Hackers have used new GodLoader malware exploiting the capabilities of the widely used Godot game engine to evade detection and infect over 17,000 systems in just three months.
As Check Point Research found while investigating the attacks, threat actors can use this malware loader to target gamers across all major platforms, including Windows, macOS, Linux, Android, and iOS.
It’s also used to leverage Godot’s flexibility and its GDScript scripting language capabilities to execute arbitrary code and bypass detection systems using the game engine .pck files, which package game assets, to embed harmful scripts.
Once loaded, the maliciously crafted files trigger malicious code on the victims’ devices, enabling attackers to steal credentials or download additional payloads, including the XMRig crypto miner. This miner malware’s configuration was hosted on a private Pastebin file uploaded in May, which was visited 206,913 times throughout the campaign.
“Since at least June 29, 2024, cybercriminals have been taking advantage of Godot Engine to execute crafted GDScript code which triggers malicious commands and delivers malware. This technique has remained undetected by most antivirus tools on VirusTotal, possibly infecting more than 17,000 machines in just a few months,” according to Check Point.
“Godot has a vibrant and growing community of developers who value its open-source nature and powerful capabilities. Over 2,700 developers contributed to the Godot gaming engine,” while “on platforms like Discord, YouTube, and other social media platforms, the Godot engine has around 80,000 followers who stay updated on the latest news.”
The attackers delivered the GodLoader malware through the Stargazers Ghost Network, a malware Distribution-as-a-Service (DaaS) that masks its activities using seemingly legitimate GitHub repositories.
Between September and October 2024, they used over 200 repositories controlled by over 225 Stargazer Ghost accounts to deploy the malware to targets’ systems, exploiting potential victims’ trust in open-source platforms and seemingly legitimate software repositories.
Throughout the campaign, Check Point detected four separate attack waves against developers and gamers between September 12 and October 3, enticing them to download infected tools and games.
While the security researchers only discovered GodLoader samples targeting Windows systems, they also developed GDScript proof-of-concept exploit code showing how easily the malware can be adapted to attack Linux and macOS systems.
Stargazer Goblin, the threat actor behind the Stargazers Ghost Network DaaS platform used in these attacks, was first observed by Check Point promoting this malware distribution service on the dark web in June 2023. However, it has likely been active since at least August 2022, earning over $100,000 since this service was launched.
The Stargazers Ghost Network uses over 3,000 GitHub “ghost” accounts to create networks of hundreds of repositories that can be used to deliver malware (mainly information stealers like RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer) and star, fork, and subscribe to these malicious repos to push them to GitHub’s trending section and increase their apparent legitimacy.
Update November 27, 18:19 EST: Godot Engine maintainer and security team member Rémi Verschelde sent the following statement after publish time.
As the Check Point Research report states, the vulnerability is not specific to Godot. The Godot Engine is a programming system with a scripting language. It is akin to, for instance, the Python and Ruby runtimes. It is possible to write malicious programs in any programming language. We do not believe that Godot is particularly more or less suited to do so than other such programs.
Users who merely have a Godot game or editor installed on their system are not specifically at risk. We encourage people to only execute software from trusted sources.
For some more technical details:
Godot does not register a file handler for “.pck” files. This means that a malicious actor always has to ship the Godot runtime together with a .pck file. The user will always have to unpack the runtime together with the .pck to the same location and then execute the runtime. There is no way for a malicious actor to create a “one click exploit”, barring other OS-level vulnerabilities. If such an OS-level vulnerability were used then Godot would not be a particularly attractive option due to the size of the runtime.
This is similar to writing malicious software in Python or Ruby, the malicious actor will have to ship a python.exe or ruby.exe together with their malicious program.
Source: www.bleepingcomputer.com