Cybercriminals used a gaming engine to create undetectable malware loader
Threat actors have found a new way of covertly delivering malware to a wide variety of operating systems and platforms: a malware loader built on Godot Engine, an open-source game engine.
The loader – dubbed GodLoader – is distributed through the Stargazers Ghost Network, an extensive network of GitHub accounts and repositories that provides malware distribution “as-a-Service”.
According to Check Point researchers, over 17,000 machines have been infected with the malicious loader so far. And when those machines belong to developers, there are additional risks.
“With developers often accessing and utilizing open-source platforms like Godot Engine for game development, the possibility of unwittingly incorporating malicious code into their projects becomes a credible concern. The risk is also heightened for gamers as they download and install games that may have been crafted with compromised tools,” they pointed out.
“A potential attack can target over 1.2 million users of Godot-developed games. These scenarios involve taking advantage of legitimate Godot executables to load malicious scripts in the form of mods or other downloadable content.”
Crafting the malware loader with the Godot Engine
Godot Engine is a popular free, open-source 2D and 3D game engine and development platform that runs on many platforms and can export projects to Windows, Linux, macOS, Android, iOS, various VR platforms, and more.
Among the programming languages it supports is GDScript, the engine's own scripting language, which the threat actors used to write the malicious code.
“The exploitation of the Godot Engine hinges on its use of .pck files, which bundle game assets, including scripts and scenes, for distribution. When these files are loaded, the malicious GDScript can be executed through the built-in callback function,” Check Point researchers have said.
“This feature gives attackers many possibilities, from downloading additional malware to executing remote payloads—all while remaining undetected. Since GDScript is a fully functional language, threat actors have many functions like anti-sandbox, anti-virtual machine measures, and remote payload execution, enabling the malware to remain undetected.”
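The mechanism described above (scripts shipped inside a .pck, executed from a lifecycle callback such as `_ready()`) can be checked for on the defender's side by opening the pack index and reading the scripts it carries. The following is an added example, not Check Point's tooling and not code from the Godot project: a small Python triage script that parses an unencrypted .pck, verifies each entry against the MD5 stored in the index, and flags GDScript files that call APIs a game has little reason to use. The pack layout follows my reading of Godot's file_access_pack.cpp for pack format versions 1 (Godot 3.x) and 2 (Godot 4.x); the sample pack, the `build_pck` helper that produces it, and the indicator list are constructed for this example and are assumptions, not an authoritative detection signature.

```python
"""Triage an unencrypted Godot .pck for GDScript that reaches OS-level APIs.

Added example, not Check Point's tooling and not code from the Godot project.
Header layout follows my reading of Godot's file_access_pack.cpp for pack format
versions 1 (Godot 3.x) and 2 (Godot 4.x); encrypted packs and packs appended to
an executable are out of scope (assumption).
"""
import hashlib
import struct

MAGIC = b"GDPC"
PACK_DIR_ENCRYPTED = 1 << 0   # v2 pack flags: directory is encrypted
PACK_FILE_ENCRYPTED = 1 << 0  # v2 per-file flags: file body is encrypted

# Calls a game has little reason to make; an assumed list, not an authoritative one.
SUSPICIOUS_CALLS = (
    "OS.execute(", "OS.create_process(", "OS.shell_open(", "OS.get_environment(",
    "HTTPRequest", "HTTPClient", "StreamPeerTCP", "Marshalls.base64_to_raw(",
    "FileAccess.open(", "File.new(", "Directory.new(",
)


def build_pck(files, version=1, engine=(3, 5, 3)):
    """Constructed sample builder: serialise {path: bytes} into an unencrypted .pck."""
    entries = [(p.encode() + b"\0" * (-len(p.encode()) % 4), b) for p, b in files.items()]
    index_len = sum((40 if version == 2 else 36) + len(p) for p, _ in entries)
    file_base = (88 if version == 1 else 100) + index_len   # file data follows the index
    header = MAGIC + struct.pack("<4I", version, *engine)
    if version == 2:
        header += struct.pack("<IQ", 0, file_base)           # pack flags, files_base
    header += b"\0" * 64 + struct.pack("<I", len(entries))   # 16 reserved words, count
    index, blobs, ofs = b"", b"", 0
    for p, body in entries:
        index += struct.pack("<I", len(p)) + p               # NUL-padded path
        # v1 stores absolute offsets, v2 stores offsets relative to files_base
        index += struct.pack("<QQ", ofs if version == 2 else file_base + ofs, len(body))
        index += hashlib.md5(body).digest()
        if version == 2:
            index += struct.pack("<I", 0)                    # per-file flags: plain
        blobs, ofs = blobs + body, ofs + len(body)
    return header + index + blobs


def parse_pck(data):
    """Return (header info, entries); each entry carries its body and an md5 check."""
    if data[:4] != MAGIC:
        raise ValueError("not a Godot pack (missing GDPC magic)")
    version, major, minor, patch = struct.unpack_from("<4I", data, 4)
    pos, file_base = 20, 0
    if version == 2:
        flags, file_base = struct.unpack_from("<IQ", data, pos)
        pos += 12
        if flags & PACK_DIR_ENCRYPTED:
            raise ValueError("encrypted directory; the export key is needed")
    elif version != 1:
        raise ValueError("unsupported pack format version %d" % version)
    pos += 64                                                # reserved words
    (count,) = struct.unpack_from("<I", data, pos)
    pos += 4
    entries = []
    for _ in range(count):
        (plen,) = struct.unpack_from("<I", data, pos)
        path = data[pos + 4:pos + 4 + plen].split(b"\0", 1)[0].decode("utf-8")
        pos += 4 + plen
        ofs, size = struct.unpack_from("<QQ", data, pos)
        md5, pos = data[pos + 16:pos + 32], pos + 32
        fflags = 0
        if version == 2:
            (fflags,) = struct.unpack_from("<I", data, pos)
            pos, ofs = pos + 4, ofs + file_base
        body = data[ofs:ofs + size]
        entries.append({"path": path, "body": body,
                        "encrypted": bool(fflags & PACK_FILE_ENCRYPTED),
                        "md5_ok": hashlib.md5(body).digest() == md5})
    return {"version": version, "engine": (major, minor, patch), "count": count}, entries


def triage_pck(data):
    """Return (path, indicator) pairs: flagged calls, _ready() presence, integrity issues."""
    _, entries = parse_pck(data)
    findings = []
    for e in entries:
        if not e["md5_ok"]:
            findings.append((e["path"], "index md5 does not match body"))
        if e["encrypted"]:
            findings.append((e["path"], "encrypted file body, not scanned"))
            continue
        if not e["path"].endswith(".gd"):   # compiled .gdc/.gde would need a tokenizer
            continue
        text = e["body"].decode("utf-8", "replace")
        hits = [n for n in SUSPICIOUS_CALLS if n in text]
        findings.extend((e["path"], n) for n in hits)
        if hits and "func _ready(" in text:
            # _ready() runs as soon as the node enters the scene tree: no user action needed
            findings.append((e["path"], "declares _ready() lifecycle callback"))
    return findings


# Constructed sample pack: a config blob, a benign script, and one that shells out.
SAMPLE_FILES = {
    "res://project.binary": b"\x00\x01config\x00",
    "res://player.gd": b"extends Sprite\n\nfunc _process(delta):\n\tposition.x += 1\n",
    "res://main.gd": (b"extends Node\n\nfunc _ready():\n\tvar out = []\n"
                      b'\tOS.execute("cmd.exe", ["/c", "whoami"], true, out)\n'),
}

if __name__ == "__main__":
    for path, why in triage_pck(build_pck(SAMPLE_FILES)):
        print(path, "->", why)
```

Run as-is it prints the findings for the constructed sample; point `parse_pck` at the bytes of a real .pck to list what it carries. Two caveats a practitioner should keep in mind: the MD5 in the index is an integrity aid for this check, not a security control the engine enforces, and a loader that ships the pack appended to a platform executable, or that exports scripts as compiled tokens rather than plain .gd text, needs additional handling that this example deliberately leaves out.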
How the novel technique works (Source: Check Point Research)
The researchers observed the threat actors dropping loaders on Windows machines; they have also built proof-of-concept loaders for macOS and Linux themselves, to confirm that it can be done and how easily.
“An Android loader also seems possible but requires modifications to the Godot Engine. However, an iOS version is unlikely due to Apple’s strict App Store policies, which would make deployment challenging,” they noted.
GodLoader distribution
As noted above, the threat actors chose the Stargazers Ghost Network to distribute the malicious loaders, most likely because developers and gamers are used to trawling GitHub for packages and cheats.
This network of ghost accounts is used to distribute all kinds of malware, and is set up in a way that ensures its long-term survival: different accounts have different roles. Some serve malicious download links, others serve the malware itself (in encrypted archives), and others star and subscribe to repositories to increase their visibility, popularity, and appearance of legitimacy.
“For the distribution of GodLoader, approximately 200 repositories and more than 225 Stargazer Ghost accounts were used,” Check Point researchers shared.
The victims thought they were downloading cracked versions of paid software or key generators. Instead, they got GodLoader, which then downloaded and installed either the XMRig cryptocurrency miner or the RedLine infostealer (hosted on bitbucket.org).
Since at least June 29, 2024, the threat actors behind this scheme have been using GodLoader without it getting flagged by antivirus tools.
“Combining a highly targeted distribution method and a discreet, undetected technique has resulted in exceptionally high infection rates,” Check Point researchers said, and warned that the technique remains undetected by almost all antivirus engines in VirusTotal.