New Stealthy GodLoader Malware Attacking Windows, macOS, Linux, Android, & iOS Devices

A newly discovered malware, dubbed GodLoader, is raising alarms in the cybersecurity community for its ability to stealthily infect devices across multiple operating systems, including Windows, macOS, Linux, Android, and iOS.

Unveiled by Check Point Research, this advanced malware exploits the Godot Engine, a popular open-source game development platform, to execute malicious scripts while bypassing most antivirus detection systems.

GodLoader leverages the Godot Engine’s scripting language, GDScript, to deliver and execute malicious payloads. GDScript is a Python-like language designed for game development, enabling developers to create dynamic content. However, cybercriminals have weaponized its flexibility to craft scripts that trigger malicious commands.

The malware is distributed via the Stargazers Ghost Network, a sophisticated “Malware-as-a-Service” operation hosted on GitHub. Over 200 repositories and 225 accounts were used to distribute GodLoader between September and October 2024.

These repositories masqueraded as legitimate projects, gaining credibility through GitHub’s “starring” system to deceive users.

Once downloaded, GodLoader executes its payload by embedding or dynamically loading malicious .pck files (used by Godot to bundle game assets), Check Point researchers said.


These files contain encrypted GDScripts that are decrypted and executed by the engine. The malware also employs advanced evasion techniques, such as anti-sandboxing and anti-virtual machine checks, to avoid detection.
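As an added defender-side triage example (not code from the article or from Check Point's report), the following Python reads a Godot pack header, either from a bare .pck or from a pack appended to an executable the way Godot's self-contained export does, and reports the engine version, file count and whether the pack directory is flagged as encrypted. The header layout follows Godot's pack format versions 1 (Godot 3) and 2 (Godot 4); the sample bytes are constructed, not taken from any real sample.

```python
import struct

PACK_MAGIC = b"GDPC"         # Godot pack header magic ("GDPC", 0x43504447 little-endian)
PACK_DIR_ENCRYPTED = 1 << 0  # Godot 4 pack flag: the file directory is encrypted

def parse_pck_header(data: bytes):
    """Parse a Godot .pck header at the start of `data`; None if there is none.
    Format 1 (Godot 3): magic, format ver, engine major/minor/patch, 16 reserved
    u32, file count. Format 2 (Godot 4) adds pack flags + u64 file base first."""
    if len(data) < 20 or data[:4] != PACK_MAGIC:
        return None
    fmt_ver, major, minor, patch = struct.unpack_from("<4I", data, 4)
    off, flags, file_base = 20, 0, 0
    if fmt_ver >= 2:
        flags, file_base = struct.unpack_from("<IQ", data, off)
        off += 12
    off += 16 * 4  # reserved words
    if len(data) < off + 4:
        return None
    (file_count,) = struct.unpack_from("<I", data, off)
    return {"format_version": fmt_ver, "engine_version": f"{major}.{minor}.{patch}",
            "encrypted_directory": bool(flags & PACK_DIR_ENCRYPTED),
            "file_base": file_base, "file_count": file_count}

def triage(blob: bytes):
    """Header summary for a bare .pck, or for a pack Godot appended to an executable
    (self-contained export: pack, then u64 pack size, then magic at EOF); else None."""
    start = 0
    if blob[:4] != PACK_MAGIC:
        if len(blob) < 12 or blob[-4:] != PACK_MAGIC:
            return None
        (pack_size,) = struct.unpack_from("<Q", blob, len(blob) - 12)
        start = len(blob) - 12 - pack_size
        if start < 0 or blob[start:start + 4] != PACK_MAGIC:
            return None
    info = parse_pck_header(blob[start:])
    if info is not None:
        info["pack_offset"] = start
    return info

# Constructed sample: stub "executable" with a Godot 4 pack appended, directory
# flagged encrypted, claiming three files (no real file table or data follows).
SAMPLE_PCK = (PACK_MAGIC + struct.pack("<4I", 2, 4, 2, 1)
              + struct.pack("<IQ", PACK_DIR_ENCRYPTED, 0) + b"\0" * 64 + struct.pack("<I", 3))
SAMPLE_EXE = b"MZ" + b"\x90" * 62 + SAMPLE_PCK + struct.pack("<Q", len(SAMPLE_PCK)) + PACK_MAGIC

if __name__ == "__main__":
    print(triage(SAMPLE_EXE))
```

An encrypted directory in a pack shipped with an unfamiliar launcher is a triage signal, not proof of malice: legitimate Godot games may ship encrypted packs too, so pair this with provenance checks on the archive.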

GodLoader Cross-Platform Capabilities

One of GodLoader’s most concerning features is its cross-platform functionality. The Godot Engine allows developers to export projects to various platforms with minimal modifications. Threat actors have exploited this capability to target:

  • Windows: Initial samples demonstrated payload delivery on Windows devices.
  • macOS and Linux: Proof-of-concept attacks showed similar techniques could be applied with minor adjustments.
  • Android: Although not yet fully developed, researchers believe an Android version is feasible.
  • iOS: Deployment on iOS faces challenges due to Apple’s strict App Store policies but remains a potential risk.

This versatility makes GodLoader a powerful tool for attackers aiming to maximize their reach across diverse operating systems.

The Stargazers Ghost Network has played a crucial role in distributing GodLoader. Between June and October 2024, the network launched multiple campaigns using GitHub repositories to host malicious files. These repositories were updated regularly using automated bots to appear legitimate and attract unsuspecting users.

GodLoader Timeline

The malware’s infection chain begins with downloading a seemingly harmless archive containing executable files and .pck resources. Once executed, the malware decrypts the .pck file, runs malicious GDScripts, and downloads additional payloads from external servers. Notably, these payloads included cryptocurrency miners like XMRig and credential-stealing malware such as RedLine.

GodLoader poses a significant threat due to its ability to exploit legitimate software like the Godot Engine. With over 1.2 million users of Godot-developed games potentially at risk, attackers could target gamers by replacing legitimate .pck files with malicious ones or distributing infected game mods.

Moreover, the malware’s ability to remain undetected by most antivirus engines amplifies its danger. For example, Check Point researchers found that some infected archives had been downloaded over 17,000 times without triggering any security alerts.

Mitigation Strategies

To protect against threats like GodLoader:

  • Regularly update operating systems and applications.
  • Avoid downloading software from unverified sources.
  • Use robust endpoint protection solutions capable of detecting advanced threats.
  • Educate employees and users about phishing tactics and suspicious downloads.
  • Developers using the Godot Engine should encrypt .pck files with asymmetric encryption methods to prevent tampering.

GodLoader represents a new frontier in cross-platform malware development, exploiting trust in open-source tools like the Godot Engine. Its stealthy distribution methods and advanced evasion techniques highlight the growing sophistication of cyber threats.

As attackers continue innovating, vigilance and proactive security measures are essential to mitigate risks posed by such multi-platform malware.

Indicators of Compromise



The post New Stealthy GodLoader Malware Attacking Windows, macOS, Linux, Android, & iOS Devices appeared first on Cyber Security News.