Godzilla Loader is a Trojan first observed in 2018 that acts as a downloader for other malware. Once installed, it connects to an attacker-specified command-and-control (C2) server and creates registry entries so that it is relaunched after a reboot. It then deletes Volume Shadow Copies, removing the local restore points a victim could otherwise use to roll the system back, before downloading and installing its payload. Newer versions have added modules for keylogging, credential theft, and network propagation.
Godzilla Loader has been distributed through several channels, most commonly spam campaigns. These deliver malicious files compressed in ZIP archives either as attachments to phishing emails or behind links in them; opening the attachment, or following the link and running the file it serves, starts the malware's installation.
Evasion Techniques
Godzilla Loader uses several evasion techniques to avoid detection. It includes a User Account Control (UAC) bypass, which lets it run with elevated privileges without showing the consent prompt that would alert the user, and its code is obfuscated to hinder static analysis. Together these make it difficult for signature-based security solutions to detect and analyze the malware, so detection is more reliable when it keys on the loader's behaviour on the host than on its file content.
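Because the loader's code is obfuscated, a practical detection keys on the behaviours described above rather than on file signatures: a Run-key value being set, and Volume Shadow Copies being deleted by a process spawned from the persisted binary. The following Python is an added example of that logic, not code from the original page or from any analysis of Godzilla Loader; the Sysmon-style events are constructed for illustration, and the vssadmin/wmic command patterns are generic shadow-copy-deletion indicators assumed here, not commands the page attributes to this malware.

```python
import re

# Constructed Sysmon-style events (not real Godzilla Loader telemetry).
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 13, "Host": "WS01", "ProcessId": 4412,
     "Image": r"C:\Users\alice\AppData\Roaming\svchost32.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svchost32.exe"},
    {"EventID": 1, "Host": "WS01", "ProcessId": 4480, "ParentProcessId": 4412,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\svchost32.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 13, "Host": "WS02", "ProcessId": 900,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 1, "Host": "WS02", "ProcessId": 910, "ParentProcessId": 2,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe list shadows"},
]

# Autostart locations the page describes the loader using (Run / RunOnce).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories a phishing-delivered payload typically drops into (assumed heuristic).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
# Generic shadow-copy deletion commands (assumed indicators, not page-specific).
SHADOW_DELETE_RE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)


def check_run_key_persistence(ev):
    """Flag a Run/RunOnce value being set; payloads in user-writable paths rate higher."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    payload = ev.get("Details", "")
    severity = "high" if USER_WRITABLE_RE.search(payload) else "low"
    return {"rule": "run_key_persistence", "severity": severity,
            "host": ev["Host"], "payload": payload.lower()}


def check_shadow_copy_deletion(ev):
    """Flag shadow-copy deletion; benign uses such as 'vssadmin list shadows' pass."""
    if ev.get("EventID") != 1 or not SHADOW_DELETE_RE.search(ev.get("CommandLine", "")):
        return None
    return {"rule": "shadow_copy_deletion", "severity": "high",
            "host": ev["Host"], "parent": ev.get("ParentImage", "").lower()}


def analyze(events):
    """Run both rules, then correlate: a shadow-copy deletion whose parent process
    is a binary that registered Run-key persistence on the same host is escalated
    to 'critical', since that chain matches the loader behaviour described above."""
    alerts = [a for ev in events
              for a in (check_run_key_persistence(ev), check_shadow_copy_deletion(ev)) if a]
    persisted = {(a["host"], a["payload"]) for a in alerts if a["rule"] == "run_key_persistence"}
    for a in alerts:
        if a["rule"] == "shadow_copy_deletion" and (a["host"], a["parent"]) in persisted:
            a["severity"] = "critical"
            a["note"] = "parent process previously registered Run-key persistence"
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, WS01 produces a high-severity persistence alert followed by a critical shadow-copy-deletion alert (the vssadmin parent is the same AppData binary that wrote the Run key), while WS02's vendor installer and `vssadmin list shadows` produce only a low-severity persistence alert and no deletion alert. In production the same two rules map directly onto Sysmon Event IDs 13 and 1, or onto the equivalent EDR process and registry telemetry.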
Functional Capabilities
In addition to its downloader role, newer versions of Godzilla Loader carry extra modules: a keylogger that captures the user's keystrokes to harvest sensitive information; a credential-theft module that collects usernames and passwords stored on the system; and a network-propagation module that spreads the infection to other connected systems.
Mitigation
Implement robust email filtering to detect and block phishing emails, including those carrying ZIP attachments with executable content.
Educate employees about the risks of opening unsolicited attachments or clicking unknown links.
Use endpoint protection that detects behaviour such as Run-key persistence and shadow copy deletion, not only file signatures, since the loader's code is obfuscated.
Regularly update and patch software to fix known vulnerabilities.
Keep backups that are offline or otherwise isolated from the endpoint, since the loader deletes Volume Shadow Copies before installing its payload.