Ethical Hacking News
Cybercriminals have been abusing a popular open-source game engine, Godot Engine, to distribute malware in a campaign that has infected more than 17,000 systems since at least June 2024. The operators use the engine's scripting capabilities to run malicious code inside what looks like an ordinary game runtime, which has let the loader pass conventional security products unnoticed. This article looks at what is known about the campaign and what users and developers can do about cross-platform malware built this way.
More than 17,000 systems have been infected by a malware campaign abusing Godot Engine since at least June 2024. The threat actors use the engine's GDScript scripting to execute malicious code and deliver malware. Distribution runs through GitHub repositories backed by bogus accounts, so the downloads pass for legitimate software and get past conventional security solutions. The loader evades analysis in sandboxed environments and adds the entire C:\ drive to the Microsoft Defender Antivirus exclusions list so that its payloads are never scanned. For users, the defence is to download software only from trusted sources; the suggested switch to an asymmetric-key algorithm is a change to how Godot protects packed games, not a step an end user can apply.
Threat actors have been abusing the popular open-source Godot Engine in a malware campaign that, according to Check Point, has infected more than 17,000 systems since at least June 2024. The attackers take advantage of the engine's scripting capabilities: GDScript, Godot's built-in scripting language, can run system commands, so crafted GDScript code packaged with a Godot runtime can download and execute malware while the program actually executing it is a genuine game engine binary rather than a recognisable malware executable.
This development is another reminder that threat actors routinely borrow legitimate services and brands to get past security mechanisms, which is why software should be downloaded only from trusted sources. Godot Engine is an attractive vehicle because of its popularity among game developers and its multi-platform support: games built with it run on Windows, macOS, Linux, Android, iOS, PlayStation, Xbox, Nintendo Switch and the web, so a loader written in its scripting language can in principle follow the engine to any of those platforms.
The distribution vector is a set of around 200 GitHub repositories backed by more than 225 bogus accounts that lend them an appearance of legitimacy, which has proven effective at getting the downloads past both users and conventional security tools. The attackers ship a Godot Engine runtime executable together with a pack (.PCK) file holding the malicious GDScript; when the runtime loads the pack, that script runs as the loader, which in turn downloads and executes the final-stage payloads, RedLine Stealer and the XMRig cryptocurrency miner, from a Bitbucket repository.
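Because the malicious code lives in the pack rather than in the runtime binary, a first triage step is to read the pack's directory and see which scripts it carries. The following parser is an added example written for this article, not code from Check Point or the Godot project. It follows Godot's pack layout as read by the engine's file_access_pack.cpp (format version 2 for Godot 4.x, version 1 for 3.x), handles the case where the pack is appended to the executable, and flags GDScript entries; the sample pack it parses is constructed inline, and the file names, sizes and the MZ stub in it are invented for the demonstration.

```python
"""Parse the directory of a Godot pack (.PCK) and flag the script entries.

Added example, not Check Point's or the Godot project's code.  The layout follows
Godot's pack format as read by file_access_pack.cpp: version 2 (Godot 4.x) adds a
pack-flags word, a file base offset and a per-entry flags word that version 1
(Godot 3.x) lacks.  The sample pack is constructed inline so the script runs offline.
"""
import hashlib
import struct

PCK_MAGIC = b"GDPC"                          # 0x43504447 as a little-endian u32
PCK_MAGIC_U32 = struct.unpack("<I", PCK_MAGIC)[0]
PACK_DIR_ENCRYPTED = 1 << 0                  # pack flag: the directory itself is AES-encrypted
PACK_FILE_ENCRYPTED = 1 << 0                 # entry flag: the file body is AES-encrypted
SCRIPT_SUFFIXES = (".gd", ".gdc", ".gde")    # GDScript source, bytecode, encrypted bytecode


def locate_pck(data: bytes) -> int:
    """Offset of the pack header in data, or -1.  A pack is either a stand-alone .pck
    (magic at offset 0) or appended to a Godot executable, in which case the file ends
    with <u64 pack_size>"GDPC" and the pack starts pack_size bytes before that trailer."""
    if data[:4] == PCK_MAGIC:
        return 0
    if len(data) >= 12 and data[-4:] == PCK_MAGIC:
        (pack_size,) = struct.unpack_from("<Q", data, len(data) - 12)
        start = len(data) - 12 - pack_size
        if start >= 0 and data[start:start + 4] == PCK_MAGIC:
            return start
    return -1


def parse_pck_directory(data: bytes) -> dict:
    """Header fields plus one entry per packed file (path, offset, size, md5, flags)."""
    base = locate_pck(data)
    if base < 0:
        raise ValueError("no GDPC header found")
    _, version, major, minor, patch = struct.unpack_from("<5I", data, base)
    off = base + 20
    pack_flags, file_base = 0, 0
    if version == 2:
        pack_flags, file_base = struct.unpack_from("<IQ", data, off)
        off += 12
    elif version != 1:
        raise ValueError(f"unsupported pack format version {version}")
    off += 16 * 4                            # reserved words
    (count,) = struct.unpack_from("<I", data, off)
    off += 4
    info = {"base": base, "version": version, "engine": f"{major}.{minor}.{patch}",
            "file_base": file_base, "dir_encrypted": bool(pack_flags & PACK_DIR_ENCRYPTED),
            "entries": []}
    if info["dir_encrypted"]:
        return info                          # entries are unreadable without the key
    for _ in range(count):
        (plen,) = struct.unpack_from("<I", data, off)
        path = data[off + 4:off + 4 + plen].rstrip(b"\0").decode("utf-8")  # NUL-padded to 4
        off += 4 + plen
        f_off, f_size = struct.unpack_from("<QQ", data, off)
        md5 = data[off + 16:off + 32].hex()
        off += 32
        flags = 0
        if version == 2:
            (flags,) = struct.unpack_from("<I", data, off)
            off += 4
        info["entries"].append({"path": path, "offset": f_off, "size": f_size, "md5": md5,
                                "encrypted": bool(flags & PACK_FILE_ENCRYPTED)})
    return info


def script_entries(info: dict) -> list:
    """Packed GDScript files: the code that runs when the engine loads this pack."""
    return [e["path"] for e in info["entries"] if e["path"].lower().endswith(SCRIPT_SUFFIXES)]


def entry_bytes(data: bytes, info: dict, entry: dict) -> bytes:
    """Entry offsets are relative to the file base, which is relative to the pack start."""
    start = info["base"] + info["file_base"] + entry["offset"]
    return data[start:start + entry["size"]]


def md5_matches(data: bytes, info: dict, entry: dict) -> bool:
    """The stored MD5 is an integrity check for the engine, not proof of authenticity."""
    return hashlib.md5(entry_bytes(data, info, entry)).hexdigest() == entry["md5"]


def build_sample_pck(files: dict) -> bytes:
    """Constructed test data: an unencrypted version-2 pack holding `files`."""
    entries, body = [], b""
    for path, content in files.items():
        p = path.encode("utf-8")
        p += b"\0" * (-len(p) % 4)
        entries.append((p, len(body), len(content), hashlib.md5(content).digest()))
        body += content + b"\0" * (-len(content) % 32)
    file_base = 100 + sum(40 + len(p) for p, _, _, _ in entries)   # header + directory
    file_base += -file_base % 32
    out = struct.pack("<5I", PCK_MAGIC_U32, 2, 4, 3, 0)
    out += struct.pack("<IQ", 0, file_base) + b"\0" * 64 + struct.pack("<I", len(entries))
    for p, f_off, f_size, md5 in entries:
        out += struct.pack("<I", len(p)) + p + struct.pack("<QQ", f_off, f_size) + md5
        out += struct.pack("<I", 0)
    return out + b"\0" * (file_base - len(out)) + body


def wrap_in_executable(stub: bytes, pck: bytes) -> bytes:
    """Constructed: a self-contained export, i.e. the pack appended to the runtime binary."""
    return stub + pck + struct.pack("<Q", len(pck)) + PCK_MAGIC


SAMPLE_FILES = {   # constructed contents standing in for a project's assets and scripts
    "res://project.binary": b"\x00" * 40,
    "res://main.tscn": b"[gd_scene format=3]\n",
    "res://loader.gd": b"extends Node\nfunc _ready():\n\tpass\n",
}
```

Run `parse_pck_directory` on a downloaded `.pck`, or on the game executable itself when no separate pack is present, and `script_entries` lists the GDScript that will execute; a pack whose directory is flagged encrypted cannot be listed this way and needs the key. The MD5 field is worth understanding for what it is: the engine uses it to detect corruption, and anyone who can edit the pack can recompute it, so a matching digest says nothing about who produced the file.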
The loader also checks for sandboxed and virtual environments and stops before doing anything analysable there, and it adds the entire C:\ drive to the Microsoft Defender Antivirus exclusions list, which switches off scanning for every file on the system drive, so the payloads it drops afterwards are never inspected. Neither technique is novel on its own; what makes the combination effective is that the code doing it is a script executed by a genuine game engine binary rather than a conventional malware executable.
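A drive-root exclusion is loud if anyone is listening: Defender records every configuration change as Event ID 5007 in its Operational log, naming the registry value under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions that was added. The detection logic below is an added example for this article, not from Check Point or the original report; it rates exclusions by how much of the system they remove from scanning and runs over constructed sample messages that approximate the 5007 text (they are not real log entries). The same rating can be applied to the live exclusion list returned by `Get-MpPreference`.

```python
"""Flag Microsoft Defender exclusions broad enough to blind the scanner.

Added example, not from Check Point or the original article.  Defender logs Event ID
5007 ("configuration has changed") when an exclusion is added; the message names the
registry value under HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions.  The
sample lines below are constructed to approximate that message, not real logs.
"""
import re
from pathlib import PureWindowsPath

# "... New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0"
EXCLUSION_RE = re.compile(
    r"Windows Defender\\Exclusions\\(?P<kind>Paths|Extensions|Processes)\\"
    r"(?P<value>.+?)\s*=\s*0x[0-9a-f]+",
    re.IGNORECASE,
)
BROAD_TOP_LEVEL = {"users", "windows", "programdata"}   # trees malware commonly writes into


def exclusion_severity(kind: str, value: str) -> str:
    """Rate how much of the system an exclusion removes from on-access scanning."""
    if kind.lower() == "extensions":
        return "high"          # ".exe" or ".dll" skips every file of that type, anywhere
    if kind.lower() == "processes":
        return "medium"        # files touched by the named process are not scanned
    parts = [s.strip("\\").lower() for s in PureWindowsPath(value.strip()).parts]
    if len(parts) <= 1:        # "C:\" or "C:" -- the whole drive, as this loader does
        return "critical"
    if len(parts) == 2 and "*" in parts[1]:
        return "critical"      # "C:\*" is the drive root spelled with a wildcard
    if parts[1] in BROAD_TOP_LEVEL and len(parts) <= 3:
        return "high"          # e.g. C:\Users, C:\Users\<name>, C:\Windows
    return "low"


def parse_5007(message: str):
    """(kind, value) of the exclusion an Event 5007 message reports, or None."""
    m = EXCLUSION_RE.search(message)
    if not m:
        return None
    return m.group("kind").title(), m.group("value").strip()


def triage(messages) -> list:
    """Exclusion additions found in a stream of 5007 messages, rated by breadth."""
    findings = []
    for msg in messages:
        parsed = parse_5007(msg)
        if parsed:
            kind, value = parsed
            findings.append({"kind": kind, "value": value,
                             "severity": exclusion_severity(kind, value)})
    return findings


def audit_paths(paths) -> list:
    """The same rating applied to the live list, e.g. the output of
    Get-MpPreference | Select-Object -ExpandProperty ExclusionPath."""
    return [p for p in paths if exclusion_severity("Paths", p) in ("critical", "high")]


SAMPLE_5007 = [   # constructed; shaped like Defender's Event ID 5007 message text
    "Microsoft Defender Antivirus Configuration has changed. Old value:  New value: "
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ = 0x0",
    "Microsoft Defender Antivirus Configuration has changed. Old value:  New value: "
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\Godot\\ = 0x0",
    "Microsoft Defender Antivirus Configuration has changed. Old value:  New value: "
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.exe = 0x0",
    "Microsoft Defender Antivirus Configuration has changed. Old value:  New value: "
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x5",
]
```

Feed `triage` the message text of 5007 events exported from the Microsoft-Windows-Windows Defender/Operational log and alert on anything rated critical or high; a fresh drive-root entry on a workstation has no legitimate explanation. Note that tamper protection, where enabled, blocks exclusion changes made through the usual administrative interfaces, which is another reason an exclusion appearing in the log from an unexpected process deserves a look.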
More concerning is where this could go. The current attacks use custom-built Godot executables, but Godot can also encrypt a game's .PCK, and that encryption is symmetric: the same key that decrypts the pack has to be present in the shipped game for it to load its own content. An attacker who extracts that key from a legitimate Godot-built game can decrypt its pack, alter the scripts, re-encrypt it and redistribute the game, so that a trusted, unmodified runtime executes the tampered code. That would be considerably harder to identify and mitigate than a bespoke loader.
The mitigation for that scenario lies with the engine rather than with end users. The suggested change is to switch to an asymmetric-key algorithm (public-key cryptography): with a key pair, the secret needed to produce a pack that the game will accept stays with the developer, and the shipped binary carries only the public half, which cannot be used to forge a tampered pack. This does nothing against the current campaign, where the attackers build and ship their own Godot runtime and simply skip any such check; it addresses the tampered-legitimate-game scenario.
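The difference between the two designs is easiest to see in code. The example below is added for this article and is not Godot's implementation: Godot's real scheme encrypts the pack with AES-256 using a key compiled into the exported game, and the example stands in an HMAC-SHA256 tag for that encryption so it needs only the standard library, since the argument is the same for any symmetric scheme. The asymmetric side uses textbook RSA over two Mersenne primes, a toy with no padding that is not for real use, chosen only to show that the public key in the binary does not let anyone re-sign a modified pack. The "game binary", its key marker and the pack contents are all constructed.

```python
"""Why a symmetric pack key shipped inside the game cannot stop tampering.

Added example, not Godot's or Check Point's code.  Godot encrypts packs with AES-256
using a key compiled into the exported game; here the protection is reduced to an
HMAC-SHA256 tag so only the standard library is needed, because the argument is the
same for any symmetric scheme: whatever secret the binary holds in order to accept a
pack, an attacker can lift from the binary and reuse.  The asymmetric alternative is
textbook RSA over two Mersenne primes, a toy with no padding and not for real use,
chosen only to show that a verification key in the binary does not let anyone re-sign.
"""
import hashlib
import hmac
import os

ORIGINAL_PACK = b"GDPC" + b"res://main.gd: extends Node\n"   # constructed stand-in for a .PCK
PAYLOAD = b"res://loader.gd: extends Node\n"                 # constructed stand-in for injected script

# --- symmetric design: one key both seals the pack and lets the game accept it ---------
EXPORT_KEY = os.urandom(32)
GAME_BINARY = b"MZ\x90" * 8 + b"KEY:" + EXPORT_KEY + b"\x00" * 16   # constructed "shipped game"


def seal_symmetric(pack: bytes, key: bytes) -> bytes:
    return pack + hmac.new(key, pack, hashlib.sha256).digest()


def game_accepts_symmetric(sealed: bytes, key: bytes):
    """The game's own check; returns the pack body on success, None otherwise."""
    body, tag = sealed[:-32], sealed[-32:]
    return body if hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag) else None


def extract_key_from_binary(binary: bytes) -> bytes:
    """Whoever has the game has the key: here behind a marker, in reality behind some reversing."""
    return binary[binary.index(b"KEY:") + 4:][:32]


def attacker_retamper(binary: bytes, sealed: bytes, payload: bytes) -> bytes:
    key = extract_key_from_binary(binary)
    body = game_accepts_symmetric(sealed, key)      # the same key opens the pack ...
    return seal_symmetric(body + payload, key)       # ... and seals the tampered one


# --- asymmetric design: the binary holds only the public half --------------------------
P, Q = 2**521 - 1, 2**127 - 1                        # Mersenne primes; toy RSA, ~648-bit modulus
N, E = P * Q, 65537                                  # public: compiled into the game
D = pow(E, -1, (P - 1) * (Q - 1))                    # private: stays with the developer


def _digest_int(pack: bytes) -> int:
    return int.from_bytes(hashlib.sha256(pack).digest(), "big")   # 256-bit, so below N


def developer_sign(pack: bytes, exponent: int = D) -> int:
    return pow(_digest_int(pack), exponent, N)


def game_accepts_signed(pack: bytes, sig: int, e: int = E) -> bool:
    return pow(sig, e, N) == _digest_int(pack)
```

With the symmetric scheme, `attacker_retamper` produces a pack the game accepts; with the key pair, the same edit fails verification, and signing with the only exponent the binary contains, E, does not produce a valid signature either. The caveat that matters for this campaign: a verification check is only worth as much as the binary performing it. Attackers who distribute their own Godot runtime, as they do here, simply leave the check out.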
For users, the practical step is to download software only from trusted sources. Threat actors routinely borrow the credibility of legitimate services and brands, and this campaign's GitHub repositories were surrounded by hundreds of bogus accounts precisely so they would pass a casual legitimacy check; a repository's apparent activity is not a trust signal by itself. Combined with a periodic look at Defender's exclusion list for entries nobody remembers adding, this significantly reduces the risk from this cross-platform malware campaign.
In conclusion, the recent exploitation of Godot Engine by cybercriminals highlights the ongoing cat-and-mouse game between threat actors and cybersecurity experts. While it is essential to acknowledge the sophistication and effectiveness of this new attack vector, it also underscores the importance of staying vigilant and taking proactive measures to protect oneself from emerging threats.
Related Information:
https://thehackernews.com/2024/11/cybercriminals-exploit-popular-game.html
Published: Thu Nov 28 05:31:54 2024 by llama3.2 3B Q4_K_M