Godzilla Loader

Godzilla Loader is a Trojan first spotted in 2018 that acts as a downloader for other malware. Once installed it connects to a command-and-control (C2) server chosen by the attacker and creates registry entries to maintain persistence. It then deletes Volume Shadow Copies, removing the local restore points a defender could otherwise use to recover files, before downloading and installing its payload. Newer versions of Godzilla Loader have added modules for keylogging, credential theft, and network propagation.
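The two host-side behaviours described above (a Run-key registry write for persistence, followed by Volume Shadow Copy deletion) are what a detection engineer would hunt for in process-creation telemetry. The following is an added example, not code from the original page or from any Godzilla Loader sample. It assumes Sysmon Event ID 1-style records reduced to Python dicts, assumes shadow copies are removed through vssadmin or wmic (the page says only that they are deleted, not how), and the sample events are constructed for illustration rather than captured from a real infection.

```python
"""Flag Run-key persistence and shadow-copy deletion in process-creation events.

Added example (not the page's code). Assumptions: events are Sysmon Event ID 1
style dicts; shadow copies are deleted via vssadmin/wmic/WMI; SAMPLE_EVENTS
below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Common ways to delete Volume Shadow Copies on Windows (assumption: the
# page does not say which one Godzilla Loader uses).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|Win32_ShadowCopy.*\.Delete\(\))",
    re.IGNORECASE,
)

# reg.exe writing a value under any hive's ...\CurrentVersion\Run or RunOnce.
RUN_KEY_WRITE = re.compile(
    r'reg(\.exe)?\s+add\s+"?HK\w+\\.*\\CurrentVersion\\Run(Once)?\b',
    re.IGNORECASE,
)


@dataclass
class Alert:
    rule: str
    pid: int
    command_line: str


def scan_events(events: Iterable[dict]) -> list[Alert]:
    """Return one Alert per event whose command line matches a rule."""
    alerts: list[Alert] = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if SHADOW_DELETE.search(cmd):
            alerts.append(Alert("shadow_copy_deletion", ev["ProcessId"], cmd))
        elif RUN_KEY_WRITE.search(cmd):
            alerts.append(Alert("run_key_persistence", ev["ProcessId"], cmd))
    return alerts


def detect_loader_chain(events: Iterable[dict]) -> list[int]:
    """Parent PIDs under which a Run-key write is later followed by
    shadow-copy deletion. Requiring both, in order, under one parent
    cuts the noise from legitimate admin use of either command alone."""
    seen_persistence: set[int] = set()
    flagged: list[int] = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        ppid = ev["ParentProcessId"]
        if RUN_KEY_WRITE.search(cmd):
            seen_persistence.add(ppid)
        elif SHADOW_DELETE.search(cmd) and ppid in seen_persistence and ppid not in flagged:
            flagged.append(ppid)
    return flagged


# Constructed sample: one loader-like parent (3320) and one benign admin parent (900).
SAMPLE_EVENTS = [
    {"ProcessId": 4012, "ParentProcessId": 3320,
     "CommandLine": 'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
                    '/v Updater /t REG_SZ /d "C:\\Users\\Public\\svchost.exe" /f'},
    {"ProcessId": 4020, "ParentProcessId": 3320,
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ProcessId": 5100, "ParentProcessId": 900,
     "CommandLine": "vssadmin list shadows"},  # benign query, must not fire
    {"ProcessId": 5120, "ParentProcessId": 900,
     "CommandLine": "C:\\Windows\\System32\\notepad.exe C:\\notes.txt"},
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"{a.rule}: pid={a.pid} cmd={a.command_line}")
    print("loader chain under parent PIDs:", detect_loader_chain(SAMPLE_EVENTS))
```

On the constructed sample, scan_events fires twice (the Run-key write and the vssadmin deletion) and detect_loader_chain reports parent PID 3320 only; the benign vssadmin list under PID 900 is ignored. In production the same rules would run against Sysmon or EDR process-creation events rather than the inline list.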

Key Insights

Godzilla Loader has been spread through several channels, most notably spam campaigns. These typically deliver malicious files compressed inside ZIP archives attached to phishing emails; some emails carry a link to the archive instead of the attachment itself. Opening the attachment or following the link starts the malware's installation process.

Evasion Techniques

Godzilla Loader uses several evasion techniques to avoid detection, including a User Account Control (UAC) bypass to gain elevated privileges without prompting the user, and code obfuscation to hinder static analysis. Together these make it harder for signature-based security products to detect and analyze the malware, so behavioral detection of its actions on the host matters more than matching the binary.

Functional Capabilities

Besides acting as a downloader, newer versions of Godzilla Loader carry additional modules:

  • Keylogging, which captures the user's keystrokes to harvest sensitive input such as passwords.

  • Credential theft, which extracts usernames and passwords stored on the host.

  • Network propagation, which spreads the malware to other reachable systems.

Known Variants

No specific named variants of Godzilla Loader are documented. Its modular architecture, however, lets new functionality be added over time, which is how the keylogging, credential theft and propagation modules appeared.

Mitigation Strategies

  • Implement robust email filtering that inspects archive attachments (including nested and password-protected ZIPs) and blocks phishing emails.

  • Educate employees about the risks of opening unsolicited attachments or clicking unknown links.

  • Use endpoint protection with behavioral detection, so that actions such as Run-key persistence and shadow-copy deletion are caught even when the loader binary is obfuscated.

  • Regularly update and patch software to fix known vulnerabilities, which reduces what a downloaded second-stage payload can exploit.
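The delivery channel described under Key Insights (an executable inside a ZIP attachment) is what the first mitigation above has to catch at the mail gateway. Below is an added example, not code from the original page or from any vendor product, of the attachment check a filter would apply. It assumes the attachment is available as raw bytes, and the archive it inspects is constructed in memory with Python's zipfile module rather than taken from a real campaign.

```python
"""Inspect a ZIP attachment for executable content before it reaches a user.

Added example (not the page's code). Assumptions: the attachment is raw
bytes; build_sample() constructs a stand-in archive, not a real sample.
Checks extension, PE magic (a payload renamed to .pdf), nested archives
(bounded depth and size), and encrypted members that cannot be inspected.
"""
import io
import zipfile

EXECUTABLE_EXT = (
    ".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".wsf",
    ".hta", ".lnk", ".bat", ".cmd", ".ps1",
)
MAX_DEPTH = 2                 # nested ZIP-in-ZIP is a common trick; bound recursion
MAX_NESTED_BYTES = 5_000_000  # do not fully decompress huge nested archives


def suspicious_members(data: bytes, depth: int = 0) -> list[tuple[str, str]]:
    """Return (member path, reason) for every member a gateway should block."""
    hits: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted: contents cannot be inspected
                hits.append((name, "encrypted member (cannot inspect)"))
                continue
            if name.lower().endswith(EXECUTABLE_EXT):
                hits.append((name, "executable extension"))
                continue
            with zf.open(info) as fh:   # read only the magic, not the whole file
                head = fh.read(2)
            if head == b"MZ":
                hits.append((name, "PE header"))
            elif (name.lower().endswith(".zip") and depth < MAX_DEPTH
                  and info.file_size <= MAX_NESTED_BYTES):
                try:
                    for inner, reason in suspicious_members(zf.read(info), depth + 1):
                        hits.append((f"{name}!{inner}", reason))
                except zipfile.BadZipFile:
                    hits.append((name, "unreadable nested archive"))
    return hits


def build_sample() -> bytes:
    """Constructed attachment: a double-extension PE, a harmless note, and a
    nested ZIP holding a PE disguised as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2018.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"please see attached")
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as izf:
            izf.writestr("statement.pdf", b"MZ" + b"\x00" * 62)
        zf.writestr("archive.zip", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in suspicious_members(build_sample()):
        print(f"BLOCK {path}: {reason}")
```

On the constructed sample the check blocks Invoice_2018.pdf.exe by extension and archive.zip!statement.pdf by its MZ header, while readme.txt passes. Reading only the first two bytes of each member keeps the filter cheap and resistant to decompression bombs; the nested-archive branch is the one place a full read happens, and it is bounded by depth and size.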

Targeted Industries or Sectors

Godzilla Loader has been used in attacks against multiple sectors, including healthcare, government and technology. Because it is a general-purpose downloader rather than a payload built for one target, it is useful to attackers across a wide range of industries.

Associated Threat Actors

While Godzilla Loader has been linked to several cyber attacks, the specific threat actors behind its deployment have not been identified. The malware is available on dark web forums, so multiple groups or individuals may be using it in their own campaigns, and its presence alone does not attribute an intrusion to any one actor.
