Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Check Point research. Show all posts
Windows
Check Point research CyberCrime Cyberhackers Cybersecurity Cyberthreats GodLoader Godot Game iOS Linux macOS malware Windows

Godot Game Engine Targeted in Widespread Malware Attack

 


A newly identified malware threat, GodLoader, is targeting gamers globally by exploiting the Godot game development engine, according to a report from Check Point Research. This sophisticated attack has already impacted more than 1.2 million users across various platforms. 

How GodLoader Works 

 
GodLoader infiltrates devices by leveraging Godot’s .pck files, which package game assets. These files can embed harmful scripts that execute malicious code upon launching a game, effectively bypassing traditional antivirus detection. The malware primarily targets: 

-Windows 
- macOS 
- Linux 
- Android 
- iOS 

Check Point Research reported that hackers have infected over 17,000 systems in just the past three months. By utilizing Godot’s GDScript (a Python-like scripting language), attackers distribute malware via more than 200 GitHub repositories, often masked as legitimate game assets. 

Exploitation of Open-Source Trust 


Eli Smadja, Security Research Group Manager at Check Point Software Technologies, highlighted the exploitation of open-source platforms:  

"Cybercriminals have turned the flexibility of the Godot Engine into a vulnerability, spreading cross-platform malware like GodLoader by capitalizing on the trust users place in open-source software." 

Infected computers are not only compromised but may also be converted into cryptocurrency mining rigs through XMRig, rendering them unusable for other tasks. 

Stargazers Ghost Network: Distribution-as-a-Service (DaaS) 


The attackers used the Stargazers Ghost Network to distribute GodLoader. This platform, active since 2022, employs over 3,000 ghost GitHub accounts to create networks of malicious repositories. These repositories: 

- Host info stealers like RedLine, Lumma Stealer, Rhadamanthys, and RisePro. 
- Manipulate GitHub’s trending section by starring, forking, and subscribing to their own repositories to appear legitimate. 

During a campaign between September and October 2024, Check Point discovered four separate attacks targeting developers and gamers. These attacks aimed to distribute infected tools and games, enticing users to download malware through seemingly credible GitHub repositories. 

Broader Implications and Future Risks 


The malware’s ability to target multiple platforms significantly enlarges the attack surface, posing a growing threat to the gaming community. Experts warn that attackers could embed malware into cheats, mods, or cracks for popular Godot-built games, increasing the vulnerability of millions of gamers. 

The Stargazers Ghost Network has already earned over $100,000 by distributing malware through its DaaS platform. With its continuous evolution, this network poses an ongoing threat to both developers and users of the Godot engine. 

Call to Action for Developers and Gamers 


Industry experts emphasize the urgent need for proactive cybersecurity measures to counter such threats. Recommendations include: 

- Avoid downloading game assets from unverified sources. 
- Regularly update antivirus and anti-malware software. 
- Implement robust security practices when developing or downloading games built with Godot. 

As the gaming ecosystem continues to expand, vigilance and collaboration between developers and security researchers will be critical in mitigating threats like GodLoader and ensuring a safer gaming environment.
Read more »
spear-phishing
Check Point research copyright scam cryptocurrency theft Cybersecurity Detection Infostealer malware phishing protection Rhadamanthys malware spear-phishing

Global Companies Targeted by "CopyR(ight)hadamantys" Phishing Scam Using Advanced Infostealer Malware

 

Hundreds of organizations worldwide have recently fallen victim to a sophisticated spear-phishing campaign, where emails falsely claiming copyright infringement are used to deliver an advanced infostealer malware.

Since July, Check Point Research has tracked the distribution of these emails across regions like the Americas, Europe, and Southeast Asia. Each email originates from a unique domain, and hundreds of Check Point’s clients have been targeted, suggesting the campaign's scope may be even broader.

The emails are designed to provoke recipients into downloading Rhadamanthys, a powerful infostealer capable of extracting sensitive data, such as cryptocurrency wallet information. Check Point researchers refer to the campaign as "CopyR(ight)hadamantys" and note the use of automated tools to send emails from different addresses. This automation can lead to awkward results, such as emails written in incorrect languages, limiting the emails’ ability to impersonate recognizable brands effectively. Roughly 70% of impersonated companies belong to the tech or media and entertainment sectors, including Check Point itself.

