Cross-Platform Malware

Godot Engine, a popular open-source game engine, is being misused in a new malware campaign dubbed GodLoader that has infected over 17,000 systems since at least June 2024.

"Cybercriminals have been taking advantage of Godot Engine to execute crafted GDScript code which triggers malicious commands and delivers malware," Check Point said in a new analysis published Wednesday. "The technique remains undetected by almost all antivirus engines in VirusTotal."

It's no surprise that threat actors are constantly on the lookout for new tools and techniques that can help them deliver malware while sidestepping detection by security controls, even as defenders continue to erect new guardrails.

The latest such tool is Godot Engine, a game development platform for building 2D and 3D games that run on Windows, macOS, Linux, Android, iOS, PlayStation, Xbox, Nintendo Switch, and the web.

That multi-platform support is exactly what makes it attractive to adversaries: one set of malicious GDScript can be packaged for several operating systems, letting them infect devices at scale and widen the pool of potential victims.


"The Godot Engine's flexibility has made it a target for cybercriminals, enabling stealthy, cross-platform malware like GodLoader to spread rapidly by exploiting trust in open-source platforms," Eli Smadja, security research group manager at Check Point Software Technologies, said in a statement shared with The Hacker News. "For the 1.2 million users of Godot-developed games, the implications are profound -- not just for their devices but for the integrity of the gaming ecosystem itself. This is a wake-up call for the industry to prioritize proactive, cross-platform cyber security measures to stay ahead of this alarming trend."

What makes the campaign stand out is that it leverages the Stargazers Ghost Network – in this case, a set of about 200 GitHub repositories and more than 225 bogus accounts – as a distribution vector for GodLoader.

"These accounts have been starring the malicious repositories that distribute GodLoader, making them appear legitimate and safe," Check Point said. "The repositories were released in four separate waves, primarily targeting developers, gamers, and general users."

The counterfeit GitHub network, attributed to a threat actor tracked as Stargazer Goblin, has emerged as an attractive conduit to distribute malware or malicious links via thousands of phishing repositories masquerading as social media tools and cracked software. It's believed that the links to these repositories are disseminated via Discord channels.

Check Point told The Hacker News that the exact size of the Stargazers Ghost Network is difficult to ascertain, but that there were around 500 repositories that were starred by 7,000 accounts as of October 2024.

"The overall number is difficult to estimate as the amount of accounts is constantly changing," security researcher Antonis Terefos said. "It increases when the network operator steals GitHub accounts or even creates new ones. But also decreases by the efforts of GitHub to interrupt malicious accounts spreading malware."

"For example, in October 2024, we observed 551 malicious repositories distributing malware, while those repositories received 113,000 stars in total by 7,000 accounts. During September and November, we observed similar numbers, though not all the accounts that performed malicious activities during September were active during October, and the same goes for the accounts of October through November."

The attacks, observed on September 12, September 14, September 29, and October 3, 2024, use Godot Engine executables paired with pack (.PCK) files that carry the malicious GDScript. That script is the loader: it downloads and executes final-stage payloads such as RedLine Stealer and the XMRig cryptocurrency miner from a Bitbucket repository.


In addition, the loader includes checks to evade analysis in sandboxed and virtual environments, and it adds the entire C:\ drive to the Microsoft Defender Antivirus exclusions list so that anything it drops on the disk goes unscanned.
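A detection a defender would want for that last behaviour, given here as an added example and not as anything from Check Point's report: Microsoft Defender Antivirus records every configuration change as Event ID 5007 in its Operational log, and adding a path exclusion appears there as a new registry value under `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths`. The Go program below parses constructed messages in that shape and flags exclusions that cover a whole drive or a top-level system directory. The sample messages, the regular expression and the list of "broad" directories are this example's own assumptions; check them against the events your own Defender instances emit before relying on them.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample messages in the shape of Microsoft Defender Antivirus
// Operational log Event ID 5007 ("Configuration has changed"). Only the first
// adds a drive root as an exclusion, which is what the GodLoader loader does.
// The third lists a path under "Old value" only, i.e. an exclusion being removed.
var sampleEvents = []string{
	`5007 Microsoft Defender Antivirus Configuration has changed. Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0`,
	`5007 Microsoft Defender Antivirus Configuration has changed. Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\ExampleApp\cache = 0x0`,
	`5007 Microsoft Defender Antivirus Configuration has changed. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\Build = 0x0 New value: `,
	`1116 Microsoft Defender Antivirus has detected malware or other potentially unwanted software.`,
}

// exclusionAdded matches the registry value written when a path exclusion is added.
// Only "New value" counts; a path that appears solely under "Old value" was removed.
var exclusionAdded = regexp.MustCompile(`New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\(.+?)\s*=\s*0x[0-9A-Fa-f]+`)

// broadDirs are top-level directories an exclusion should essentially never cover.
// Heuristic list chosen for this example, not a Microsoft-published one.
var broadDirs = []string{`\users`, `\windows`, `\programdata`, `\program files`, `\program files (x86)`}

// ExclusionPath extracts the excluded path from a 5007 message, if the message adds one.
func ExclusionPath(msg string) (string, bool) {
	m := exclusionAdded.FindStringSubmatch(msg)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// IsBroadExclusion reports whether a path exclusion covers a whole drive or one of
// the directories in broadDirs, e.g. `C:\`, `c:` or `D:\Users`.
func IsBroadExclusion(path string) bool {
	p := strings.ToLower(strings.TrimSpace(path))
	if len(p) < 2 || p[1] != ':' || p[0] < 'a' || p[0] > 'z' {
		return false // UNC and environment-variable paths are out of scope for this example
	}
	rest := strings.TrimRight(p[2:], `\`)
	if rest == "" {
		return true // "C:" or "C:\" is the whole drive
	}
	for _, d := range broadDirs {
		if rest == d {
			return true
		}
	}
	return false
}

// FindBroadExclusions returns the offending paths from a batch of event messages.
func FindBroadExclusions(events []string) []string {
	var hits []string
	for _, e := range events {
		if path, ok := ExclusionPath(e); ok && IsBroadExclusion(path) {
			hits = append(hits, path)
		}
	}
	return hits
}

func main() {
	for _, h := range FindBroadExclusions(sampleEvents) {
		fmt.Printf("ALERT: overly broad Defender exclusion added: %s\n", h)
	}
}
```

Run against the constructed events, only `C:\` is reported: the application cache directory is a normal exclusion and the `D:\Build` entry is a removal, not an addition. In production the same logic would read the Operational log (or the registry key directly) rather than a string slice, and a hit on a drive root deserves the same priority as a real-time-protection tamper alert, since it blinds the scanner for everything the loader fetches afterwards.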

The cybersecurity company said GodLoader artifacts are primarily geared towards targeting Windows machines, although it noted that it's trivial to adapt them to infect macOS and Linux systems.


What's more, while the current attacks rely on the threat actors building their own Godot Engine executables, the technique could be taken a notch higher by tampering with a legitimate Godot-built game. Godot's .PCK encryption uses a symmetric key that has to be embedded in the exported executable for the engine to decrypt the pack, so anyone who recovers that key from the binary can decrypt, modify and re-encrypt the game's .PCK file and have the trusted executable run it.

This sort of attack could be averted by switching to an asymmetric-key (public-key) scheme: the developer signs the pack with a private key that never ships, the executable embeds only the corresponding public key, and a .PCK whose signature fails to verify is refused rather than loaded. The caveat is that this only protects the pack as far as the executable carrying the public key is itself trusted, which is why signing of the game binary matters as well.
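To make that difference concrete, here is an added example in Go, written for this page and not code from Godot or Check Point. It models a script pack as raw bytes, seals it under an AES-256-GCM key hard-coded in the "executable", and shows that whoever holds the binary can swap the script and re-seal it without the loader noticing; it then performs the same swap against an Ed25519-signed pack where only the public key ships, and the loader refuses it. The scripts, keys and function names are constructed for the example; the real .PCK layout and Godot's own encryption code are not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed stand-ins for a game's script pack: "the pack" here is simply the bytes the engine would hand to its script runtime.
var (
	benignScript   = []byte("extends Node\nfunc _ready():\n    print(\"hello\")\n")
	tamperedScript = []byte("extends Node\nfunc _ready():\n    OS.execute(\"evil\", [])\n") // data only, never run
	// Scenario A: AES-256 key hard-coded in the shipped executable (constructed value).
	embeddedSymmetricKey = []byte("0123456789abcdef0123456789abcdef")
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPack returns nonce || ciphertext || GCM tag, the way a loader would find it on disk.
func sealPack(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func openPack(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("pack too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// SymmetricTamperAccepted plays the attack the article describes: the key had to be in
// the binary for the engine to use it, so the attacker extracts it, decrypts the pack,
// swaps the script and re-seals. GCM's tag does not help; the attacker holds the only key.
func SymmetricTamperAccepted() (bool, error) {
	shipped, err := sealPack(embeddedSymmetricKey, benignScript)
	if err != nil {
		return false, err
	}
	if _, err := openPack(embeddedSymmetricKey, shipped); err != nil { // attacker decrypts
		return false, err
	}
	forged, err := sealPack(embeddedSymmetricKey, tamperedScript) // attacker re-encrypts
	if err != nil {
		return false, err
	}
	loaded, err := openPack(embeddedSymmetricKey, forged) // engine accepts it as genuine
	if err != nil {
		return false, err
	}
	return string(loaded) == string(tamperedScript), nil
}

// Scenario B: the pack is signed on the build machine; the executable embeds only
// the public key, so a modified pack fails verification instead of loading.
type signedPack struct{ data, sig []byte }

func loadSignedPack(pub ed25519.PublicKey, p signedPack) ([]byte, error) {
	if !ed25519.Verify(pub, p.data, p.sig) {
		return nil, errors.New("pack signature invalid: refusing to load")
	}
	return p.data, nil
}

// SignedTamperRejected: without the private key the attacker can only reuse the old
// signature, which no longer covers the bytes the engine is asked to run.
func SignedTamperRejected() (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	shipped := signedPack{data: benignScript, sig: ed25519.Sign(priv, benignScript)}
	if _, err := loadSignedPack(pub, shipped); err != nil { // genuine pack loads
		return false, err
	}
	_, err = loadSignedPack(pub, signedPack{data: tamperedScript, sig: shipped.sig})
	return err != nil, nil
}

func main() {
	a, _ := SymmetricTamperAccepted()
	b, _ := SignedTamperRejected()
	fmt.Println("symmetric key in binary, tampered pack accepted:", a, "| public key in binary, tampered pack rejected:", b)
}
```

Both scenarios authenticate the pack; the difference is who can produce a valid authenticator. With the symmetric scheme that is anyone with the executable, with the signature scheme only the holder of the private key. The scheme moves the trust anchor rather than removing it: an attacker who can patch the game binary can replace the embedded public key as well, so pack signing is a complement to, not a substitute for, running only executables that are themselves signed by a trusted party.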

In response to the findings, the Godot Security Team said the Godot Engine is a programming system with a scripting language, comparable to the Python and Ruby runtimes, and urged users to ensure that downloaded executables are signed by a trusted party and to avoid running cracked software.

"It is possible to write malicious programs in any programming language," it pointed out in a statement. "We do not believe that Godot is particularly more or less suited to do so than other such programs."

The malicious campaign serves up another reminder of how threat actors frequently leverage legitimate services and brands to evade security mechanisms, necessitating that users download software only from trusted sources.

"Threat actors have utilized Godot's scripting capabilities to create custom loaders that remain undetected by many conventional security solutions," Check Point said. "Since Godot's architecture allows platform-agnostic payload delivery, attackers can easily deploy malicious code across Windows, Linux, and macOS, sometimes even exploring Android options."

"Combining a highly targeted distribution method and a discreet, undetected technique has resulted in exceptionally high infection rates. This cross-platform approach enhances malware versatility, giving threat actors a powerful tool that can easily target multiple operating systems. This method allows attackers to deliver malware more effectively across various devices, maximizing their reach and impact."

(The story was updated after publication on December 10, 2024, to include additional insights shared by Check Point on the Stargazers Ghost Network.)

