It is not currently clear why NightScout conducted an espionage operation targeting the gaming community. Interestingly, it appears that NightScout infected only five NoxPlayer users, based in Taiwan, Hong Kong, and Sri Lanka, with a malicious update. Although targeted cyberattacks are not unusual, they are more commonly used to target government officials or high-profile businessmen. NightScout also delivered a second-stage payload, the PoisonIvy RAT, but from their own infrastructure rather than using compromised NoxPlayer updates. The group uses Dynamic DNS (DDNS) domain names for C2 servers to hinder infrastructure tracking since it does not use a list of newly created domains. The first has not been documented before, while the second was a variant of the Gh0st remote access trojan (RAT). This group has been active since 2014 and targets East Asia and the Middle East.

NoxPlayer supply-chain attack

The researchers believe that Gelsemium coordinated the supply-chain attack that compromised the NoxPlayer Android emulator for Windows and macOS between September. The attack was carried out last year and targeted gamers. When unsuspecting NoxPlayer users downloaded an update, they were unknowingly downloading multiple malware strains with surveillance-related capabilities. Gelsemium, a stealthy cyberespionage group, has been linked to the NoxPlayer Android emulator supply-chain attack.
However, ESET noted that the three strains of malware deployed through the malicious NoxPlayer updates had “similarities” with other varieties of malware used in a supply-chain compromise of the Myanmar presidential office website in 2018 and, in early 2020, in an intrusion at a Hong Kong university. It’s unclear whether the compromise of NoxPlayer is the work of a state-sponsored group or a financially motivated group that wants to engage game developers. The second is the case of VGCA, the official certification authority of the Vietnamese government. ESET investigators did not formally link this incident to a well-known hacking group. The first is the case of Able Desktop, software used by many Mongolian government agencies. This incident is also the third supply-chain attack discovered by ESET in the last two months. To date, and based on its own telemetry, ESET said it detected malicious NoxPlayer updates that were delivered to only five victims, located in Taiwan, Hong Kong and Sri Lanka. ESET today released a report with technical details for NoxPlayer users to determine if they received a malicious update and how to remove it. A BigNox spokesman did not return any requests for comment. “Three different malware families were detected distributed from malware updates tailored to select victims, with no sign of reaping any economic benefit, but rather surveillance-related capabilities,” ESET said in a report shared today with ZDNet. Despite evidence implying that attackers had access to BigNox servers since at least September 2020, ESET said the threat actor did not target all of the company’s users, but focused on specific machines, which suggested that it was a highly targeted attack that wanted to infect only a certain class of users.
Through this access, hackers modified the download URL of NoxPlayer updates in the API server in order to deliver malware to NoxPlayer users. ESET says that, based on evidence gathered by its researchers, a threat actor compromised one of the company’s official APIs ( ) and file-hosting servers ( ). The attack was discovered by Slovak security firm ESET on January 25 last week and targeted BigNox, a company that makes NoxPlayer, a software client for emulating Android applications on Windows or macOS desktop computers. A mysterious hacking group has compromised the server infrastructure of a popular Android emulator and sent malware to a handful of victims across Asia in a highly targeted supply-chain attack.