Cybersecurity researchers today unveiled a new supply chain attack targeting online gamers by compromising the update mechanism of NoxPlayer, a free Android emulator for PCs and Macs.
Called "Operation NightScout" by Slovak cybersecurity company ESET, the highly targeted surveillance campaign involved the distribution of three different malware families through malicious updates tailored to selected victims based in Taiwan, Hong Kong, and Sri Lanka.
NoxPlayer, developed by Hong Kong-based BigNox, is an Android emulator that allows users to play mobile games on PC, with support for keyboards, gamepads, script recording, and running multiple instances. It is estimated to have over 150 million users in more than 150 countries.
The first signs of the attack are said to date back to around September 2020, and the compromise continued until "explicitly malicious activity" was uncovered on January 25, prompting ESET to report the incident to BigNox.
"Based on the compromised software and the delivered malware exhibiting surveillance capabilities, we believe this may indicate the intent to gather intelligence on targets in the gaming community," said Ignacio Sanmillan, an ESET researcher.
To carry out the attack, NoxPlayer's update mechanism served as the vector to deliver trojanized versions of the software to users. Once installed, these introduced three different malicious payloads, including Gh0st RAT, to spy on victims, capture keystrokes, and collect sensitive information.
Separately, the researchers also found instances where additional malware binaries, such as PoisonIvy RAT, were downloaded by the BigNox updater from remote servers controlled by the threat actor.
"It was only after the initial malicious updates that PoisonIvy RAT was spotted in activity and downloaded from attacker-controlled infrastructure," Sanmillan said.
First released in 2005, PoisonIvy RAT has been used in several high-profile malware campaigns, most notably in the 2011 compromise of RSA SecurID data.
Noting that the malware loaders used in the attack shared similarities with those seen in the 2018 compromise of the website of Myanmar's presidential office and the compromise of a Hong Kong university last year, ESET said the attackers breached BigNox's infrastructure to host the malware, with evidence suggesting that its API infrastructure may also have been compromised.
"To be on the safe side, in case of intrusion, perform a standard reinstall from clean media," Sanmillan said. "For uninfected NoxPlayer users, do not download any updates until BigNox sends notification that they have mitigated the threat. Furthermore, the best practice would be to uninstall the software."