Don’t Touch NoxPlayer, You May Catch POISONIVY

Cybersecurity researchers disclosed in February 2020 a new supply chain attack targeting online gamers by compromising the update mechanism of NoxPlayer, a free Android emulator for PCs and Macs. Named "Operation NightScout" by Slovak cybersecurity firm ESET, the highly targeted surveillance campaign involved distributing three different malware families via tailored malicious updates to selected victims based in Taiwan, Hong Kong, and Sri Lanka.

NoxPlayer, developed by Hong Kong-based BigNox, is an Android emulator that allows users to play mobile games on PC, with support for keyboard, gamepad, script recording, and multiple instances. It is estimated to have over 150 million users in more than 150 countries. First signs of the ongoing attack are said to have originated around September 2020, from when the compromise continued until "explicitly malicious activity" was uncovered on 25 January 2021, prompting ESET to report the incident to BigNox.

"Based on the compromised software in question and the delivered malware exhibiting surveillance capabilities, we believe this may indicate the intent of intelligence collection on targets involved in the gaming community," said ESET researcher Ignacio Sanmillan. To carry out the attack, the NoxPlayer update mechanism served as the vector to deliver trojanized versions of the software to users that, upon installation, delivered three different malicious payloads such as Gh0st RAT to spy on its victims, capture keystrokes, and gather sensitive information.

Separately, researchers also found instances where additional malware binaries like POISONIVY RAT were downloaded by the BigNox updater from remote servers controlled by the threat actor. "POISONIVY RAT was only spotted in activity subsequent to the initial malicious updates and downloaded from attacker-controlled infrastructure," Sanmillan said.

POISONIVY, also known as POISON, is a popular Remote Administration Tool (RAT) backdoor available in the underground market. It has been in circulation for years. In more recent times, this family of backdoors has been seen in targeted attacks.

Similar to ZEUS and SPYEYE, POISONIVY has a toolkit/builder which can be purchased or downloaded from the underground forums selling such tools. The builder can be customized to cater to the needs of its buyers. Its variants can be configured to do any or all of the following:

  • Capture screen, audio, and webcam
  • List active ports
  • Log keystrokes
  • Manage open windows
  • Manage passwords
  • Manage registry, processes, services, devices, and installed applications
  • Perform multiple simultaneous transfers
  • Perform remote shell
  • Relay server
  • Search files
  • Share servers
  • Update, restart, or terminate itself

Most POISONIVY variants are capable of copying themselves into an NTFS Alternate Data Stream (ADS), where the payload is hidden from ordinary directory listings and so avoids detection.
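As an added defensive example (not code from the Red Sky Alliance or ESET reports), the following PowerShell walks a directory tree and reports every file that carries a non-default alternate data stream, the hiding technique described above, flagging streams that begin with a PE header for triage. The scan root and the allow-list of benign stream names are assumptions to adjust for your environment.

```powershell
# Added example: enumerate files carrying non-default NTFS alternate data streams.
# Assumed parameters: the scan root and an allow-list of stream names treated as benign.
param(
    [string]$Root = 'C:\Users\Public',                       # assumed scan root
    [string[]]$Benign = @(':$DATA', 'Zone.Identifier')        # primary stream + mark-of-the-web
)

function Get-SuspiciousAds {
    param([string]$Path, [string[]]$Ignore)

    # Windows PowerShell 5.1 reads raw bytes with -Encoding Byte; PowerShell 7 uses -AsByteStream.
    $byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
                else { @{ Encoding = 'Byte' } }

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream on the file, including the primary ':$DATA'.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $Ignore -notcontains $_.Stream } |
                ForEach-Object {
                    # Peek at the first two bytes of the hidden stream: 'MZ' (0x4D 0x5A) marks a PE image.
                    $hdr = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -TotalCount 2 `
                               -ErrorAction SilentlyContinue @byteArgs
                    [pscustomobject]@{
                        File    = $file.FullName
                        Stream  = $_.Stream
                        Bytes   = $_.Length
                        LooksPE = ($hdr -and $hdr.Count -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
                    }
                }
        }
}

# Report findings; any row with LooksPE = True deserves immediate review.
Get-SuspiciousAds -Path $Root -Ignore $Benign | Format-Table -AutoSize
```

Run it from an elevated prompt so hidden and system files are readable; the same stream data can be pulled out for analysis with `Get-Content -Stream <name>` on a flagged file.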

Cyber threat investigators will remember the older versions of this malware, first released in 2005. POISONIVY RAT has been used in several high-profile malware campaigns, most notably in the 2011 compromise of RSA SecurID data. During the same year, it was used in the "Nitro" campaign that targeted government organizations, chemical manufacturers, human rights groups, and defense contractors. Noting that the malware loaders used in the attack shared similarities with those of a compromise of the Myanmar presidential office website in 2018 and a breach of a Hong Kong university last year, ESET said the operators behind the attack breached BigNox's infrastructure to host the malware, with evidence alluding to the fact that its API infrastructure could have been compromised.

"To be on the safe side, in case of intrusion, perform a standard reinstall from clean media," Sanmillan said. "For uninfected NoxPlayer users, do not download any updates until BigNox sends notification that they have mitigated the threat. Furthermore, [the] best practice would be to uninstall the software."

Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.


Reporting: https://www.redskyalliance.org/

Website: https://www.wapacklabs.com/

LinkedIn: https://www.linkedin.com/company/wapacklabs/

Twitter: https://twitter.com/wapacklabs?lang=en

Weekly Cyber Intelligence Briefings:

https://attendee.gotowebinar.com/register/8782169210544615949

TR-21-039-003_PoisonIvy.pdf


https://thehackernews.com/2021/02/a-new-software-supplychain-attack.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29&_m=3n.009a.2410.xd0ao06vq7.1ish
