A new supply chain attack targeted online gamers by compromising the update mechanism of NoxPlayer, a free Android emulator for PCs and Macs; informed the Cybersecurity researchers.
The highly-targeted surveillance campaign, dubbed “Operation NightScout” by Slovak cybersecurity firm ESET that involved distributing three different malware families via tailored malicious updates to selected victims based in three countries, namely: Taiwan, Hong Kong, and Sri Lanka.
NoxPlayer, an Android emulator that allows gamers to play mobile games on PC, with support for keyboard, gamepad, script recording, and multiple instances. Estimated, to have over 150 million users with over more than 150 countries. It is developed by Hong Kong-based BigNox.
The very first signs of the ongoing attack are to have originated by sometime in September 2020, from when the compromise continued until “explicitly malicious activity” was uncovered on January 25; Thus prompting ESET to report the incident to BigNox.
Ignasio Sanmilan, an ESET researcher said, “Based on the compromised software in question and the delivered malware exhibiting surveillance capabilities, we believe this may indicate the intent of intelligence collection on targets involved in the gaming community,”
The NoxPlayer updated its mechanism and served as a vector to deliver trojanised versions of the software, to carry out the attack. After installation, it delivered three different malicious payloads such as Gh0st RAT to spy on its victims, capture keystrokes, and gather sensitive information.
“PoisonIvy RAT was only spotted in activity subsequent to the initial malicious updates and downloaded from attacker-controlled infrastructure,” Sanmillan said.
PoisonIvy RAT which was released in 2005 has been used in several high-profile malware campaigns, most notably in the 2011 compromise of RSA SecurID data.
There were no similarities between the malware loaders used in the attack between that of a compromise of Myanmar presidential office website in 2018 and a breach of a Hong Kong university in 2020. ESET stated that the operators behind the attack breached BigNox’s infrastructure to host the malware, with evidence alluding to the fact that its API infrastructure could have been compromised.
Finally, Sanmilan said, “To be on the safe side, in case of intrusion, perform a standard reinstall from clean media,” “For uninfected NoxPlayer users, do not download any updates until BigNox sends notification that they have mitigated the threat. Furthermore, [the] best practice would be to uninstall the software.”
