A popular open-source game engine called Godot Engine is being abused as part of a new GodLoader malware campaign, infecting over 17,000 systems since at least June 2024.
“Cybercriminals have been taking advantage of Godot Engine to execute crafted GDScript code which triggers malicious commands and delivers malware,” Check Point said in a new analysis published Wednesday. “The technique remains undetected by almost all antivirus engines in VirusTotal.”
It is no surprise that threat actors are constantly on the lookout for new tools and techniques that can help them deliver malware while sidestepping detection by security controls, even as defenders continue to erect new guardrails.
The latest addition is Godot Engine, a game development platform that allows users to design 2D and 3D games across platforms, including Windows, macOS, Linux, Android, iOS, PlayStation, Xbox, Nintendo Switch, and the web.
The multi-platform support also makes it an attractive implement in the hands of adversaries, who can now leverage it to target and infect devices at scale, effectively broadening the attack surface.
“The Godot Engine’s flexibility has made it a target for cybercriminals, enabling stealthy, cross-platform malware like GodLoader to spread rapidly by exploiting trust in open-source platforms,” Eli Smadja, security research group manager at Check Point Software Technologies, said in a statement shared with The Hacker News.
“For the 1.2 million users of Godot-developed games, the implications are profound — not just for their devices but for the integrity of the gaming ecosystem itself. This is a wake-up call for the industry to prioritize proactive, cross-platform cyber security measures to stay ahead of this alarming trend.”
What makes the campaign stand out is that it leverages the Stargazers Ghost Network – in this case, a set of about 200 GitHub repositories and more than 225 bogus accounts – as a distribution vector for GodLoader.
“These accounts have been starring the malicious repositories that distribute GodLoader, making them appear legitimate and safe,” Check Point said. “The repositories were released in four separate waves, primarily targeting developers, gamers, and general users.”
The attacks, observed on September 12, September 14, September 29, and October 3, 2024, were found to use Godot Engine executables, also known as pack (or .PCK) files, to drop the loader malware, which is then responsible for downloading and executing final-stage payloads such as RedLine Stealer and the XMRig cryptocurrency miner from a Bitbucket repository.
In addition, the loader includes features to bypass analysis in sandboxed and virtual environments and to add the entire C: drive to the Microsoft Defender Antivirus exclusions list to prevent the detection of malware.
The cybersecurity company said GodLoader artifacts are primarily geared towards targeting Windows machines, although it noted that it is trivial to adapt them to infect macOS and Linux systems.
What's more, while the current set of attacks involves the threat actors building custom Godot Engine executables for malware propagation, it could be taken a notch higher by tampering with a legitimate Godot-built game after obtaining the symmetric encryption key used to extract the .PCK file.
This kind of attack, however, can be avoided by switching to an asymmetric-key algorithm (aka public-key cryptography) that relies on a public and private key pair to encrypt/decrypt data.
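As an added triage aid for defenders, and not code from the article, Check Point or the Godot project: a parser for the fixed header of a standalone Godot .PCK file that reports the pack format, the engine version that built it, and whether its file directory is encrypted (the setting behind the symmetric key discussed above). It assumes the format-1 (Godot 3) and format-2 (Godot 4) header layouts and runs on a constructed sample header rather than a real game's pack.

```python
import struct

PCK_MAGIC = b"GDPC"          # "GDPC" at offset 0 marks a standalone Godot pack file
PACK_DIR_ENCRYPTED = 1 << 0  # pack_flags bit: the file directory is encrypted (format 2)


def parse_pck_header(data: bytes) -> dict:
    """Parse the fixed header of a standalone .PCK (pack formats 1 and 2).

    Assumed layout: magic, format, major, minor, patch (u32 each); format 2
    adds pack_flags (u32) and file_base (u64); then 16 reserved u32 slots and
    the file count (u32). Raises ValueError for anything else.
    """
    if len(data) < 24 or data[:4] != PCK_MAGIC:
        raise ValueError("not a standalone Godot PCK (missing GDPC magic)")
    fmt, major, minor, patch = struct.unpack_from("<4I", data, 4)
    off, flags = 20, 0
    if fmt == 2:
        flags, = struct.unpack_from("<I", data, off)
        off += 4 + 8            # pack_flags, then file_base (unused for triage)
    elif fmt != 1:
        raise ValueError(f"unsupported pack format {fmt}")
    off += 16 * 4               # reserved slots
    if len(data) < off + 4:
        raise ValueError("truncated PCK header")
    file_count, = struct.unpack_from("<I", data, off)
    return {
        "format": fmt,
        "engine": f"{major}.{minor}.{patch}",
        "encrypted_directory": bool(flags & PACK_DIR_ENCRYPTED),
        "file_count": file_count,
    }


def build_sample_header(fmt, major, minor, patch, flags, file_count) -> bytes:
    """Constructed sample header for offline testing; not taken from any real pack."""
    hdr = PCK_MAGIC + struct.pack("<4I", fmt, major, minor, patch)
    if fmt == 2:
        hdr += struct.pack("<IQ", flags, 0)
    return hdr + b"\x00" * 64 + struct.pack("<I", file_count)


if __name__ == "__main__":
    sample = build_sample_header(2, 4, 3, 0, PACK_DIR_ENCRYPTED, 12)
    print(parse_pck_header(sample))
```

A pack appended to an executable (a self-contained Godot build) carries its magic at the end of the file instead, so this check covers only standalone .PCK files.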
In response to the findings, the Godot Security Team said the Godot Engine is a programming system with a scripting language, similar to the Python and Ruby runtimes, urging users to ensure that downloaded executables are signed by a trusted party and to avoid running cracked software.
“It is possible to write malicious programs in any programming language,” it pointed out in a statement. “We do not believe that Godot is particularly more or less suited to do so than other such programs.”
The malicious campaign serves as another reminder of how threat actors often leverage legitimate services and brands to evade security mechanisms, necessitating that users download software only from trusted sources.
“Threat actors have utilized Godot’s scripting capabilities to create custom loaders that remain undetected by many conventional security solutions,” Check Point said. “Since Godot’s architecture allows platform-agnostic payload delivery, attackers can easily deploy malicious code across Windows, Linux, and macOS, sometimes even exploring Android options.”
“Combining a highly targeted distribution method and a discreet, undetected technique has resulted in exceptionally high infection rates. This cross-platform approach enhances malware versatility, giving threat actors a powerful tool that can easily target multiple operating systems. This method allows attackers to deliver malware more effectively across various devices, maximizing their reach and impact.”