• Godzilla Loader does not contain payloads, instead, downloading payloads from a remote server.
  • The malware downloader is still under development, with the malware author continually adding new features.

A new malware downloader called the Godzilla Loader has just emerged in the seedy underbelly of the cybercrime arena. The malware downloader is currently being advertised on the dark web, and costs around $500. The malware downloader is still under development, with the malware author continually adding new features.

Godzilla Loader does not contain any malicious payloads. Instead, it downloads payloads from a remote server. According to security researchers at Checkpoint, who discovered Godzilla Loader, the malware’s infection rate is fairly low.

“We’ve tried various methods of measuring the number of victims that get hit by Godzilla Loader each day, and all those methods agree that the answer is ‘not that many’. Even accounting for possible blind spots, the infection rate is almost certainly a tiny fraction compared to the numbers for Emotet,” Checkpoint security researchers wrote in a blog. “Godzilla is actively maintained, with new features being added periodically, and retails for $500, around a quarter of the asking price of its better-established competitor, Emotet.

Godzilla Loader features

The malware downloader comes with an built-in UAC bypass feature, which can allow attackers to specify any executable and run it on the infected system with administrative privileges. Godzilla Loader also comes packed with state-of-the-art detection-evading features that could help it stand out among its competitors on the dark web.

Yet another feature that stands out is the malware’s ability to automatically delete file backup shadow copies on a targeted system.

“ For most types of malicious campaigns, this feature won’t make a difference one way or the other; the only possible reason for it being there is to foil a very specific anti-Ransomware measure which operates by recovering the original files from the shadow file backups,” Checkpoint researchers added.

The malware loader employs RSA-2048 to spot the C2 server. The malware author also boasts of “double-layered fail-safe” for C2 communication. The malware also comes with a full-fledged plugin ecosystem that contains a keylogger, password-stealing and a propagation module.

“To most victims, malware is a force of nature. Zeus, Wannacry, Conficker are all vengeful gods, out to punish the common man for clicking the wrong link,” Checkpoint researchers said. “In this day and age, you can assemble a malicious campaign via a shopping list with a fraction of the technical knowledge that was once required previously.”

Cyware Publisher