Summary:
Check Point Research has uncovered a new malware distribution technique exploiting the Godot Engine, allowing cybercriminals to execute malicious GDScript code undetected by most antivirus solutions. This technique has led to the infection of over 17,000 machines since June 2024, primarily through the GodLoader malware distributed via the Stargazers Ghost Network. The method’s cross-platform capabilities pose significant risks to users across various operating systems.
#GodotEngine #MalwareDistribution #CyberThreats
Check Point Research has uncovered a new malware distribution technique exploiting the Godot Engine, allowing cybercriminals to execute malicious GDScript code undetected by most antivirus solutions. This technique has led to the infection of over 17,000 machines since June 2024, primarily through the GodLoader malware distributed via the Stargazers Ghost Network. The method’s cross-platform capabilities pose significant risks to users across various operating systems.
#GodotEngine #MalwareDistribution #CyberThreats
Keypoints:
Check Point Research identified a new malware technique using the Godot Engine to execute malicious GDScript.
The malware, named GodLoader, has infected over 17,000 machines since June 29, 2024.
GodLoader is distributed via the Stargazers Ghost Network, utilizing GitHub repositories to appear legitimate.
The technique targets multiple platforms, including Windows, macOS, Linux, Android, and iOS.
Potential attacks could affect over 1.2 million users of Godot-developed games.
Malicious GDScript can evade detection and execute payloads across various operating systems.
Check Point Research demonstrated the technique’s effectiveness on Linux and macOS platforms.
MITRE Techniques:
Execution (T1203): Exploits vulnerabilities in the Godot Engine to execute malicious GDScript code.
Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
Persistence (T1547): Installs GodLoader to ensure continued access to infected systems.
Defense Evasion (T1562): Employs anti-sandbox techniques to avoid detection by security solutions.
Credential Access (T1003): Potentially steals user credentials during infection.
Impact (T1499): Deploys malware to disrupt or control infected systems.
IoC:
[File Name] Launcherkks.exe
[File Name] Launcherkks.pck
[File Hash] 260f06f0c6c1544afcdd9a380a114489ebdd041b846b68703158e207b7c983d6
[File Hash] 3317b8e19e19218e5a7c77a47a76f36e37319f383b314b30179b837e46c87c45
[File Hash] 0d03c7c6335e06c45dd810fba6c52cdb9eafe02111da897696b83811bff0be92
[File Hash] 604fa32b76dbe266da3979b7a49e3100301da56f0b58c13041ab5febe55354d2
[File Hash] b1a351ee61443b8558934dca6b2fa9efb0a6d2d18bae61ace5a761596604dbfa
[IP Address] 147.45.44.83
[IP Address] 185.196.9.26
Full Research: https://research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders/