Cybersecurity researchers disclosed a new supply chain attack dubbed as Operation NightScout targeting online gamers by understanding the update mechanism of NoxPlayer. The highly-targeted surveillance campaign involved distributing three different malware families via tailored malicious updates.

NoxPlayer, developed by Hong Kong-based BigNox, is a free Android emulator that allows users to play mobile games on PCs and Macs, with support for keyboard, gamepad, script recording, and multiple instances. Then it install’s the malware onto victims’ devices with surveillance-related capabilities.

Based on the understanding, the software and the delivered malware exhibiting surveillance capabilities, researchers believe that this may indicate the intent of collecting intelligence on the targets has somehow involved in the gaming community, said ESET researcher Ignacio Sanmillan.

According to researchers, out of more than the 100,000 users in their telemetry that have Noxplayer installed on their machines, only five users received a malicious update, showing the attack is a “highly targeted operation.” These victims are based in Taiwan, Hong Kong and Sri Lanka.

When researchers contacted, BigNox denied being affected by the attack. Researchers claim that they have “sufficient evidence” to show that the BigNox infrastructure (res06.bignox.com) was compromised to host malware. They also assert that BigNox’s HTTP API infrastructure (api.bignox.com), used for requests and responses between the clients and BigNox servers, and may have been compromised as well.

NoxPlayer update process works as follows:

• On the launch of NoxPlayer queries the update server via the BigNox HTTP API (api.bignox.com) in order to retrieve specific update information.
• If NoxPlayer detects a newer version of the software, it prompts the user with an option to install it.
• If the user chooses to update, the main NoxPlayer binary application (Nox.exe) supplies update parameters received to another binary in its toolbox (NoxPack.exe), which is in charge of downloading the update.

For victims, the attack occurs when the BigNox API server responds to the client request with specific update information, including the URL to download the update from BigNox legitimate infrastructure. Here, researchers believe that either the legitimate update stored in BigNox infrastructure may have been replaced with malware, or that the URL given by the BigNox API server is not used for legitimate updates. Either way, malicious files are then deployed via the update mechanism, and malware is then installed on the victim’s machine.

Unlike legitimate BigNox updates, these malicious files are not digitally signed, strongly suggesting that the BigNox build system was not compromised, but its the systems that distribute updates, said researchers.

To carry out the attack, the NoxPlayer updated mechanism was served as the vector to deliver trojanized versions of the software to users that, on installation, delivered three different malicious payloads.

The first malware variant had not been previously detected, second Gh0st Malware, a remote access trojan (RAT) that has keylogger capabilities, capture keystrokes, and gather sensitive information. The third variant meanwhile deployed the known PoisonIvy RAT, which has spying capabilities, as its final payload.

PoisonIvy RAT was downloaded by the BigNox updater from remote servers controlled by the threat actor and used in several high-profile malware campaigns.

While all three malware samples had slight variations in how they were deployed and their bundled components, all had basic monitoring capabilities. For instance, all malware variants were able to download specific files and directories from the victims, delete specified files from the disk, and upload files.

Recommendations:

• Uninfected NoxPlayer users are highly recommended to not download any updates until BigNox sends notification that they have mitigated the threat.
• Best practice would be to uninstall the software to be safe from malwares.
• Do not download games from unauthorised sources.
• Try not to download the beta version of the game.
• Make sure you have given only limited access to the application.
• It is advised to ensure your system is updated.