CyberSecurity updates
2024-12-26 04:10:32 Pacfic

Godot Game Engine Exploited for Malware Delivery - 28d
Read more: research.checkpoint.com

Cybersecurity researchers at Check Point have uncovered a novel malware delivery method exploiting the popular Godot game engine. The GodLoader malware uses malicious GDScript code embedded within .pck files—files that package game assets—to execute commands and deliver further malware payloads. This technique has proven highly effective at evading detection by most antivirus engines, resulting in over 17,000 infections across Windows, macOS, Linux, Android, and iOS since June 2024. The wide platform compatibility of Godot and the ability to hide malicious code within seemingly legitimate game assets makes this a particularly dangerous development.

The attackers utilize a network of compromised GitHub accounts, dubbed the "Stargazers Ghost Network," to distribute the malicious .pck files. These accounts use tactics to make the repositories distributing GodLoader seem legitimate, increasing the likelihood that unsuspecting users will download and run the infected files. The sheer scale of the operation, with approximately 200 repositories and over 225 ghost accounts, highlights the sophistication and resources dedicated to this malware campaign. The researchers have demonstrated how this technique can successfully deploy payloads on Linux and MacOS systems, expanding the potential reach of the attack to millions of users.

This GodLoader campaign underscores the increasing creativity of cybercriminals in weaponizing seemingly benign software and leveraging open-source platforms to distribute malware. The use of Godot’s GDScript to execute malicious commands, coupled with the deceptive distribution network on GitHub, showcases a new and concerning trend in malware delivery. This highlights the urgent need for developers and users to exercise caution when downloading and running scripts from untrusted sources, particularly those involving popular game development platforms and open-source repositories. The near-universal failure of antivirus engines to detect this threat reinforces the importance of multi-layered security measures and proactive threat intelligence.