Researchers have revealed that software used for downloading Android apps onto PCs & Macs has been compromised to install malware onto victim devices.
Researchers allege that attackers compromised the update mechanism of NoxPlayer, software that allows gamers to run Android apps on their PCs or Macs, and used it to install malware with surveillance-related capabilities onto victims’ devices.
NoxPlayer is developed by BigNox, which is a China-based company that claims that it has over 150m users worldwide (notably, however, BigNox users are predominantly in Asian countries). When contacted by researchers, BigNox denied being affected by the attack.
Internal Investigation
“We have contacted BigNox about the intrusion, & they denied being affected,” observed Ignacio Sanmillan, malware researcher with ESET, on Mon. “We have also offered our support to help them past the disclosure in case they decide to conduct an internal investigation.”
After the alleged attack, which occurred in Jan. 2021, 3 different malware families were delivered – reportedly via tailored, malicious updates – to a very select set of victims.
Researchers noted that, of the more than 100,000 users in their telemetry with NoxPlayer installed on their machines, only 5 received a malicious update, showing the attack is a “highly targeted operation.” These victims are based in Taiwan, Hong Kong & Sri Lanka.
Targeted
Sanmillan said researchers have not been able to determine why these individuals were targeted.
“We were unsuccessful in finding correlations that would suggest any relationships among victims,” stated Sanmillan.
“However, based on the compromised software in question & the delivered malware exhibiting surveillance capabilities, we believe this may indicate the intent of collecting intelligence on targets somehow involved in the gaming community.”
Update Mechanism
Researchers claim that the attack vector stems from NoxPlayer’s update mechanism. They said they have “sufficient evidence” to show that the BigNox infrastructure (res06.bignox.com) was compromised to host malware.
They also assert that BigNox’s HTTP API infrastructure (api.bignox.com), used for requests and responses between the clients & BigNox servers, may have been compromised as well.
Newer Version
A normal NoxPlayer update process works as follows: on launch, NoxPlayer queries the update server via the BigNox HTTP API (api.bignox.com) to retrieve specific update information. If NoxPlayer detects a newer version of the software, it prompts the user with an option to install it.
If the user chooses to update, the main NoxPlayer binary (Nox.exe) passes the update parameters it received to another binary in its toolbox (NoxPack.exe), which is responsible for downloading the update.
BigNox API Server
For victims, the attack occurs when the BigNox API server responds to the client request with specific update information, including the URL from which to download the update from BigNox’s legitimate infrastructure.
Here, researchers believe that either the legitimate update stored on BigNox infrastructure was replaced with malware, or that the URL returned by the BigNox API server is one not used for legitimate updates. Either way, malicious files are deployed via the update mechanism, and malware is installed on the victim’s machine.
Malicious Files
Unlike legitimate BigNox updates, these malicious files are not digitally signed, strongly suggesting that the BigNox build system was not compromised, only the systems that distribute updates, said researchers.
Also, “we are highly confident that these additional updates were performed by Nox.exe supplying specific parameters to NoxPack.exe, suggesting that the BigNox API mechanism may have also been compromised to deliver tailored malicious updates,” explained Sanmillan.
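The two tampering hypotheses above (a replaced file on the download host, or a tailored manifest from a compromised API) and the unsigned-files observation can be modelled with an update client that refuses anything not signed by the publisher. The following is an added example, not BigNox code; the manifest format, the pinned key and the constructed payloads are assumptions, and HMAC stands in for the asymmetric signature (Authenticode on the binary, or a signature over the manifest) a real updater would verify with a pinned public key.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed for this example: the client's pinned verification key (in a real
# updater an asymmetric public key) and the only host it may download from
# (res06.bignox.com is the BigNox download host named in the research).
PINNED_KEY = b"example-pinned-key"
ALLOWED_HOSTS = {"res06.bignox.com"}

def sign_manifest(manifest: dict, key: bytes) -> str:
    # Publisher side. HMAC stands in for an asymmetric signature so the example
    # runs offline; only the holder of the signing key can produce it.
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_update(manifest: dict, signature: str, payload: bytes, key: bytes = PINNED_KEY) -> str:
    """Return 'ok' or the reason the update was rejected."""
    # 1. A manifest served by a compromised API host but not signed with the
    #    publisher's key is rejected before any URL in it is trusted.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return "manifest signature invalid"
    # 2. Downloads only over HTTPS from the pinned host.
    url = urlparse(manifest["url"])
    if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
        return "download url not on pinned host"
    # 3. A file swapped on the download host no longer matches the hash the
    #    signed manifest commits to.
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return "payload hash mismatch"
    return "ok"

# Constructed scenario: one genuine update and two tampering cases.
GOOD_PAYLOAD = b"nox-update-1.2.3"
GOOD_MANIFEST = {"version": "1.2.3", "url": "https://res06.bignox.com/update.exe",
                 "sha256": hashlib.sha256(GOOD_PAYLOAD).hexdigest()}
GOOD_SIG = sign_manifest(GOOD_MANIFEST, PINNED_KEY)

def demo() -> dict:
    replaced = b"attacker-replaced-file"  # file swapped on the download host
    tailored = dict(GOOD_MANIFEST, url="https://res06.bignox.com/other.exe",
                    sha256=hashlib.sha256(replaced).hexdigest())
    return {
        "legit": verify_update(GOOD_MANIFEST, GOOD_SIG, GOOD_PAYLOAD),
        "replaced_file": verify_update(GOOD_MANIFEST, GOOD_SIG, replaced),
        # attacker controls the API response but not the publisher's signing key
        "tailored_manifest": verify_update(tailored, sign_manifest(tailored, b"attacker-key"), replaced),
    }

if __name__ == "__main__":
    print(demo())
```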
Although it could be argued that the attack is a man-in-the-middle (MiTM) attack rather than a full-on compromise, researchers commented that they believe this is “unlikely.” A MiTM attack occurs when an attacker intercepts communications between 2 parties in order to modify the traffic travelling between them.
HTTPS Protocol
Rather, researchers said, the attacker already had a foothold on the BigNox infrastructure. They also noted that they were unable to reproduce the download of the malware samples from a test machine while using the HTTPS protocol (hosted on res06.bignox.com).
Researchers observed 3 different malware variants utilised in the attacks. While the 1st malware variant had not been previously detected, the 2nd variant deployed a final payload consisting of a variant of the known Gh0st malware, a remote access trojan (RAT) with keylogger capabilities. The 3rd variant, meanwhile, deployed the known PoisonIvy RAT, which has spying capabilities, as its final payload.
Slight Variations
While all 3 malware samples had slight variations in how they were deployed & their bundled components, all had basic monitoring capabilities. For instance, all malware variants were able to download specific files & directories from the victims, delete specified files from the disk, & upload files.
“The malware we analysed contains data exfiltration, keylogging & arbitrary command execution,” Sanmillan explained. “It’s important to keep in mind that the last capability opens a very wide range of opportunity for the attackers.”
Gaming Victimology
The targeted gaming victimology makes this campaign stand out, observed researchers, as cyberespionage attacks are typically targeted at govts. or human-rights activists instead.
“We have detected various supply-chain attacks in the last year, such as Operation SignSight or the compromise of Able Desktop among others,” concluded Sanmillan. “However, the supply-chain compromise involved in Operation NightScout is particularly interesting due to the targeted vertical, as we rarely encounter many cyber-espionage operations targeting online gamers.”