Hacker group inserted malware in NoxPlayer Android emulator


tysroby

A mysterious hacking group has compromised the server infrastructure of a popular Android emulator and has delivered malware to a handful of victims across Asia in a highly-targeted supply chain attack.

 

The attack was discovered by Slovak security firm ESET on January 25, last week, and targeted BigNox, a company that makes NoxPlayer, a software client for emulating Android apps on Windows or macOS desktops. ESET says that based on evidence its researchers gathered, a threat actor compromised one of the company's official API (api.bignox.com) and file-hosting servers (res06.bignox.com). Using this access, hackers tampered with the download URL of NoxPlayer updates in the API server in order to deliver malware to NoxPlayer users.

 

"Three different malware families were spotted being distributed from tailored malicious updates to selected victims, with no sign of leveraging any financial gain, but rather surveillance-related capabilities," ESET said in a report shared today with ZDNet. Despite evidence implying that attackers had access to BigNox servers since at least September 2020, ESET said the threat actor didn't target all of the company's users but instead focused on specific machines, suggesting this was a highly-targeted attack looking to infect only a certain class of users. Until today, and based on its own telemetry, ESET said it spotted malware-laced NoxPlayer updates being delivered to only five victims, located in Taiwan, Hong Kong, and Sri Lanka.

 

ESET has released today a report with technical details for NoxPlayer users to determine if they received a malware-laced update and how to remove the malware.

 

A BigNox spokesperson did not return a request for comment.

 

Full article: https://www.zdnet.com/article/hacker-group-inserted-malware-in-noxplayer-android-emulator/

 


Android emulator supply-chain attack targets gamers with malware

 


 

ESET researchers have discovered that the updating mechanism of NoxPlayer, an Android emulator for Windows and macOS, made by Hong Kong-based company BigNox, was compromised by an unknown threat actor and used to infect gamers with malware.

 

NoxPlayer is used by gamers from over 150 countries around the globe according to BigNox but, as ESET found in January 2021, the supply-chain attack was focused on infecting only Asian gamers with at least three different malware strains.

 

To deliver the malicious payload on their targets' systems, the hacker group behind the operation dubbed NightScout compromised BigNox's res06.bignox.com storage infrastructure to store the malware and the api.bignox.com API infrastructure to deploy the payloads.

"We have sufficient evidence to state that BigNox’s infrastructure was compromised to host malware and also to suggest that their API infrastructure could have been compromised. In some cases, additional payloads were downloaded by the BigNox updater from attacker-controlled servers," ESET researcher Ignacio Sanmillan said.

 

The malicious updates delivered through NoxPlayer's compromised update mechanism included an unknown malware with monitoring capabilities and the extensively used Gh0st remote access trojan (RAT).

 

Figure: Operation NightScout victims (ESET)

 

A third malware, the PoisonIvy RAT, was also discovered by ESET while investigating the supply-chain attack but this was delivered as a second-stage payload, from the attackers' own infrastructure not by deploying malicious NoxPlayer updates.

 

Despite the vast amount of victims that could've been infected between September 2020 when the supply-chain attack started and January 2021 when it was discovered, the NightScout threat actor instead chose to infect five targets from Taiwan, Hong Kong, and Sri Lanka, revealing this operation's highly-targeted nature.

 

While ESET uncovered other supply-chain attacks last year, such as Operation StealthyTrident targeting Able Desktop users, WIZVERA VeraPort banking and government targets, and Operation SignSight which led to the compromise of Vietnamese government signing software, NightScout is somewhat of a different beast.

 

This is because Operation NightScout instead focused on gaming community targets, a somewhat peculiar and rarely seen way of collecting info in a highly targeted cyberespionage operation.

"To be on the safe side, in case of intrusion, perform a standard reinstall from clean media," Sanmillan added.

"For uninfected NoxPlayer users, do not download any updates until BigNox sends notification that they have mitigated the threat, furthermore, best practice would be to uninstall the software."

 

 

Source: Android emulator supply-chain attack targets gamers with malware




 

Cybersecurity researchers today disclosed a new supply chain attack compromising the update mechanism of NoxPlayer, a free Android emulator for PCs and Macs.

 

Dubbed "Operation NightScout" by Slovak cybersecurity firm ESET, the highly-targeted surveillance campaign involved distributing three different malware families via tailored malicious updates to selected victims based in Taiwan, Hong Kong, and Sri Lanka.

 

NoxPlayer, developed by Hong Kong-based BigNox, is an Android emulator that allows users to play mobile games on PC, with support for keyboard, gamepad, script recording, and multiple instances. It is estimated to have over 150 million users in more than 150 countries.

 

First signs of the ongoing attack are said to have originated around September 2020, from when the compromise continued until "explicitly malicious activity" was uncovered this week, prompting ESET to report the incident to BigNox.

 

"Based on the compromised software in question and the delivered malware exhibiting surveillance capabilities, we believe this may indicate the intent of intelligence collection on targets involved in the gaming community," said ESET researcher Ignacio Sanmillan.

 

To carry out the attack, the NoxPlayer update mechanism served as the vector to deliver trojanized versions of the software to users that, upon installation, delivered three different malicious payloads such as Gh0st RAT to spy on its victims, capture keystrokes, and gather sensitive information.

 

Separately, researchers found cases where additional malware like PoisonIvy RAT was downloaded by the BigNox updater from remote servers controlled by the threat actor.

 

"PoisonIvy RAT was only spotted in activity subsequent to the initial malicious updates and downloaded from attacker-controlled infrastructure," Sanmillan said.

 

First released in 2005, PoisonIvy RAT has been used in several high-profile malware campaigns, most notably in the 2011 compromise of RSA SecurID data.

 

Noting that the malware loaders used in the attack shared similarities with that of a compromise of Myanmar presidential office website in 2018 and a breach of a Hong Kong university last year, ESET said the operators behind the attack breached BigNox's infrastructure to host the malware, with evidence alluding to the fact that its API infrastructure could have been compromised.

 

"To be on the safe side, in case of intrusion, perform a standard reinstall from clean media," Sanmillan said. "For uninfected NoxPlayer users, do not download any updates until BigNox sends notification that they have mitigated the threat. Furthermore, [the] best practice would be to uninstall the software."

 

Source

 



On 2/1/2021 at 2:14 PM, mood said:

Android emulator supply-chain attack targets gamers with malware

 

Source: Android emulator supply-chain attack targets gamers with malware

The company has improved users' security. Updated article:


Update February 02, 07:30 EST: Added a statement from BigNox.

Update February 04, 08:51 EST: BigNox told both BleepingComputer and ESET that the initial denial of NoxPlayer's infrastructure compromise was a misunderstanding.

The company has implemented the following measures to improve the users' security:

  • use only HTTPS to deliver software updates in order to minimize the risks of domain hijacking and Man-in-the-Middle (MitM) attacks
  • implement file integrity verification using MD5 hashing and file signature checks
  • adopt additional measures, notably encryption of sensitive data, to avoid exposing users’ personal information
  • NoxPlayer will automatically check the app's files before installation.

 

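The mitigation list quoted above (HTTPS-only updates, hash checks, signature checks) is the part of this thread a defender can act on, so here is an added example, not BigNox's code and not taken from any of the quoted articles, of what "file integrity verification" has to look like to stop the attack the thread describes. The attacker controlled both the API server that hands out download URLs and the file host, so a hash the updater fetches from that same API server protects nothing; MD5 is in any case not collision resistant. The Go below (standard library only) has the publisher sign a release manifest (file name to SHA-256 digest) with an Ed25519 key; the updater pins the public key and accepts a downloaded file only if the manifest signature verifies and the file's digest matches. The key pair, the file name updater.bin, the version string and the payload bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one release: each update file and the hex SHA-256 digest
// the publisher computed for it. The publisher signs the serialized manifest
// with a key that never lives on the update servers.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"`
}

// SignedManifest is what the updater fetches from the (untrusted) API server.
type SignedManifest struct {
	Payload   []byte // JSON-encoded Manifest
	Signature []byte // Ed25519 signature over Payload
}

var (
	ErrBadSignature   = errors.New("manifest signature invalid")
	ErrUnknownFile    = errors.New("file not listed in manifest")
	ErrDigestMismatch = errors.New("update digest does not match manifest")
)

// Digest returns the hex SHA-256 of data; the publisher uses it to build the manifest.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SignManifest serializes and signs the manifest with the publisher's private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyUpdate accepts a downloaded file only if (1) the manifest carries a valid
// signature from the pinned publisher key, (2) the file is listed in it, and
// (3) the file's SHA-256 equals the listed digest. Neither the API server nor
// the file host is trusted; only the pinned public key is.
func VerifyUpdate(pub ed25519.PublicKey, sm SignedManifest, name string, data []byte) error {
	if !ed25519.Verify(pub, sm.Payload, sm.Signature) {
		return ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return err
	}
	wantHex, ok := m.Files[name]
	if !ok {
		return ErrUnknownFile
	}
	want, err := hex.DecodeString(wantHex)
	if err != nil {
		return err
	}
	got := sha256.Sum256(data)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Constructed key pair and payloads; a real updater ships the public key with the client.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed sample: genuine updater bytes")
	sm, _ := SignManifest(priv, Manifest{Version: "example-1.0", Files: map[string]string{"updater.bin": Digest(genuine)}})
	fmt.Println("genuine file:   ", VerifyUpdate(pub, sm, "updater.bin", genuine))
	fmt.Println("swapped file:   ", VerifyUpdate(pub, sm, "updater.bin", []byte("swapped")))

	// An attacker who controls the API server can rewrite the manifest, but cannot sign it
	// with the publisher's key, so a manifest pointing at their file is rejected too.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := SignManifest(rogue, Manifest{Version: "example-1.0", Files: map[string]string{"updater.bin": Digest([]byte("swapped"))}})
	fmt.Println("forged manifest:", VerifyUpdate(pub, forged, "updater.bin", []byte("swapped")))
}
```

The check is deliberately ordered signature first: the digest table is only meaningful once it is known to come from the publisher, and comparing digests with a constant-time compare avoids leaking how many leading bytes matched. HTTPS still matters for the download, but it only authenticates the server you reached, which here was the compromised one.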

