Posted on February 3, 2021 at 1:15 PM
NoxPlayer Android Emulator Update Mechanism Compromised to Deliver Three Malware Variants
Researchers at ESET have discovered a supply chain attack that compromised the update mechanism of NoxPlayer, a popular Android emulator.
NoxPlayer has over 150 million users in more than 150 countries. It is used mainly by gamers who want to run mobile games on a PC.
The researchers stated that the threat actors delivered malware to only a small number of users in Asia: ESET said it identified five compromised machines, with victims in countries such as Sri Lanka, Hong Kong, Taiwan, and Syria.
However, it is likely that more victims in the region have been compromised.
The attack targeted BigNox, the company that makes NoxPlayer, a desktop client that runs Android apps on Windows or macOS.
According to ESET, the attackers breached at least one of BigNox's file hosting servers and its official API server (api.bignox.com). With that access, they altered the download URL that the API returns for NoxPlayer updates, so that selected users were served malicious payloads in place of legitimate updates.
Attackers employed three different malware variants
ESET researchers, who named the campaign “Operation NightScout”, reported that the threat actors used three different malware variants. The researchers believe it is an espionage campaign, since there was no sign of any financial motive.
“Three different malware families were spotted being distributed from tailored malicious updates to selected victims,” ESET stated.
ESET also published technical details and indicators of compromise so that NoxPlayer users can check whether their systems were affected, along with guidance on cleaning up a compromised machine.
While the researchers did not attribute the campaign to a known hacking group, the report noted similarities with malware used in an earlier attack on Myanmar government websites.
Supply chain attacks have become more frequent in recent times, but the researchers pointed out that Operation NightScout stands out: hijacking the update mechanism of a gaming emulator is an unusual vector for a cyberespionage operation against desktop users.
When the victim launches NoxPlayer, the client contacts the update API and the user is prompted to install an update.
Because the download URL in the API response had been altered, accepting the update fetches the attacker's payload rather than the legitimate one, and the malware is installed with the privileges of the updater. ESET observed three malware families delivered this way: a previously undocumented first-stage malware with monitoring capabilities, and two known remote access Trojans, a Gh0st RAT variant with keylogging capabilities and PoisonIvy.
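The update hijack described above (an API server handing back an altered download URL, and a file host serving the attacker's binary at that URL) is simulated below as an added example; this is not BigNox's or ESET's code, and the hostnames, payload bytes and signing key are constructed stand-ins. It contrasts an updater that trusts whatever URL the API returns with one that verifies a signed manifest before fetching anything. The manifest signature uses HMAC only so the example runs with the standard library; a real release-signing scheme would use an asymmetric key whose private half never sits on the API or file servers, which is the property that matters here.

```python
"""Simulated update client: trusting the API-supplied URL versus verifying a
signed manifest. Added example; hosts, keys and payloads are constructed."""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed sample payloads standing in for installer binaries.
GOOD_PAYLOAD = b"legitimate-installer-bytes-7.0.1"
EVIL_PAYLOAD = b"trojanized-installer-bytes"

# Hypothetical vendor download host; the real hostnames are not used.
ALLOWED_DOWNLOAD_HOSTS = {"res.vendor.example"}

# Stand-in for an offline release-signing key. In production this would be an
# asymmetric pair (client ships only the public key), so an attacker who owns
# the API or file servers cannot mint valid signatures. HMAC keeps it stdlib.
RELEASE_SIGNING_KEY = b"offline-release-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict) -> str:
    """Signature over the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(RELEASE_SIGNING_KEY, body, hashlib.sha256).hexdigest()


def version_key(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


# Constructed "file hosting": the bytes a client gets back for each URL.
FILES = {
    "https://res.vendor.example/update/7.0.1.exe": GOOD_PAYLOAD,
    "https://attacker.example/update/7.0.1.exe": EVIL_PAYLOAD,
}


def vulnerable_update(api_response: dict, files: dict = FILES) -> bytes:
    """Follows whatever URL the API returns: a compromised API server or
    file host is enough to hand this client the attacker's binary."""
    return files[api_response["manifest"]["url"]]


class UpdateRejected(Exception):
    pass


def hardened_update(api_response: dict, installed_version: str,
                    files: dict = FILES) -> bytes:
    manifest = api_response["manifest"]
    # 1. Verify the manifest signature before acting on anything inside it.
    if not hmac.compare_digest(sign_manifest(manifest),
                               api_response.get("signature", "")):
        raise UpdateRejected("manifest signature invalid")
    # 2. Refuse downgrades and replays of older, validly signed manifests.
    if version_key(manifest["version"]) <= version_key(installed_version):
        raise UpdateRejected("not newer than installed version")
    # 3. Only fetch over TLS from the expected hosts.
    url = urlparse(manifest["url"])
    if url.scheme != "https" or url.hostname not in ALLOWED_DOWNLOAD_HOSTS:
        raise UpdateRejected(f"unexpected download location {manifest['url']}")
    # 4. Bind the downloaded bytes to the digest in the signed manifest.
    blob = files[manifest["url"]]
    if not hmac.compare_digest(sha256_hex(blob), manifest["sha256"]):
        raise UpdateRejected("payload digest mismatch")
    return blob


def try_update(api_response: dict, installed_version: str,
               files: dict = FILES) -> str:
    """Outcome of hardened_update as a string, for logging or asserting."""
    try:
        hardened_update(api_response, installed_version, files)
        return "installed"
    except UpdateRejected as exc:
        return f"rejected: {exc}"


def legitimate_response() -> dict:
    manifest = {"version": "7.0.1",
                "url": "https://res.vendor.example/update/7.0.1.exe",
                "sha256": sha256_hex(GOOD_PAYLOAD)}
    return {"manifest": manifest, "signature": sign_manifest(manifest)}


def redirected_response() -> dict:
    """API server compromised: URL rewritten to an attacker host and digest
    updated to match, but the attacker cannot recompute the signature."""
    resp = legitimate_response()
    manifest = dict(resp["manifest"])
    manifest["url"] = "https://attacker.example/update/7.0.1.exe"
    manifest["sha256"] = sha256_hex(EVIL_PAYLOAD)
    return {"manifest": manifest, "signature": resp["signature"]}


def swapped_file_hosting() -> dict:
    """File host compromised: the legitimate URL now serves a trojan."""
    files = dict(FILES)
    files["https://res.vendor.example/update/7.0.1.exe"] = EVIL_PAYLOAD
    return files
```

Running `try_update(redirected_response(), "7.0.0")` returns `rejected: manifest signature invalid`, and `try_update(legitimate_response(), "7.0.0", swapped_file_hosting())` returns `rejected: payload digest mismatch`, while `vulnerable_update` happily returns the trojanized bytes in both cases. The host allowlist on its own would not have helped in the NoxPlayer case, since the attackers also controlled a vendor file server; it is the signature over the manifest, made with a key the compromised servers never held, that breaks the attack.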
Attack under investigation
ESET found evidence that BigNox's infrastructure had been compromised since at least September 2020. However, the malicious updates were delivered only to selected victims, while the vast majority of users received legitimate updates. This indicates a highly targeted operation aimed at a small set of users rather than a mass infection.
ESET said BigNox initially denied having been compromised. “We have contacted BigNox about the intrusion, and they denied being affected,” ESET stated.
After the report was published, the company said it was working with ESET to investigate the attack.
BigNox and ESET also said they had seen operational similarities between this attack and a group known as Stellera, and that a report on the connection would follow.
Third supply chain attack discovered within two months
This is the third supply chain attack ESET has uncovered within two months.
The first involved Able Desktop, software used by Mongolian government agencies; the second compromised the Vietnam Government Certification Authority (VGCA).
The campaign has also been compared to the SolarWinds attack, although no link between the two has been established. The common element is delivery through a software update: NoxPlayer users received the malicious payloads when the client updated itself.
ESET said it is assisting BigNox with the investigation into how the servers were compromised and with remediation.