Full Report
Key Points Introduction Cybercriminals constantly try to evolve their tactics and techniques, aiming to increase infections. Their need to stay undetected pushes them to innovate and discover new methods of delivering and executing malicious code, which can result in credentials theft and even ransomware encryption. Check Point Research discovered a new undetected technique that uses […] The post Gaming Engines: An Undetected Playground for Malware Loaders appeared first on Check Point Research.
Analysis Summary
# Tool/Technique: GodLoader using Godot Engine Exploitation
## Overview
GodLoader is a malware loader that leverages a novel technique to execute malicious GDScript code by exploiting the Godot Engine, a popular open-source game engine. Threat actors inject malicious scripts into game assets bundled within `.pck` files, which are then executed via the engine's legitimate functionality, achieving evasion from most antivirus engines.
## Technical Details
- Type: Malware Loader
- Platform: Cross-platform (Windows, macOS, Linux, Android, iOS targeted/demonstrated influence on Linux/MacOS)
- Capabilities: Executes crafted GDScript, downloads and deploys payloads, cross-platform infection potential, persistence via leveraging legitimate game execution environments.
- First Seen: At least June 29, 2024
## MITRE ATT&CK Mapping
No specific TIDs were provided in the text, but based on the description, the following tactics and techniques are highly relevant given its function as a loader executing arbitrary code:
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (By embedding code in GDScript within a legitimate game engine structure)
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter (specifically GDScript interpretation)
## Functionality
### Core Capabilities
- **Malicious Script Execution:** Executes crafted GDScript code embedded within game `.pck` files.
- **Payload Delivery:** Downloads and deploys secondary malware payloads (e.g., ransomware, credential stealers).
- **Evasion:** Remains undetected by most Antivirus engines on VirusTotal due to the novel execution method within a legitimate engine.
- **Distribution Leveraging Stargazers Ghost Network:** Utilized GitHub repositories associated with the "Stargazers Ghost Network" for Distribution as a Service (DaaS).
### Advanced Features
- **Multi-Platform Targeting:** Designed to infect devices across Windows, macOS, Linux, Android, and iOS via the inherent multi-platform support of Godot Engine.
- **Leveraging Legitimate Functionality:** Exploits the Godot Engine's mechanism for loading scripts (specifically using the `_ready()` callback function in `.pck` files) to execute malicious commands.
- **Anti-Analysis Capabilities:** GDScript's functionality allows for advanced evasion techniques like Anti-Sandbox and Anti-VM checks.
## Indicators of Compromise
- File Hashes: [Specific hashes not provided in the context]
- File Names: Malicious content is often disguised within game assets or downloaded content, likely exploiting the `.pck` file structure.
- Registry Keys: [Not specified in the context]
- Network Indicators: [Specific C2 or download domains were not explicitly listed and must be defanged]
- Behavioral Indicators: Execution of GDScript via Godot Engine executables when loading non-standard or recently modified `.pck` files or DLC.
## Associated Threat Actors
- Unspecified threat actor utilizing the Stargazers Ghost Network for DaaS.
## Detection Methods
- Signature-based detection: Almost all AV engines on VirusTotal failed to detect the initial loader.
- Behavioral detection: Monitoring for unusual or unexpected GDScript execution paths within legitimate Godot Engine executables, especially those triggered upon loading `.pck` files.
- YARA rules: [YARA rules were not provided in the context]
## Mitigation Strategies
- Monitoring downloaded game assets, especially `.pck` files or DLC containing GDScript, for known malicious patterns or dynamic loading.
- Restricting the execution environment for unknown or untrusted game executables.
- Vigilance regarding community-sourced games or mods, particularly those promoted through networks like the Stargazers Ghost Network.
## Related Tools/Techniques
- Exploiting open-source game engines for malware delivery.
- Distribution as a Service (DaaS) via compromised or malicious GitHub repositories.