Full Report
A new cyber-attack technique uses Godot Engine to deploy undetectable malware via GodLoader, infecting more than 17,000 devices
Analysis Summary
# Tool/Technique: GodLoader
## Overview
GodLoader is a malware loader distributed primarily through maliciously crafted Godot Engine project files (.pck files). It abuses the way the Godot runtime executes GDScript bundled in these files to run attacker-supplied code while bypassing standard antivirus detection. It has been used to deploy secondary malware such as RedLine Stealer and the XMRig cryptocurrency miner.
## Technical Details
- Type: Malware Loader
- Platform: Windows (initially, with potential for Linux and macOS)
- Capabilities: Executes malicious GDScript code embedded within Godot .pck files, evades detection via sandbox/VM checks and Microsoft Defender exclusions, and is distributed through MaaS networks.
- First Seen: Activity reported from June 2024
## MITRE ATT&CK Mapping
* **TA0001 - Initial Access**
  * T1566 - Phishing
    * T1566.001 - Spearphishing Attachment (distribution via seemingly legitimate software/cracks)
* **TA0005 - Defense Evasion**
  * T1027 - Obfuscated Files or Information (via GDScript embedded in .pck files)
  * T1497 - Virtualization/Sandbox Evasion
* **TA0011 - Command and Control**
  * T1071 - Application Layer Protocol (implied by the secondary malware's C2)
## Functionality
### Core Capabilities
- Injects harmful GDScript code into valid Godot Engine `.pck` files.
- Bundles the malicious `.pck` file with the required Godot runtime executable (.exe) to facilitate execution.
- Downloads and executes secondary payloads (RedLine Stealer, XMRig).
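Because the loader logic lives in GDScript packed into a `.pck`, the first triage step on a suspicious bundle is to list what the archive contains and pull out the scripts. The following is an added example, not code from the original report or from the Godot project; it assumes the public PCK container layout (magic `GDPC`, pack-format version, engine version, a file directory with path/offset/size/MD5 per entry, plus directory and per-file flags in format 2) and builds a constructed sample archive so it runs offline.

```python
"""Inventory and triage the contents of a Godot .pck archive.

Added example, not from the original report or the Godot project. Assumes the
public PCK layout: "GDPC", uint32 format, engine major/minor/patch, (format 2:
uint32 flags + uint64 file base), 16 reserved uint32, uint32 file count, then
per file: uint32 path length, path, uint64 offset, uint64 size, 16-byte MD5,
(format 2: uint32 flags). The sample archive at the bottom is constructed.
"""
import hashlib
import struct

PCK_MAGIC = b"GDPC"
SCRIPT_SUFFIXES = (".gd", ".gdc", ".gde")  # GDScript: source, compiled, encrypted


def parse_pck(data):
    """Return engine version, directory flags and the file directory of a PCK blob."""
    if data[:4] != PCK_MAGIC:
        raise ValueError("not a Godot PCK (bad magic)")
    fmt, major, minor, patch = struct.unpack_from("<4I", data, 4)
    pos, file_base, dir_flags = 20, 0, 0
    if fmt == 2:                      # Godot 4: directory flags + base offset of file data
        dir_flags, file_base = struct.unpack_from("<IQ", data, pos)
        pos += 12
    elif fmt != 1:                    # format 1 is Godot 3
        raise ValueError(f"unsupported pack format {fmt}")
    pos += 16 * 4                     # reserved words
    (count,) = struct.unpack_from("<I", data, pos)
    pos += 4
    files = []
    for _ in range(count):
        (plen,) = struct.unpack_from("<I", data, pos)
        pos += 4
        path = data[pos:pos + plen].rstrip(b"\0").decode("utf-8")  # path is NUL-padded to 4
        pos += plen
        offset, size = struct.unpack_from("<QQ", data, pos)
        pos += 16
        md5 = data[pos:pos + 16].hex()
        pos += 16
        flags = 0
        if fmt == 2:
            (flags,) = struct.unpack_from("<I", data, pos)
            pos += 4
        files.append({"path": path, "offset": file_base + offset, "size": size,
                      "md5": md5, "encrypted": bool(flags & 1)})
    return {"format": fmt, "engine": f"{major}.{minor}.{patch}",
            "encrypted_directory": bool(dir_flags & 1), "files": files}


def extract(data, info, path):
    """Pull one file out of the archive and verify its stored MD5."""
    for f in info["files"]:
        if f["path"] == path:
            blob = data[f["offset"]:f["offset"] + f["size"]]
            if hashlib.md5(blob).hexdigest() != f["md5"]:
                raise ValueError(f"MD5 mismatch for {path}")
            return blob
    raise KeyError(path)


def triage(info):
    """Flag what an analyst wants first: scripts (where loader logic lives) and oddities."""
    findings = []
    if info["encrypted_directory"]:
        findings.append("directory is encrypted; contents cannot be listed without the key")
    for f in info["files"]:
        if f["path"].endswith(SCRIPT_SUFFIXES):
            findings.append(f"script: {f['path']} ({f['size']} bytes, encrypted={f['encrypted']})")
        if not f["path"].startswith("res://"):
            findings.append(f"path outside res://: {f['path']}")
    return findings


def find_embedded_pck(exe):
    """A PCK may be appended to the runtime executable; the trailer is <uint64 size>"GDPC"."""
    if len(exe) < 12 or exe[-4:] != PCK_MAGIC:
        return None
    (size,) = struct.unpack_from("<Q", exe, len(exe) - 12)
    start = len(exe) - 12 - size
    if start < 0 or exe[start:start + 4] != PCK_MAGIC:
        return None
    return exe[start:start + size]


def append_pck(exe, pck):
    """Constructed helper: bundle a PCK into a (fake) executable the way Godot embeds one."""
    return exe + pck + struct.pack("<Q", len(pck)) + PCK_MAGIC


def _pad4(n):
    return (n + 3) & ~3


def build_sample_pck(files, fmt=2, engine=(4, 2, 0)):
    """Constructed helper: write a minimal PCK in memory so the example runs offline."""
    names = [p.encode("utf-8") for p in files]
    header_len = 4 + 16 + (12 if fmt == 2 else 0) + 64 + 4
    dir_len = sum(4 + _pad4(len(n)) + 8 + 8 + 16 + (4 if fmt == 2 else 0) for n in names)
    data_start = header_len + dir_len
    out = bytearray(PCK_MAGIC + struct.pack("<4I", fmt, *engine))
    if fmt == 2:
        out += struct.pack("<IQ", 0, data_start)   # flags=0 (plain directory), file base
    out += b"\0" * 64 + struct.pack("<I", len(names))
    blob = bytearray()
    for name, content in zip(names, files.values()):
        out += struct.pack("<I", _pad4(len(name))) + name.ljust(_pad4(len(name)), b"\0")
        out += struct.pack("<QQ", len(blob) if fmt == 2 else data_start + len(blob), len(content))
        out += hashlib.md5(content).digest()
        if fmt == 2:
            out += struct.pack("<I", 0)
        blob += content
    return bytes(out + blob)


# Constructed sample: one script and one asset, as a Godot 4 (format 2) archive.
SAMPLE = build_sample_pck({"res://main.gd": b"extends Node\n", "res://icon.png": b"\x89PNG\r\n"})
```

Run `triage(parse_pck(SAMPLE))` to see the script listed; on a real bundle, call `find_embedded_pck` on the executable first, because the loader can ship the archive appended to the runtime rather than as a separate `.pck` beside it. An encrypted directory flag is itself worth noting in a report: it means static review of the scripts needs the export key.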
### Advanced Features
- Employs evasion tactics including anti-sandbox and anti-virtual machine checks.
- Attempts to configure Microsoft Defender exclusions to maintain persistence or avoid immediate detection.
- Leverages a Malware-as-a-Service (MaaS) platform (Stargazers Ghost Network) for distribution.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: Malicious archives leading to files packaged with Godot runtime.
- Registry Keys: [Not provided in the text]
- Network Indicators: Payloads hosted on `Bitbucket.org`.
- Behavioral Indicators: Execution initiated by loading a `.pck` file via the Godot runtime, presence of RedLine Stealer or XMRig components post-infection.
## Associated Threat Actors
- Stargazers Ghost Network (Malware-as-a-Service platform) is associated with its distribution.
## Detection Methods
- Signature-based detection: Can target known hashes of secondary malware (RedLine, XMRig).
- Behavioral detection: Monitor for the Godot runtime loading `.pck` files in unexpected contexts, and for subsequent attempts to add Microsoft Defender exclusions or fetch additional payloads.
- YARA rules: Could be developed targeting known GDScript structures used for initial loading or evasion checks within `.pck` files.
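The behavioral indicators above (a Godot runtime launched from an unusual location, a child process adding Defender exclusions, and payload retrieval from the hosting named in the report) can be expressed as a small correlation rule over endpoint telemetry. The following is an added example, not code from the original report; it assumes Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records already parsed into dicts, and the sample events are constructed.

```python
"""Behavioural detection for GodLoader-style activity in endpoint telemetry.

Added example, not from the original report. Assumes Sysmon-style records parsed
into dicts: EventID 1 (ProcessId, ParentProcessId, Image, CommandLine,
CurrentDirectory, optional Description) and EventID 3 (ProcessId,
DestinationHostname). SAMPLE_EVENTS below are constructed.
"""
import re

# Locations a downloaded "crack" or game bundle typically runs from (assumption; tune per estate)
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData|Desktop)|Temp|ProgramData)\\", re.I)
# Explicit .pck load on the command line. The runtime also auto-loads <exe name>.pck
# silently, so the version-info Description is checked as well (assumed to be in telemetry).
PCK_LOAD = re.compile(r"--main-pack\s+\S+|\S+\.pck\b", re.I)
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
PAYLOAD_HOSTS = ("bitbucket.org",)  # hosting named in the report; extend with your own intel


def is_godot_runtime(ev):
    """Heuristic: export binaries are usually renamed, so look at the command line
    and the binary description, not only the image name."""
    return ("godot" in ev.get("Image", "").lower()
            or "godot" in ev.get("Description", "").lower()
            or PCK_LOAD.search(ev.get("CommandLine", "")) is not None)


def _is_payload_host(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in PAYLOAD_HOSTS)


def detect(events):
    """Return (rule, ProcessId) alerts, tracking the process lineage under each Godot runtime."""
    alerts, lineage = [], set()
    for ev in events:
        if ev["EventID"] == 1:
            if is_godot_runtime(ev):
                lineage.add(ev["ProcessId"])
                if USER_WRITABLE.search(ev["Image"]) or USER_WRITABLE.search(ev.get("CurrentDirectory", "")):
                    alerts.append(("godot_runtime_from_user_writable_path", ev["ProcessId"]))
            elif ev.get("ParentProcessId") in lineage:
                lineage.add(ev["ProcessId"])   # descendants inherit suspicion
                if DEFENDER_EXCLUSION.search(ev.get("CommandLine", "")):
                    alerts.append(("defender_exclusion_from_godot_child", ev["ProcessId"]))
        elif ev["EventID"] == 3:
            if ev["ProcessId"] in lineage and _is_payload_host(ev.get("DestinationHostname", "")):
                alerts.append(("payload_host_contact_from_godot_lineage", ev["ProcessId"]))
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry: one legitimate editor launch, one loader chain, one browser
    {"EventID": 1, "ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Program Files\Godot\Godot_v4.2-stable_win64.exe",
     "CommandLine": "Godot_v4.2-stable_win64.exe --editor", "CurrentDirectory": r"C:\Program Files\Godot"},
    {"EventID": 1, "ProcessId": 200, "ParentProcessId": 50,
     "Image": r"C:\Users\alice\Downloads\Crack\game.exe",
     "CommandLine": "game.exe --main-pack data.pck", "CurrentDirectory": r"C:\Users\alice\Downloads\Crack"},
    {"EventID": 1, "ProcessId": 201, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Local\Temp"},
    {"EventID": 3, "ProcessId": 200, "DestinationHostname": "bitbucket.org"},
    {"EventID": 3, "ProcessId": 300, "DestinationHostname": "bitbucket.org"},  # unrelated browser traffic
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The editor launch from `Program Files` produces nothing, while the chain under the downloaded bundle yields three correlated alerts on the same lineage. The Bitbucket contact by itself is a weak signal (developers use it legitimately), which is why the rule only raises it for processes descending from a Godot runtime.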
## Mitigation Strategies
- Prevention measures: Users should only run software from trusted sources and be wary of software or cracks downloaded from unfamiliar repositories.
- Hardening recommendations: Developers should consider robust encryption and asymmetric-key methods to secure game assets, particularly if the threat evolves toward infecting legitimate titles. Keep systems fully patched.
## Related Tools/Techniques
- RedLine Stealer (secondary payload delivered by GodLoader)
- XMRig (secondary payload delivered by GodLoader)
- Exploitation of legitimate software packaging mechanisms for malware delivery.