November 28, 2024 at 05:06AM
A malware campaign exploiting the Godot Engine has infected over 17,000 systems since June 2024 using crafted GDScript code. The attack employs 200+ bogus GitHub accounts to distribute GodLoader, which targets Windows but is adaptable to other operating systems. This underscores the need for users to download software only from trusted sources.
**Meeting Takeaways (Nov 28, 2024)**
**Topic:** Windows Security / Cryptomining
1. **GodLoader Malware Campaign:**
– The Godot Engine, an open-source game development platform, is being exploited in a malware campaign known as GodLoader, infecting over 17,000 systems since June 2024.
– Cybercriminals are executing crafted GDScript code to deploy malicious commands and deliver malware, eluding detection by most antivirus engines.
2. **Target and Methodology:**
– The campaign utilizes the Stargazers Ghost Network, comprising about 200 GitHub repositories and over 225 fake accounts, to distribute GodLoader.
– Malicious repositories were introduced in four waves, primarily targeting developers, gamers, and general users.
3. **Attack Details:**
– Significant attack dates: September 12, 14, 29, and October 3, 2024.
– Godot Engine executables (.PCK pack files) are used to drop the loader malware, which then fetches final-stage payloads such as RedLine Stealer and the XMRig cryptocurrency miner.
4. **Evasion Tactics:**
– The loader includes mechanisms to evade detection in sandboxed environments and adds the entire C:\ drive to Microsoft Defender Antivirus exclusions.
– Current attacks primarily target Windows, but the malware can readily be adapted to infect macOS and Linux.
5. **Potential for Enhanced Attacks:**
– Attackers could modify a legitimate Godot-built game to propagate malware after acquiring the symmetric encryption key.
– Switching to asymmetric-key algorithms may help prevent such attacks.
6. **Security Implications:**
– The situation underlines the importance of users acquiring software from trusted sources to avoid falling victim to such attacks.
– The versatility of the Godot Engine across multiple platforms allows for a broader attack surface, maximizing the impact of the threats.
7. **Final Remarks:**
– The campaign highlights how cybercriminals effectively leverage legitimate platforms to bypass security controls, necessitating ongoing vigilance and improved security practices.
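A host check for the evasion tactic noted in item 4 (the whole C:\ drive added to Microsoft Defender exclusions), added here as an example that is not part of the report; it assumes a Windows host with Microsoft Defender and an elevated PowerShell session, and the drive-letter pattern it flags is the author's own choice.

```powershell
# Audit Microsoft Defender path exclusions for root-of-drive entries such as
# "C:\", the pattern GodLoader is reported to add. Added example, not from the
# original report; assumes Microsoft Defender and an elevated session.

function Test-RootDriveExclusion {
    param([string[]]$Paths)
    # Matches a bare drive root: "C:", "C:\" or "C:\*" (any drive letter)
    $rootPattern = '^[A-Za-z]:(\\\*?)?$'
    foreach ($p in $Paths) {
        if ($p -match $rootPattern) { $p }
    }
}

# 1. Live configuration as reported by the Defender cmdlets
$configured = (Get-MpPreference).ExclusionPath
$suspicious = @(Test-RootDriveExclusion -Paths $configured)

# 2. Registry view, which also shows exclusions written outside the cmdlets
#    (reading this key may be denied when Tamper Protection is on)
$regKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
if (Test-Path $regKey -ErrorAction SilentlyContinue) {
    $regPaths = (Get-Item $regKey -ErrorAction SilentlyContinue).Property
    $suspicious += @(Test-RootDriveExclusion -Paths $regPaths)
}

# 3. Configuration-change events (ID 5007) in the Defender operational log
#    record when an exclusion was added; correlate with process creation logs
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
} -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\Paths' }

if ($suspicious.Count -gt 0) {
    Write-Warning 'Root-of-drive Defender exclusions found:'
    $suspicious | Sort-Object -Unique | ForEach-Object { "  $_" }
    if ($events) {
        'Related configuration-change events (ID 5007):'
        $events | Select-Object TimeCreated, Message | Format-List
    }
} else {
    'No root-of-drive exclusions configured.'
}
```

A legitimate exclusion is normally a specific folder or file; any drive root reported here warrants a review of how and when it was added.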
**Next Steps:**
– Increase awareness and training on recognizing threats associated with open-source platforms.
– Recommend implementing protective measures against cross-platform malware threats.