The phishing emails claim that the recipient has violated copyright laws by posting unauthorized content online. According to Sergey Shykevich, threat intelligence manager at Check Point, these accusations often cause recipients to question if they mistakenly used copyrighted material, increasing the chance they'll download the malware.

Recipients are directed to download a password-protected file, which contains a link leading to Dropbox or Discord. This file holds a decoy document, a legitimate program, and a malicious DLL (dynamic link library) that installs Rhadamanthys. Rhadamanthys stands out as one of the most sophisticated information-stealing tools sold on the dark web, priced around $1,000—significantly higher than other infostealers, which typically range from $100 to $200. Rhadamanthys is known for its modularity, obfuscation, and stealth, making detection much more challenging.

One notable feature of Rhadamanthys is its machine-learning-based OCR (optical character recognition) component. While limited in capability—it struggles with complex fonts and handwriting—this feature allows it to extract information from images and PDF files. The OCR module in the current campaign contains a dictionary of words tied to Bitcoin wallet security, suggesting a focus on cryptocurrency theft.

The CopyR(ight)hadamantys campaign aligns with financially motivated tactics, but Rhadamanthys has also been linked to state-sponsored actors, including Iran’s Void Manticore and the pro-Palestinian Handala group. Organizations are advised to enhance phishing defenses, though this campaign has an additional, unusual feature.

Once deployed, the malicious DLL creates a much larger file in the user’s Documents folder, disguised as a Firefox component. This larger version, though identical in function, uses an "overlay" of excess data, which serves two purposes: altering the file’s hash value, and potentially avoiding antivirus detection by exploiting a tendency of some programs to skip scanning large files.

According to Shykevich, organizations should monitor unusually large files downloaded via email, though legitimate files may also be large. He believes implementing effective download rules could help combat this tactic.
Read more »
Phishing Campaigns
Check Point research Cyber Attacks Foxit PDF Reader malware malicious PDF files malware malware delivery PDF Phishing Campaigns

How Attackers Distribute Malware to Foxit PDF Reader Users

 

Threat actors are exploiting a vulnerability in Foxit PDF Reader’s alert system to deliver malware through booby-trapped PDF documents, according to researchers at Check Point.

The researchers have identified several campaigns targeting Foxit Reader users with malicious PDF files. Attackers are utilizing various .NET and Python exploit builders, notably the “PDF Exploit Builder,” to create PDF documents containing macros that execute commands or scripts. These commands download and run malware such as Agent Tesla, Remcos RAT, Xworm, and NanoCore RAT.

"Regardless of the programming language, all builders exhibit a consistent structure. The PDF template used for the exploit includes placeholder text, which is meant to be replaced with the URL for downloading the malicious file once the user provides input," explained the researchers.

Additionally, threat actors are exploiting the fact that some of the pop-up alerts in Foxit Reader make the harmful option the default choice when opening these compromised files.

The first pop-up alert warns users that certain features are disabled to avoid potential security risks, giving them the option to trust the document one time only or always. The default and safer option is the former. However, once the user clicks OK, another alert appears.

Attackers are banking on users ignoring the alert text and quickly accepting the default options, thereby allowing Foxit Reader to execute the malicious command.

Foxit PDF Reader, used by over 700 million people globally, including in government and tech sectors, has been exploited by various threat actors ranging from e-crime to APT groups. These groups have been leveraging this exploit for years, often evading detection by most antivirus software and sandboxes that primarily focus on Adobe PDF Reader.

"The infection success and low detection rate have enabled PDFs to be distributed through unconventional means, such as Facebook, without being intercepted by detection rules," the researchers noted.

Check Point has reported the exploit to Foxit, and the company has announced plans to address it in version 2024 3.

"The proper approach would be to detect and disable such CMD executions. However, based on Foxit's response, they might simply change the default options to 'Do Not Open'," said Antonis Terefos, a reverse engineer at Check Point Research, to Help Net Security.

Efforts to reach Foxit for further comments have yet to receive a response.
Read more »
Subscribe to: Posts (Atom)