GodLoader Malware: Hackers Use Game Engine For Distribution
As per recent media reports, hackers are now using the Godot engine as a distribution medium for the GodLoader malware. As of now the malware is believed to have been active since June 2024 and has compromised over 17,000 devices. In this article, we’ll cover how the game engine was used for malware distribution and mitigation measures that can be deployed to ensure protection. Let’s begin!
GodLoader Malware: Initial Discovery
In the ever-evolving threat landscape, cybercriminals are constantly changing their attack mechanisms to avoid detection while carrying out their malicious initiatives. Check Point, an online security firm, has recently uncovered a previously undetected technique. Using this method, hackers leverage the Godot gaming engine to execute malicious GDScript code.
Before we dive into the details of the GodLoader malware, it’s essential to know that the Godot engine is a feature-rich open-source platform. The primary purpose of the platform is 2D and 3D game development, and it’s known for its flexibility, user-friendly interface, and comprehensive tools.
By using this engine, developers can export games to various platforms that include Windows, macOS, Linux, Android, iOS, HTML5, and more. In addition, the platform uses a scripting language, GDScript, that’s similar to Python and is explicitly designed for game development.
The Godot engine has a community of developers who value its open-source nature and powerful capabilities. Over 2,700 developers have contributed to the Godot gaming engine. Reports have mentioned that the GodLoader malware hackers have been exploiting the engine since June 29th, 2024.
As part of the exploits, the hacker executes GDScript code designed to trigger malicious commands and the delivery of malware. It’s worth noting that this technique has remained undetected by many antivirus tools on VirusTotal, and over 17,000 devices are believed to have been compromised.
As far as the distribution is concerned, hackers use GodLoader via the Stargazers Ghost Network which acts as distribution as a service (DaaS). This ensures that the GodLoader malware is seen as legitimate and can be rolled out to victims through GitHub repositories. It’s also worth noting that around 200 repositories and more than 225 Stargazer Ghost accounts were used.
The accounts used for GodLoader malware distribution hosted malicious repositories, which were released in four separate waves. The primary targets at the time were developers, gamers, and general users, and the attacks occurred on:
- 2024-09-12
- 2024-09-14
- 2024-09-29
- 2024-10-03
New Attack Technique Uncovered
An analysis conducted by Check Point reveals that the GodLoader malware uses “.pck” files for the Godot engine. These files are used to bundle games, assets, and resources. Common examples of such resources can include game data such as sounds, textures, and scenes.
Given that games are designed to load such files dynamically, this allows developers to distribute updates, downloadable content, and additional assets for the game without modifications being made to the core executable file. Commenting on these files, Check Point has stated that:
“These pack files might contain elements related to the games, images, audio files, and any other “static” files. In addition to these static files, .pck files can include scripts written in GDScript (.gd). These scripts can be executed when the .pck is loaded using the built-in callback function _ready(), allowing the game to add new functionality or modify existing behavior.”
Such a technique is feasible for distributing the GodLoader malware, given that the Godot engine provides an execution environment for GDScript. This environment enables developers to create gameplay logic, control scenes, and interact with game objects. It’s worth noting that GDScript also includes modern language features.
All of these aspects are crucial for the GodLoader malware hacker given that they are used for the execution of malicious code, downloading of malware, and its deployment while remaining undetected. The GodLoader malware hackers can also use the language for various functionalities ranging from Anti-Sandbox and Anti-VM to the execution of remote payloads.
In addition, the GDScript malicious code is crafted using such functionalities. Providing further insight into the attack technique, experts have pointed out that:
“While we have obtained Windows samples, this technique can also be used for cross-platform infections. The Godot Engine executable and the maliciously crafted GDScript are system-dependent when interacting with the operating system (OS). Pack files can be separate files with a .pck extension or embedded inside the binary as a .pck section.
Either way, the process loads the file/section and decrypts it if encrypted (recommended by Godot documentation), and the engine executes the GDScripts. Initial samples obtained contained the pack file embedded and decrypted, while subsequent samples started using external pack files and encryption.”
Cybersecurity Threats 2024: GodLoader’s Evolution
Ever since June 29, 2024, the GodLoader malware has gone from containing an embedded “.pck” file as a PE section to having it as a separate file that is now encrypted. It’s worth noting that the main functionality is concentrated inside the “.pck” segment of the Godot executable.
In addition, the file can be transported either separately or as a section inside the executable. The most notable aspects of the evolution of the malicious code happen within the “.pck” file, and encryption is applied to ensure successful evasion. One notable aspect of the initial version, dated back to June 29th, is the intricate details that were not concealed by the author.
An example of such details includes the warning dialog that requests the user for Admin Permission being displayed in Russian. On June 30th a new variant of the GodLoader malware was submitted to VirusTotal. In this variant, the Russian text from the dialog was removed and the payload was downloaded in a separate thread. Another Godot resource file variant was submitted on July 1st, and in it, the files were restructured as follows:
- Script code was copied from the “scn” file to the “gd” file.
- The Godot parameter “application/config/name” was changed to NewLauncher.
On August 6th, 2024, another variant, including the following changes, was introduced:
- A free-space check was added as a sandbox analysis evasion technique: the application does not download any payload if the free space on all drives is below 360GB.
- A TLS certificate was added by configuring the Godot option “network/tls/certificate_bundle_override”.
One of the more recent changes to GodLoader malware took place on August 22nd. During this change, the GodLoader malware hacker:
- Switched to a different sandbox evasion technique, in which the script checks the names of the available 3D graphics adapters and continues only if one of the following strings is found in a name: Nvidia, AMD, Radeon, rx.
- Updated the links to malicious payloads.
Another GodLoader malware update was seen on August 26th, during which the hacker created an additional folder under “C:/ProgramData”. The folder was named “Update” and was created for saving the downloaded payload. On September 4th, the final version of the malware was seen.
In this version, the threat actor encrypted the resource file using the stock Godot engine, which supports encrypting resource files with an AES cipher.
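The pack layout described in the Check Point quote and in the evolution above (a bare .pck or a pack embedded in the executable, optionally AES-encrypted, carrying .gd scripts) can be triaged statically without launching the game. The Python below is an added example, not code from the article or from Check Point: it parses the Godot PCK v2 (Godot 4.x) header and directory, reports whether the pack is embedded and whether its directory is encrypted, and lists the GDScript entries with their encryption flag. The field layout follows Godot’s public pack format; the v2-only scope and the sample pack built by build_pck_v2 are assumptions and constructed input, and nothing is decrypted.

```python
import struct

PCK_MAGIC = b"GDPC"      # header magic; also the last 4 bytes of a pack embedded in an executable
PACK_DIR_ENCRYPTED = 1   # pack_flags bit: the directory itself is AES-encrypted
PACK_FILE_ENCRYPTED = 1  # per-entry flags bit: the file body is AES-encrypted

def locate_pack(blob):
    # 0 for a bare .pck; an embedded pack ends with a <u64 pack size><magic> trailer after its data
    if blob[:4] == PCK_MAGIC:
        return 0
    if blob[-4:] != PCK_MAGIC:
        return None
    start = len(blob) - 12 - struct.unpack_from("<Q", blob, len(blob) - 12)[0]
    return start if start >= 0 and blob[start:start + 4] == PCK_MAGIC else None

def parse_pck(blob):
    # PCK v2 (Godot 4.x) only: magic, version, major, minor, patch, pack_flags, file_base, 16 reserved u32
    start = locate_pack(blob)
    if start is None:
        return None
    version, flags, file_base = struct.unpack_from("<4xI12xIQ", blob, start)
    if version != 2:
        raise ValueError(f"unsupported PCK version {version}")
    count = struct.unpack_from("<I", blob, start + 96)[0]
    info = {"embedded": start != 0, "dir_encrypted": bool(flags & PACK_DIR_ENCRYPTED), "scripts": []}
    pos = start + 100
    for _ in range(0 if info["dir_encrypted"] else count):   # an encrypted directory is opaque without the key
        plen = struct.unpack_from("<I", blob, pos)[0]
        path = blob[pos + 4:pos + 4 + plen].rstrip(b"\0").decode()   # paths are NUL-padded to 4 bytes
        ofs, size, _md5, fflags = struct.unpack_from("<QQ16sI", blob, pos + 4 + plen)
        pos += 4 + plen + 36
        if path.endswith((".gd", ".gdc")):   # GDScript: code that can run from _ready() once the pack loads
            info["scripts"].append((path, file_base + ofs, size, bool(fflags & PACK_FILE_ENCRYPTED)))
    return info

def build_pck_v2(files, encrypted=(), exe=b""):
    # Constructed sample input (not a real game pack). With exe given, the pack is appended the way
    # Godot's exporter embeds it: absolute file_base, then a <u64 pack size><magic> trailer
    directory, data = b"", b""
    for path, body in files:
        p = path.encode() + b"\0" * (-len(path) % 4)
        flags = PACK_FILE_ENCRYPTED if path in encrypted else 0
        directory += struct.pack("<I", len(p)) + p + struct.pack("<QQ16sI", len(data), len(body), b"\0" * 16, flags)
        data += body
    pck = (PCK_MAGIC + struct.pack("<IIIIIQ", 2, 4, 3, 0, 0, len(exe) + 100 + len(directory))
           + b"\0" * 64 + struct.pack("<I", len(files)) + directory + data)
    return exe + pck + struct.pack("<Q", len(pck)) + PCK_MAGIC if exe else pck

SAMPLE = build_pck_v2([("res://main.tscn", b"[gd_scene]"), ("res://loader.gd", b"extends Node")],
                      encrypted=("res://loader.gd",), exe=b"MZ" + b"\0" * 62)   # constructed sample
```

Running parse_pck on a Godot executable or its external .pck gives an analyst the embedded/encrypted status and the script list to compare against the legitimate release before any further analysis.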
Potential Attack Sequence And Mitigation Protocols
Experts believe that the GodLoader malware hacker is using the new technique based on a Godot Engine executable that they have built themselves. The steps taken to exploit a legitimate Godot Engine game include:
- Obtaining the Godot game executable.
- Reversing it and obtaining the AES key.
- Crafting a malicious “.pck” file and encrypting it.
- Tricking game users into replacing their current file with the malicious one.
Those keen on ensuring protection must also know that attackers can deliver the malware through game mods or cheats. Given the popularity of games developed on Godot, more than 1.2 million users could potentially be at risk.
Commenting on mitigation protocols for threats such as the malware, experts have stated that:
“To mitigate the risks of threats like GodLoader, it is essential to keep operating systems and applications updated through timely patches and other means. Individuals should exercise caution when dealing with unexpected emails or messages containing links, particularly from unknown senders.
Enhancing cybersecurity awareness among employees is also crucial, as it helps create a more vigilant workforce. Lastly, consulting security specialists for any doubts or uncertainties can provide valuable expertise and guidance in navigating potential security challenges.”
Conclusion
The GodLoader malware shows just how creative hackers can get, turning even trusted tools like the Godot engine into weapons. Staying safe means keeping your systems updated, being cautious with unexpected links, staying informed, and using proactive security measures. By staying one step ahead, users can protect themselves from these evolving cyber threats.
The sources of the piece include articles in The Hacker News and Check Point.