Source: www.csoonline.com
The malware loader, GodLoader, uses crafted Godot GDScript to run malicious code and load known malware.
A malware loader, now named GodLoader, has been observed using Godot, a free and open-source game engine, as its runtime to execute malicious code, and has dropped known malware on at least 17,000 machines.
Unaware users of the engine — which helps create 2D and 3D games and deploy them across various platforms including Windows, macOS, Linux, Android, iOS, and web browsers — are tricked into downloading the loader, which poses as legitimate cracks for paid software.
“Check Point Research discovered a new technique taking advantage of Godot Engine, a popular open-source game engine, to execute crafted GDScript, code which triggers malicious commands and delivers malware,” said the researchers credited with the discovery in a blog. “The technique remains undetected by almost all antivirus engines in VirusTotal.”
Godot’s Security team has also warned users of the attack through a statement.
What is the hack?
The attack works because manipulated GDScript, the primary scripting language of the Godot engine, can reach users from unverified sources in the form of free software. Maliciously crafted GDScript can trigger nefarious commands and deliver malware.
The GodLoader payloads, hosted on Bitbucket.org, were distributed in four attack waves, with each campaign involving malicious archives downloaded thousands of times, according to researchers. Initial payloads included RedLine Stealer and XMRig cryptocurrency miners, while attackers continually refined their tactics for better evasion.
Godot’s security team clarified that the engine doesn’t register file handlers for .pck files, requiring attackers to bundle the Godot runtime (.exe) with the .pck file, making “one-click exploits” impossible without OS-level vulnerabilities.
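As an added example (not from the article or from Check Point's report), a small Python triage script that looks for the two on-disk shapes the bundling requirement implies: a genuine .pck file next to a Godot runtime executable, or a runtime with the pack embedded. It relies on Godot's pack format (the "GDPC" magic at the start of a .pck, and at the end of a self-contained executable after the 8-byte pack size); the executable extensions it pairs with are an assumption, and the sample files it scans are constructed and inert:

```python
import os
import struct
import tempfile
from pathlib import Path

PCK_MAGIC = b"GDPC"  # Godot pack header magic (0x43504447, little-endian)
PCK_MAGIC_U32 = struct.unpack("<I", PCK_MAGIC)[0]
EXECUTABLE_SUFFIXES = {".exe", ".x86_64"}  # assumption: runtime names to pair with

def is_pck(path: Path) -> bool:
    """True if the file starts with the Godot pack magic."""
    with path.open("rb") as f:
        return f.read(4) == PCK_MAGIC

def has_embedded_pck(path: Path) -> bool:
    """True if a pack is appended: [pack][u64 pack size][u32 magic] at EOF."""
    size = path.stat().st_size
    if size < 12:
        return False
    with path.open("rb") as f:
        f.seek(size - 12)
        pack_size, magic = struct.unpack("<QI", f.read(12))
    return magic == PCK_MAGIC_U32 and 0 < pack_size < size

def find_godot_bundles(root: Path) -> list[tuple[str, str]]:
    """Flag a genuine .pck beside an executable, or an executable with an embedded
    pack: the two shapes a loader needs, since Godot registers no .pck handler."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        paths = [Path(folder) / n for n in files]
        exes = [p for p in paths if p.suffix.lower() in EXECUTABLE_SUFFIXES]
        for p in paths:
            if p.suffix.lower() == ".pck" and exes and is_pck(p):
                findings.append(("pck_beside_executable", str(p)))
        findings += [("embedded_pck", str(e)) for e in exes if has_embedded_pck(e)]
    return sorted(findings)

def build_constructed_sample(root: Path) -> None:
    """Inert, constructed files that only mimic the on-disk layout."""
    (root / "crack").mkdir()
    (root / "crack" / "game.pck").write_bytes(PCK_MAGIC + b"\0" * 60)
    (root / "crack" / "launcher.exe").write_bytes(b"MZ" + b"\0" * 100)
    pack = PCK_MAGIC + b"\0" * 40
    trailer = struct.pack("<Q", len(pack)) + PCK_MAGIC  # self-contained layout
    (root / "setup.exe").write_bytes(b"MZ" + b"\0" * 100 + pack + trailer)
    (root / "notes.pck").write_bytes(b"wrong magic: not a Godot pack")

def demo() -> list[tuple[str, str]]:
    """Scan the constructed sample; returns (kind, path relative to root)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_constructed_sample(root)
        return [(k, Path(p).relative_to(root).as_posix())
                for k, p in find_godot_bundles(root)]
```

A hit is a hunting lead, not a verdict: legitimate Godot games ship in exactly this layout, so pair the finding with provenance checks such as where the archive was downloaded from.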
“The malicious GodLoader is distributed by the Stargazers Ghost Network, a GitHub network that distributes malware as a service,” the researchers said. “Throughout September and October, approximately 200 repositories and over 225 Stargazers were used to legitimize the repositories distributing the malware.”
The technique can infect devices across multiple platforms, including Windows, macOS, Linux, Android, and iOS. In the blog, the researchers demonstrated proof-of-concept (PoC) infections on Linux and macOS.
Activity by threat actors using GodLoader to deliver malware was traced back to late June 2024; by the time the campaign was reported, it had infected over 17,000 machines.
Was the Godot engine singled out for delivery?
The report by the Check Point researchers clarified that Godot isn’t particularly prone to the technique.
“As the report states, the vulnerability is not specific to Godot,” Godot’s security team added. “The Godot Engine is a programming system with a scripting language. It is akin to, for instance, the Python and Ruby runtimes. It is possible to write malicious programs in any programming language.”
The team emphasized that they “do not believe that Godot is particularly more or less suited to do so than other such programs.”
“We encourage people to only execute software from trusted sources — whether it’s written using Godot or any other programming system,” the team recommended.
Original Post url: https://www.csoonline.com/article/3614967/popular-game-script-spoofed-to-infect-thousands-of-game-developers.html
Category & Tags: Malware, Security – Malware, Security