b7c983d6 |
Launcherkks.exe | 3317b8e19e19218e5a7c77a47a76f36e37319f383b314b30179b837e46c87c45 |
Launcherkks.pck | 0d03c7c6335e06c45dd810fba6c52cdb9eafe02111da897696b83811bff0be92 |
RedLine | 604fa32b76dbe266da3979b7a49e3100301da56f0b58c13041ab5febe55354d2 |
RedLine | 6be9c015c82645a448831d9dc8fcae4360228f76dff000953a76e3bf203d3ec8 |
XMRig | b1a351ee61443b8558934dca6b2fa9efb0a6d2d18bae61ace5a761596604dbfa |
RedLine C&C | 147.45.44.83:6483 |
RedLine C&C | 185.196.9.26:6302 |
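A defender-side triage script, added here as an example and not part of Check Point's report or of any GodLoader sample: it matches file hashes and proxy log lines against the IOC table above, and flags files that carry a Godot pack header, either as a standalone .pck or appended to an executable, which is how the article describes the loader embedding its payload. The "GDPC" magic, the trailing-marker check for embedded packs and the version field layout are assumptions about the Godot pack format taken from the engine's loader rather than from this page; the sample files and log lines are constructed.

```python
import hashlib
import re
import struct

# IOC values as published in the table above (Check Point's indicators).
IOC_SHA256 = {
    "260f06f0c6c1544afcdd9a380a114489ebdd041b846b68703158e207b7c983d6": "Archive distributed by Stargazers Ghost Network",
    "3317b8e19e19218e5a7c77a47a76f36e37319f383b314b30179b837e46c87c45": "Launcherkks.exe",
    "0d03c7c6335e06c45dd810fba6c52cdb9eafe02111da897696b83811bff0be92": "Launcherkks.pck",
    "604fa32b76dbe266da3979b7a49e3100301da56f0b58c13041ab5febe55354d2": "RedLine",
    "6be9c015c82645a448831d9dc8fcae4360228f76dff000953a76e3bf203d3ec8": "RedLine",
    "b1a351ee61443b8558934dca6b2fa9efb0a6d2d18bae61ace5a761596604dbfa": "XMRig",
}
IOC_C2 = {"147.45.44.83:6483", "185.196.9.26:6302"}

# Godot pack magic: the engine stores 0x43504447 little-endian, i.e. the bytes "GDPC"
# (assumption about the pack format, taken from the engine loader, not from the article).
GDPC_MAGIC = b"GDPC"

# Matches "ip:port" tokens in arbitrary log text (proxy, firewall, EDR network events).
ADDR_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?!\d)")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes, lowercase hex, the form used in the IOC table."""
    return hashlib.sha256(data).hexdigest()


def match_hash_ioc(data: bytes, iocs=IOC_SHA256):
    """Return the IOC description when the file hash is listed, else None."""
    return iocs.get(sha256_hex(data))


def godot_pack_location(data: bytes):
    """Where, if anywhere, a Godot pack header sits in the file.

    'standalone': "GDPC" at offset 0, the layout of a normal .pck file.
    'embedded'  : "GDPC" as the final four bytes. Assumption: this mirrors how the
                  Godot runtime locates a pack appended to its own executable; verify
                  against the engine source for the version you care about.
    None        : no pack marker present.
    """
    if data[:4] == GDPC_MAGIC:
        return "standalone"
    if len(data) >= 4 and data[-4:] == GDPC_MAGIC:
        return "embedded"
    return None


def pack_format_version(data: bytes):
    """Pack format version, read as the little-endian u32 that follows the magic
    in a standalone pack (assumed layout, see godot_pack_location); None otherwise."""
    if data[:4] != GDPC_MAGIC or len(data) < 8:
        return None
    return struct.unpack_from("<I", data, 4)[0]


def find_c2_hits(log_lines):
    """(line number, address) for every listed RedLine C&C seen in the log lines."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for ip, port in ADDR_RE.findall(line):
            addr = f"{ip}:{port}"
            if addr in IOC_C2:
                hits.append((lineno, addr))
    return hits


def triage_file(name: str, data: bytes, iocs=IOC_SHA256):
    """One record per file: hash, IOC match (if any), and whether it carries a Godot pack."""
    location = godot_pack_location(data)
    return {
        "name": name,
        "sha256": sha256_hex(data),
        "ioc": match_hash_ioc(data, iocs),
        "godot_pack": location,
        "pack_version": pack_format_version(data) if location == "standalone" else None,
    }


# Constructed samples, not real GodLoader artifacts: a fake .pck header claiming
# pack format version 2, a fake PE stub with a pack marker appended, and a clean file.
SAMPLE_PCK = GDPC_MAGIC + struct.pack("<IIII", 2, 4, 3, 0) + b"\x00" * 64
SAMPLE_EXE = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 128
              + struct.pack("<Q", 128) + GDPC_MAGIC)
SAMPLE_TXT = b"nothing to see here\n"

# Constructed proxy log lines; only the first carries a listed C&C address.
SAMPLE_LOG = [
    "2024-10-03T12:00:01Z proxy allow src=10.0.0.5:51234 dst=147.45.44.83:6483 bytes=1044",
    "2024-10-03T12:00:02Z proxy allow src=10.0.0.5:51235 dst=93.184.216.34:443 bytes=8812",
    "2024-10-03T12:00:03Z proxy allow src=10.0.0.7:51001 dst=185.196.9.26:6303 bytes=0",
]


if __name__ == "__main__":
    for name, data in [("game.pck", SAMPLE_PCK), ("launcher.exe", SAMPLE_EXE), ("readme.txt", SAMPLE_TXT)]:
        print(triage_file(name, data))
    print("C&C hits:", find_c2_hits(SAMPLE_LOG))
```

Hash matching only catches the exact samples Check Point listed, so the pack-header check is the part worth keeping in a triage pipeline: an executable that ends with a Godot pack marker is not malicious by itself (every exported Godot game looks like that), but it is a cheap filter for deciding which downloads deserve a closer look.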