Hackers Exploit Popular Godot Game Engine To Spread Malware

Security researchers at Check Point Research have discovered a new malware loader, “GodLoader,” that exploits the game engine “Godot Engine.”

For those unaware, Godot Engine is a popular open-source game engine known for its versatility in 2D and 3D game development.

Its user-friendly interface and robust feature set allow developers to export games to various platforms, including Windows, macOS, Linux, Android, iOS, HTML5 (Web), and more.

Its Python-inspired scripting language, GDScript, alongside support for VisualScript and C#, makes it a favorite among developers across skill levels.

With an active and growing community of over 2,700 developers and around 80,000 social media followers, the platform’s popularity and dedicated support are undeniable.

However, the platform’s popularity has also made it a target for cybercriminals, who have leveraged its open-source nature to deliver malicious commands and malware while remaining undetected by almost all antivirus engines in VirusTotal.

In a report titled “Gaming Engines: An Undetected Playground for Malware Loaders,” the researchers say they believe that the threat actor behind the GodLoader malware has been using it since June 29, 2024, and has infected more than 17,000 devices so far.

Notably, these payloads included cryptocurrency miners like XMRig, which was hosted on a private Pastebin file uploaded on May 10, 2024. The file contained the XMRig configuration related to the campaign, which was visited 206,913 times.

The malware is distributed via the Stargazers Ghost Network, which operates as a Distribution-as-a-Service (DaaS) model, enabling the “legitimate”-looking distribution of malware through GitHub repositories.

Approximately 200 repositories and more than 225 Stargazer Ghost accounts were used to distribute GodLoader throughout September and October.

The attacks, targeting developers, gamers, and general users, were carried out in four waves via GitHub repositories on September 12, September 14, September 29, and October 3, 2024, tempting them to download infected tools and games.

“Godot uses .pck (pack) files to bundle game assets and resources, such as scripts, scenes, textures, sounds, and other data. The game can load these files dynamically, allowing developers to distribute updates, downloadable content (DLC), or additional game assets without modifying the core game executable,” Check Point researchers said in the report.

“These pack files might contain elements related to the games, images, audio files, and any other ‘static’ files. In addition to these static files, .pck files can include scripts written in GDScript (.gd). These scripts can be executed when the .pck is loaded using the built-in callback function _ready(), allowing the game to add new functionality or modify existing behavior.

“This feature gives attackers many possibilities, from downloading additional malware to executing remote payloads—all while remaining undetected. Since GDScript is a fully functional language, threat actors have many functions like anti-sandbox, anti-virtual machine measures, and remote payload execution, enabling the malware to remain undetected.”
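Because a .pck is just a directory of bundled files, a defender can inventory what a downloaded pack carries before ever launching the runtime. The following parser is an added example, not code from Check Point or the Godot project; it reads the pack directory for format versions 1 (Godot 3.x) and 2 (Godot 4.x) as laid out by Godot's pack writer (magic, version words, optional flags and file base, 16 reserved words, then the file table) and flags any embedded GDScript entries. The sample pack it parses is constructed inline.

```python
import struct

PCK_MAGIC = b"GDPC"
SCRIPT_EXTS = (".gd", ".gdc", ".gde")  # plain, compiled and encrypted GDScript


def parse_pck(data: bytes) -> dict:
    """Return engine version, format and the bundled file table of a Godot .pck."""
    if data[:4] != PCK_MAGIC:
        raise ValueError("not a Godot pack file (bad magic)")
    fmt, major, minor, patch = struct.unpack_from("<4I", data, 4)
    off, flags = 20, 0
    if fmt == 2:  # Godot 4 adds pack flags and a 64-bit file-base offset
        flags, _file_base = struct.unpack_from("<IQ", data, off)
        off += 12
    elif fmt != 1:
        raise ValueError(f"unsupported pack format version {fmt}")
    off += 16 * 4  # reserved words
    info = {"format": fmt, "version": (major, minor, patch),
            "encrypted_dir": bool(flags & 1), "files": []}
    if info["encrypted_dir"]:  # directory itself is encrypted: cannot list without the key
        return info
    (count,) = struct.unpack_from("<I", data, off)
    off += 4
    for _ in range(count):
        (plen,) = struct.unpack_from("<I", data, off)  # path length incl. 4-byte padding
        off += 4
        path = data[off:off + plen].rstrip(b"\0").decode("utf-8")
        off += plen
        ofs, size = struct.unpack_from("<QQ", data, off)
        off += 16 + 16  # offset+size, then the 16-byte MD5 of the contents
        if fmt == 2:
            off += 4  # per-file flags (bit 0 = file encrypted)
        info["files"].append((path, ofs, size))
    return info


def embedded_scripts(files) -> list:
    """Paths inside the pack that are GDScript and would run once loaded."""
    return [p for p, _, _ in files if p.lower().endswith(SCRIPT_EXTS)]


def build_sample_pck(paths) -> bytes:
    """Constructed format-1 (Godot 3.x) pack with empty entries, for demonstration only."""
    out = bytearray(PCK_MAGIC + struct.pack("<4I", 1, 3, 5, 0) + b"\0" * 64)
    out += struct.pack("<I", len(paths))
    for p in paths:
        raw = p.encode("utf-8")
        pad = (4 - len(raw) % 4) % 4
        out += struct.pack("<I", len(raw) + pad) + raw + b"\0" * pad
        out += struct.pack("<QQ", 0, 0) + b"\0" * 16
    return bytes(out)
```

A pack that reports an encrypted directory, or that lists scripts a game has no obvious reason to ship, is worth inspecting further before the accompanying runtime is executed.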

While the researchers only identified GodLoader samples specifically targeting Windows systems, they also developed a proof-of-concept exploit using GDScript, demonstrating how easily the malware could be adapted to target Linux and macOS systems.

To reduce the risks posed by threats like GodLoader, it is crucial to keep operating systems and applications updated with timely patches and exercise caution with unexpected emails or messages containing links from unknown sources.

In addition, fostering cybersecurity awareness among employees and consulting security specialists when in doubt can significantly improve protection against potential security challenges.

In response to Check Point Research’s report, Rémi Verschelde, Godot Engine maintainer and security team member, sent the following statement to BleepingComputer:

As the Check Point Research report states, the vulnerability is not specific to Godot. The Godot Engine is a programming system with a scripting language. It is akin to, for instance, the Python and Ruby runtimes. It is possible to write malicious programs in any programming language. We do not believe that Godot is particularly more or less suited to do so than other such programs.

Users who merely have a Godot game or editor installed on their system are not specifically at risk. We encourage people to only execute software from trusted sources.

For some more technical details:

Godot does not register a file handler for “.pck” files. This means that a malicious actor always has to ship the Godot runtime together with a .pck file. The user will always have to unpack the runtime together with the .pck to the same location and then execute the runtime. There is no way for a malicious actor to create a “one click exploit”, barring other OS-level vulnerabilities. If such an OS-level vulnerability were used then Godot would not be a particularly attractive option due to the size of the runtime.

This is similar to writing malicious software in Python or Ruby: the malicious actor will have to ship a python.exe or ruby.exe together with their malicious program.

Kavita Iyer, https://www.techworm.net