{"id":1004,"date":"2024-11-29T11:08:30","date_gmt":"2024-11-29T11:08:30","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1004"},"modified":"2024-11-29T11:08:30","modified_gmt":"2024-11-29T11:08:30","slug":"popular-game-script-spoofed-to-infect-thousands-of-game-developers","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1004","title":{"rendered":"Popular game script spoofed to infect thousands of game developers"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A malware loader, now named GodLoader, has been observed using Godot, a free and open-source game engine, as its runtime to execute malicious code and has dropped known malware on at least 17,000 machines.<\/p>\n<p>Unaware users of the engine \u2014 which helps create 2D and 3D games and deploy them across various platforms including Windows, macOS, Linux, Android, iOS, and web browsers \u2014 are tricked into downloading the loader posing as legitimate cracks for the paid software.<\/p>\n<p>\u201cCheck Point Research discovered a new technique taking advantage of Godot Engine, a popular open-source game engine, to execute crafted GDScript, code which triggers malicious commands and delivers <a href=\"https:\/\/www.csoonline.com\/article\/565999\/what-is-malware-viruses-worms-trojans-and-beyond.html\">malware<\/a>,\u201d said the researchers credited with the discovery in a <a href=\"https:\/\/research.checkpoint.com\/2024\/gaming-engines-an-undetected-playground-for-malware-loaders\/\">blog<\/a>. 
\u201cThe technique remains undetected by almost all antivirus engines in VirusTotal.\u201d<\/p>\n<p>Godot\u2019s security team has also warned users of the attack through a statement.<\/p>\n<h2 class=\"wp-block-heading\">What is the hack?<\/h2>\n<p>The attack is possible because manipulated GDScript, the primary scripting language used in the Godot engine, can be picked up by users from unverified sources in the form of free software. Maliciously crafted GDScript can trigger nefarious commands and deliver malware.<\/p>\n<p>The GodLoader payloads, hosted on Bitbucket.org, were distributed in four attack waves, with each campaign involving malicious archives downloaded thousands of times, according to researchers. Initial payloads included RedLine Stealer and XMRig cryptocurrency miners, while attackers continually refined their tactics for better evasion.<\/p>\n<p>Godot\u2019s security team clarified that the engine doesn\u2019t register file handlers for .pck files, requiring attackers to bundle the Godot runtime (.exe) with the .pck file, making \u201cone-click exploits\u201d impossible without OS-level vulnerabilities.<\/p>\n<p>\u201cThe malicious GodLoader is distributed by the <a href=\"https:\/\/research.checkpoint.com\/2024\/stargazers-ghost-network\/\">Stargazers Ghost Network<\/a>, a GitHub network that distributes malware as a service,\u201d the researchers said. \u201cThroughout September and October, approximately 200 repositories and over 225 Stargazers were used to legitimize the repositories distributing the malware.\u201d<\/p>\n<p>The technique can infect devices across multiple platforms, such as Windows, macOS, Linux, Android, and iOS. 
In the blog, the researchers demonstrated proof-of-concept (PoC) infections on Linux and macOS.<\/p>\n<p>Threat actors using GodLoader to deliver malware were traced back to late June 2024, having infected over 17,000 machines by the time the campaign was reported.<\/p>\n<h2 class=\"wp-block-heading\">Was the Godot engine singled out for delivery?<\/h2>\n<p>The report by the Check Point researchers clarified that Godot isn\u2019t particularly prone to the technique.<\/p>\n<p>\u201cAs the report states, the vulnerability is not specific to Godot,\u201d Godot\u2019s security team added. \u201cThe Godot Engine is a programming system with a scripting language. It is akin to, for instance, the Python and Ruby runtimes. It is possible to write malicious programs in any programming language.\u201d<\/p>\n<p>The team emphasized that they \u201cdo not believe that Godot is particularly more or less suited to do so than other such programs.\u201d<\/p>\n<p>We encourage people to only execute software from trusted sources \u2014 whether it\u2019s written using Godot or any other programming system, the team recommended.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A malware loader, now named GodLoader, has been observed using Godot, a free and open-source game engine, as its runtime to execute malicious code and has dropped known malware on at least 17,000 machines. 
Unaware users of the engine \u2014 which helps create 2D and 3D games and deploy them across various platforms [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1005,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1004","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1004"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1004"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1004\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1005"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1004"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1004"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1004"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}