ESET researchers uncover a new supply-chain attack used in a cyberespionage operation targeting online‑gaming communities in Asia.
The attack compromises the update mechanism of NoxPlayer, an Android emulator for PCs and Macs that is part of BigNox’s product range and has over 150 million users worldwide.
Three different malware families were distributed through tailored malicious updates to selected victims. There was no sign of financial motivation; only cyber-espionage capabilities were observed.
ESET named the malicious operation NightScout.
Am I compromised?
Who is affected: NoxPlayer users.
How to determine whether you received a malicious update:
Check whether any running process has an active network connection to the C&C servers listed in the report, or whether any of the malware is present under the file names given in the report:
C:\Program Files\Internet Explorer\ieproxysocket64.dll
C:\Program Files\Internet Explorer\ieproxysocket.dll
a file named %LOCALAPPDATA%\Nox\update\UpdatePackageSilence.exe not digitally signed by BigNox.
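The checks above as an added PowerShell triage script (example code written for this page, not ESET’s or BigNox’s tooling). It assumes the two DLL paths and the updater path listed above, a C&C address list that you must fill in from the ESET report because this article does not reproduce it, and a signer-name pattern for BigNox’s code-signing certificate that you should confirm against a known-good BigNox binary before relying on it:

```powershell
# Added example: host triage for the NightScout indicators listed above.
# Not ESET's or BigNox's code. Run in an elevated PowerShell session on the
# NoxPlayer host.

$KnownC2       = @()        # ASSUMPTION: fill with C&C IP addresses from the ESET report
$SignerPattern = 'BigNox'   # ASSUMPTION: substring expected in BigNox's signing cert Subject

$DllPaths = @(
    "$env:ProgramFiles\Internet Explorer\ieproxysocket64.dll",
    "$env:ProgramFiles\Internet Explorer\ieproxysocket.dll"
)
$Updater = "$env:LOCALAPPDATA\Nox\update\UpdatePackageSilence.exe"

$Findings = @()

# 1. DLLs dropped next to Internet Explorer (Windows does not ship these files)
foreach ($p in $DllPaths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $Findings += "Suspicious DLL present: $p (SHA256 $h)"
    }
}

# 2. Updater binary that exists but does not carry a valid BigNox signature
if (Test-Path -LiteralPath $Updater) {
    $sig     = Get-AuthenticodeSignature -FilePath $Updater
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    if ($sig.Status -ne 'Valid' -or $subject -notmatch $SignerPattern) {
        $Findings += "Updater not validly signed by BigNox: $Updater (status=$($sig.Status), signer=$subject)"
    }
}

# 3. Established TCP connections from any process to a known C&C address
if ($KnownC2.Count -gt 0) {
    Get-NetTCPConnection -State Established |
        Where-Object { $KnownC2 -contains $_.RemoteAddress } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $Findings += "Process $($proc.ProcessName) (PID $($_.OwningProcess)) connected to C&C $($_.RemoteAddress):$($_.RemotePort)"
        }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No NightScout indicators found on this host.'
} else {
    $Findings | ForEach-Object { Write-Warning $_ }
}
```

A hit on check 2 alone means the updater that ran was not the vendor’s, which is exactly what the report describes; a hit on check 1 or 3 means the implant is installed or active, and the host should be treated as compromised and rebuilt from clean media rather than cleaned in place.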
How to stay safe:
In the case of intrusion: perform a standard reinstall from clean media.
For non-compromised users: do not download any updates until BigNox notifies that it has mitigated the threat.
The first indicators of compromise date from September 2020, and the activity continued until ESET researchers uncovered explicitly malicious activity on January 25th, 2021, at which point they reported the incident to BigNox.
According to ESET telemetry, more than 100,000 ESET users have NoxPlayer installed on their machines. Among them, only 5 users received a malicious update, showing that Operation NightScout is a highly targeted operation. The victims are based in Taiwan, Hong Kong and Sri Lanka.
To understand the dynamics of this supply-chain attack, it’s important to know what vector was used to deliver malware to NoxPlayer users. This vector was NoxPlayer’s update mechanism.
If NoxPlayer detects a newer version of the software, it will prompt the user with a message box to offer the option to install it. This is done by querying the update server via the BigNox HTTP API (api.bignox.com) to retrieve specific update information.
The response to this query contains update-specific information such as the update binary URL, its size, MD5 hash and other additional related information.
Upon pressing the “Update now” button, the main NoxPlayer binary, Nox.exe, passes the update parameters it received to another binary in its toolbox, NoxPack.exe, which is in charge of downloading the update itself.
The progress bar in the message box reflects the state of the download; once the download completes, the update has been applied.
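A hardened version of the client-side verification described above, as an added example that is not BigNox’s code. The point it makes is that the size and MD5 the API returns travel over the same channel as the download URL, so an attacker who controls the API or the host behind the URL can make them match any binary; only a trust anchor the server cannot supply, such as a pinned Authenticode publisher, catches a swapped update. The descriptor field names (url, size, md5), the https and host checks, and the signer pattern are assumptions; the real API schema is not on this page. The demonstration at the end writes a constructed, unsigned file to %TEMP% so the script runs offline:

```powershell
# Added example (not BigNox's code): what a hardened client-side check of an
# update descriptor would look like. Field names 'url', 'size', 'md5' and the
# signer pattern are ASSUMPTIONS; the real API response format is not in the article.

function Test-UpdateDescriptor {
    param(
        [Parameter(Mandatory)] [hashtable] $Descriptor,      # parsed API response
        [Parameter(Mandatory)] [string]    $DownloadedFile,  # the file the downloader fetched
        [string] $SignerPattern = 'BigNox'                   # ASSUMPTION: expected signer CN substring
    )
    $reasons = @()

    # 1. Only fetch over TLS from the vendor's own hosts. This is still server
    #    supplied data and res06.bignox.com itself was compromised, so it is a
    #    weak check on its own.
    $uri = [Uri] $Descriptor.url
    if ($uri.Scheme -ne 'https' -or $uri.Host -notlike '*.bignox.com') {
        $reasons += "untrusted download location $($Descriptor.url)"
    }

    # 2. Size and MD5 exactly as the API supplies them. They come from the same
    #    channel as the URL: whoever controls api.bignox.com can make them match
    #    any binary, so passing here proves nothing about who built the file.
    $item = Get-Item -LiteralPath $DownloadedFile
    if ($item.Length -ne [int64] $Descriptor.size) { $reasons += 'size mismatch' }
    $md5 = (Get-FileHash -LiteralPath $DownloadedFile -Algorithm MD5).Hash.ToLower()
    if ($md5 -ne ([string] $Descriptor.md5).ToLower()) { $reasons += 'md5 mismatch' }

    # 3. Independent trust anchor: a valid Authenticode signature from the
    #    vendor. This is the check that rejects an unsigned UpdatePackageSilence.exe.
    $sig = Get-AuthenticodeSignature -FilePath $DownloadedFile
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch $SignerPattern) {
        $reasons += "unexpected signer $($sig.SignerCertificate.Subject)"
    }

    [pscustomobject]@{ Accepted = ($reasons.Count -eq 0); Reasons = $reasons }
}

# Constructed demonstration: a fake "update" whose size and MD5 match the
# descriptor perfectly (as they would if the API served attacker data) but
# which carries no signature. Steps 1 and 2 pass; step 3 still rejects it.
$tmp   = Join-Path $env:TEMP 'UpdatePackageSilence.exe'
$bytes = [byte[]](@(0x4D, 0x5A) + (@(0) * 64))   # 'MZ' header followed by zero padding
[IO.File]::WriteAllBytes($tmp, $bytes)
$descriptor = @{
    url  = 'https://res06.bignox.com/update/UpdatePackageSilence.exe'   # host named in the article
    size = (Get-Item -LiteralPath $tmp).Length
    md5  = (Get-FileHash -LiteralPath $tmp -Algorithm MD5).Hash
}
Test-UpdateDescriptor -Descriptor $descriptor -DownloadedFile $tmp | Format-List
Remove-Item -LiteralPath $tmp
```

The design choice worth noting is the ordering: the cheap server-supplied checks run first so a corrupted download is rejected early, but the decision to install rests only on step 3, whose trust root (the pinned publisher) lives in the client and cannot be rewritten by compromising the update servers.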
Supply-chain Compromise Indicators
The evidence shows that BigNox infrastructure (res06.bignox.com) was compromised to host malware, and also suggests that the BigNox HTTP API infrastructure (api.bignox.com) could have been compromised.
Three different malicious update variants
Malicious Update variant 1
This variant is one of the preliminary updates pointing to compromised BigNox infrastructure. It is not extremely complex, but it has enough capabilities to monitor its victims.
Malicious Update variant 2
This malware variant was also spotted being downloaded from legitimate BigNox infrastructure. It contains several files comprising what is known as a trident bundle, in which a signed executable is used to load a malicious DLL, which decrypts and loads shellcode that implements a reflective loader for the final payload.
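One way to hunt for the trident-bundle pattern just described on a running Windows host, as an added example that is not part of the ESET report: enumerate processes whose main executable carries a valid Authenticode signature and flag any DLL they loaded from the executable’s own directory that is unsigned or signed by a different certificate. The “same directory” heuristic and the exclusion of the Windows directory are assumptions; legitimate software ships unsigned helper DLLs too, so every hit needs manual triage:

```powershell
# Added example, not from the ESET report: hunt for a signed host executable
# that has loaded a DLL from its own directory which is unsigned or signed by
# a different publisher (the side-loading step of a trident bundle).
# Run elevated so module lists of other users' processes are readable.

function Find-SideloadedDll {
    param(
        [string[]] $ExcludeRoots = @($env:SystemRoot)   # ASSUMPTION: skip OS binaries
    )

    foreach ($proc in (Get-Process | Where-Object { $_.Path })) {
        $exeSig = Get-AuthenticodeSignature -FilePath $proc.Path -ErrorAction SilentlyContinue
        if (-not $exeSig -or $exeSig.Status -ne 'Valid') { continue }   # signed hosts only
        $exeDir = Split-Path -Parent $proc.Path

        # Reading Modules throws for protected or mismatched-bitness processes
        try { $modules = $proc.Modules } catch { continue }

        foreach ($m in $modules) {
            $dll = $m.FileName
            if (-not $dll -or $dll -notlike '*.dll') { continue }
            # Classic side-load position: the DLL sits beside the executable
            if ((Split-Path -Parent $dll) -ne $exeDir) { continue }
            $skip = $false
            foreach ($root in $ExcludeRoots) {
                if ($root -and $dll.StartsWith($root, 'OrdinalIgnoreCase')) { $skip = $true }
            }
            if ($skip) { continue }

            $dllSig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
            if ($dllSig -and $dllSig.Status -eq 'Valid' -and
                $dllSig.SignerCertificate.Thumbprint -eq $exeSig.SignerCertificate.Thumbprint) {
                continue   # same publisher signed both: not the pattern we want
            }

            [pscustomobject]@{
                Process    = $proc.ProcessName
                PID        = $proc.Id
                HostSigner = $exeSig.SignerCertificate.Subject
                Dll        = $dll
                DllStatus  = if ($dllSig) { $dllSig.Status } else { 'Unreadable' }
                DllSHA256  = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
            }
        }
    }
}

Find-SideloadedDll | Format-Table -AutoSize
```

Each row is a candidate, not a verdict: compare the DLL hash against vendor releases and the indicators in the report, and look at who wrote the file and when, before treating a hit as the loader stage of this variant.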
Malicious Update variant 3
This variant was only observed after the initial malicious updates, and it was downloaded from attacker-controlled infrastructure.
The supply-chain compromise involved in Operation NightScout is particularly interesting because of the targeted vertical: online gamers.
Supply-chain attacks will continue to be a common compromise vector leveraged by cyber-espionage groups, and their complexity may hamper the discovery and mitigation of this type of incident, the ESET researchers conclude.