Noxplayer Supply-Chain Attack Targets Governments, Religious Organizations, Electronics Manufacturers and Universities

Researchers from ESET in recent times linked a stealthy cyberespionage group, active since 2014 known as Gelsemium. It is believed that Gelsemium is responsible for the Supply-Chain attack against BigNox, previously reported as Operation NightScout.

The victims of these campaigns are located in East Asia as well as the Middle East and include governments, religious organizations, electronics manufacturers, and universities.

Gelsemium Attack Flow

In Gelsemium’s workflow, in-depth configurations implanted at each stage, modify on-the-fly settings for the final payload, make it harder.

Gelsemium Attack Flow

Gelsemium’s first stage is the dropper, which contains multiple further stages’ binaries. Dropper sizes range from about 400 kB to 700 kB, which is larger if the eight embedded executables were not compressed.

This large executable is hidden in a complex however flexible mechanism that can drop different stages according to the characteristics of the victim computer, such as bitness (32-bit vs. 64-bit) or privilege (standard user vs. administrator).

The next component is a loader that retrieves Gelsevirine and executes it. There are two different versions of the loader – both of them are DLLs, they differ in the context where Gelsemine is executed.

Experts say that users with standard privileges compromised by Gelsemine drop Gelsenicine under a different directory that does not require administrator privileges. Gelsevirine capable of loading additional plug-ins provided by the command-and-control (C2) server.

Hence, Gelsemium’s first stage is a C++ dropper named “Gelsemine,” which deploys a loader “Gelsenicine” onto the target system, which, in turn, retrieves and executes the main malware “Gelsevirine” that’s capable of loading additional plug-ins provided by the command-and-control (C2) server.

The adversary is said to have been behind a supply chain attack aimed at BigNox’s NoxPlayer, in a campaign dubbed “Operation NightScout,” in which the software’s update mechanism was compromised to install backdoors such as Gh0st RAT and PoisonIvy RAT to spy on its victims, capture keystrokes, and gather valuable information.

ESET researchers Thomas Dupuy and Matthieu Faou noted, similarities observed between the trojanized versions of NoxPlayer and Gelsemium malware.

“Victims originally compromised by that supply chain attack were later being compromised by Gelsemine”, ESET Researchers.

Another backdoor called ‘Chrommme’, which was detected on an unnamed organization’s machine also compromised by the Gelsemium group, used the same C2 server as that of Gelsevirine, raising the possibility that the threat actor may be sharing the attack infrastructure across its malware toolset.

Finally, researchers concluded by saying that “The Gelsemium biome is very interesting: it shows few victims (according to our telemetry) with a vast number of adaptable components. The plug-in system shows that developers have deep C++ knowledge”.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.