Researchers allege that attackers compromised the update mechanism of NoxPlayer, software that lets gamers run Android apps on their PCs or Macs, and used it to install malware with surveillance-related capabilities on victims’ devices.
NoxPlayer is developed by BigNox, a China-based company that claims more than 150 million users worldwide (notably, however, BigNox users are predominantly in Asian countries). When contacted by researchers, BigNox denied being affected by the attack. Threatpost has reached out to BigNox for further comment.
“We have contacted BigNox about the intrusion, and they denied being affected,” said Ignacio Sanmillan, malware researcher with ESET, on Monday. “We have also offered our support to help them past the disclosure in case they decide to conduct an internal investigation.”
On the heels of the alleged attack, which occurred in January 2021, three different malware families were deployed, reportedly via tailored malicious updates, to a very select set of victims. Researchers said that of more than 100,000 users in their telemetry with NoxPlayer installed on their machines, only five received a malicious update, showing that the attack is a “highly targeted operation.” These victims are based in Taiwan, Hong Kong and Sri Lanka.
Sanmillan told Threatpost that researchers have not been able to determine why these individuals were targeted.
“We were unsuccessful finding correlations that would suggest any relationships among victims,” said Sanmillan. “However, based on the compromised software in question and the delivered malware exhibiting surveillance capabilities, we believe this may indicate the intent of collecting intelligence on targets somehow involved in the gaming community.”
Researchers claim that the attack vector stems from NoxPlayer’s update mechanism. They said they have “sufficient evidence” to show that the BigNox infrastructure (res06.bignox.com) was compromised to host malware. They also assert that BigNox’s HTTP API infrastructure (api.bignox.com), used for requests and responses between the clients and BigNox servers, may have been compromised as well.
A normal NoxPlayer update process works as follows: on launch, NoxPlayer queries the update server via the BigNox HTTP API (api.bignox.com) to retrieve update information. If NoxPlayer detects a newer version of the software, it prompts the user with an option to install it. If the user chooses to update, the main NoxPlayer binary (Nox.exe) passes the update parameters it received to another binary in its toolbox (NoxPack.exe), which is in charge of downloading the update.
For victims, the attack occurs when the BigNox API server responds to the client request with specific update information, including the URL from which to download the update from BigNox’s legitimate infrastructure. Researchers believe that either the legitimate update stored on BigNox infrastructure was replaced with malware, or that the URL returned by the BigNox API server is one not used for legitimate updates. Either way, malicious files are delivered through the update mechanism and malware is installed on the victim’s machine.
Unlike legitimate BigNox updates, these malicious files are not digitally signed, which strongly suggests that the BigNox build system was not compromised, only the systems that distribute updates, researchers said.
Also, “we are highly confident that these additional updates were performed by Nox.exe supplying specific parameters to NoxPack.exe, suggesting that the BigNox API mechanism may have also been compromised to deliver tailored malicious updates,” said Sanmillan.
While it could be argued that the attack is a man-in-the-middle (MiTM) attack rather than a full compromise of BigNox infrastructure, researchers said they believe this is “unlikely.” In a MiTM attack, an attacker intercepts communications between two parties in order to modify the traffic traveling between them. However, researchers said the attacker already had a foothold on the BigNox infrastructure. Also, they were unable to reproduce the download of the malware samples over HTTPS (from res06.bignox.com) from a test machine.
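A defender-side triage check for the two signals the researchers describe above (an update binary that is not digitally signed, and a payload that reaches only a handful of endpoints while the genuine release is seen fleet-wide), written as an added example rather than code from ESET, BigNox or Threatpost. The telemetry format, endpoint ids, hashes and the host update.invalid-example are constructed; res06.bignox.com is taken from the article as the expected download host.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry (not real BigNox or ESET data), one update
# download per line: endpoint scheme server file signature sha256 (placeholder).
TELEMETRY = """\
ep-0001 https res06.bignox.com NoxPlayer.exe signed aaaa0001
ep-0002 https res06.bignox.com NoxPlayer.exe signed aaaa0001
ep-0003 https res06.bignox.com NoxPlayer.exe signed aaaa0001
ep-0004 https res06.bignox.com NoxPlayer.exe signed aaaa0001
ep-0005 https res06.bignox.com NoxPlayer.exe unsigned bbbb0002
ep-0006 http update.invalid-example NoxPlayer.exe unsigned cccc0003
"""

LINE_RE = re.compile(
    r"^(?P<endpoint>\S+) (?P<scheme>https?) (?P<server>\S+) "
    r"(?P<file>\S+) (?P<sig>signed|unsigned) (?P<sha256>[0-9a-f]+)$"
)
# Assumption: the article names res06.bignox.com as the legitimate download host.
EXPECTED_SERVERS = {"res06.bignox.com"}

def parse_telemetry(text):
    """Parse telemetry lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def flag_updates(events, rarity_threshold=3):
    """Return {endpoint: [reasons]} for update downloads worth triaging: unsigned or
    off-host downloads are strong signals; a hash seen on few endpoints is a lead."""
    endpoints_per_hash = defaultdict(set)
    for e in events:
        endpoints_per_hash[e["sha256"]].add(e["endpoint"])
    findings = {}
    for e in events:
        reasons = []
        if e["sig"] == "unsigned":
            reasons.append("update binary is not digitally signed")
        if e["server"] not in EXPECTED_SERVERS:
            reasons.append(f"unexpected download host {e['server']}")
        if e["scheme"] != "https":
            reasons.append("update fetched over plaintext HTTP")
        seen = len(endpoints_per_hash[e["sha256"]])
        if seen <= rarity_threshold:
            reasons.append(f"payload {e['sha256']} seen on only {seen} endpoint(s)")
        if reasons:
            findings[e["endpoint"]] = reasons
    return findings

if __name__ == "__main__":
    for endpoint, reasons in flag_updates(parse_telemetry(TELEMETRY)).items():
        print(endpoint, "->", "; ".join(reasons))
```

The rarity rule only makes sense over fleet-wide telemetry, since a staged rollout of a genuine release will also look rare for a short while; treat it as a lead to combine with the signature check, not as a verdict on its own.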
Researchers observed three different malware variants used in the attacks. While the first malware variant had not been previously detected, the second variant deployed a final payload consisting of a variant of the known Gh0st malware, a remote access trojan (RAT) with keylogger capabilities. The third variant deployed the known PoisonIvy RAT, which has spying capabilities, as its final payload.
While all three malware samples had slight variations in how they were deployed and their bundled components, all had basic monitoring capabilities. For instance, all malware variants were able to download specific files and directories from the victims, delete specified files from the disk, and upload files.
“The malware we analyzed contains data exfiltration, keylogging and arbitrary command execution,” Sanmillan told Threatpost. “It’s important to keep in mind that the last capability opens a very wide range of opportunity for the attackers.”
“We have detected various supply-chain attacks in the last year, such as Operation SignSight or the compromise of Able Desktop among others,” said Sanmillan. “However, the supply-chain compromise involved in Operation NightScout is particularly interesting due to the targeted vertical, as we rarely encounter many cyberespionage operations targeting online gamers.”