{"id":26014,"date":"2021-02-10T09:45:41","date_gmt":"2021-02-10T01:45:41","guid":{"rendered":"https:\/\/version-2.com\/?p=26014"},"modified":"2022-04-20T12:48:10","modified_gmt":"2022-04-20T04:48:10","slug":"eset-uncovers-operation-nightscout-cyberespionage-supply-chain-attack-on-gamers-in-asia","status":"publish","type":"post","link":"https:\/\/version-2.com\/zh\/2021\/02\/eset-uncovers-operation-nightscout-cyberespionage-supply-chain-attack-on-gamers-in-asia\/","title":{"rendered":"ESET uncovers Operation NightScout: Cyberespionage supply-chain attack on gamers in Asia"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n

BRATISLAVA, MONTREAL<\/strong>\u00a0\u2013 A few days ago, ESET researchers discovered a new supply-chain attack compromising the update mechanism of NoxPlayer, an Android emulator for PCs and Macs. Three different malware families were spotted being distributed from tailored malicious updates to selected victims with no sign of leveraging any financial gain, but rather, only cyberespionage capabilities were seen. ESET dubbed the malicious operation NightScout.<\/p>\n

\nBigNox is a company based in Hong Kong that provides various products, primarily an Android emulator for PCs and Macs called NoxPlayer. The company claims that it has more than 150 million users in over 150 countries who speak at least 20 different languages. That said, BigNox\u2019s follower base is predominantly in Asian countries.<\/p>\n

\n\u201cBased on ESET telemetry, we saw the first indicators of compromise in September 2020. Activity continued apace until we uncovered explicitly malicious activity this week, at which point we reported the incident to BigNox,\u201d says ESET researcher Ignacio Sanmillan, who revealed Operation NightScout.<\/p>\n

\nOperation NightScout is a highly targeted operation with ESET researchers able to identify only several victims. Those identified victims are based in Taiwan, Hong Kong and Sri Lanka. \u201cBased on the compromised software in question and the delivered malware exhibiting surveillance capabilities, we believe this may indicate the intent of intelligence collection on targets involved in the gaming community,\u201d elaborates Sanmillan.<\/p>\n

Map<\/strong> – Distribution of NightScout victims<\/i><\/p>\n\n

\"\"<\/p>\n

In this specific supply-chain attack, the NoxPlayer update mechanism served as the vector of compromise. On launch, if NoxPlayer detects a newer version of the software, it will prompt the user with a message box offering the user the option to install it, thus delivering the malware.\n<\/p>\n

\n\u201cWe have sufficient evidence to state that BigNox\u2019s infrastructure was compromised to host malware and also to suggest that their API infrastructure could have been compromised. In some cases, additional payloads were downloaded by the BigNox updater from attacker-controlled servers,\u201d adds Sanmillan.\n<\/p>\n

 <\/p>\n

\nA total of three different malicious update variants were observed by ESET researchers. The first malicious update variant does not seem to have been documented before and has enough capabilities to monitor its victims. The second update variant, in line with the first, was spotted being downloaded from legitimate BigNox infrastructure. The deployed final payload was an instance of Gh0st RAT (with keylogger capabilities) also widely used among threat actors\n<\/p>\n

\nThe third variant, PoisonIvy RAT \u2014 a remote access tool popular with cybercriminals was only spotted in activity subsequent to the initial malicious updates and downloaded from attacker-controlled infrastructure.\n<\/p>\n

\nESET has spotted similarities between loaders that our researchers have monitored in the past and some of those used in Operation NightScout. The similarities we see relate to instances discovered in a Myanmar presidential office website supply-chain compromise in 2018, and in early 2020 in an intrusion into a Hong Kong university.\n<\/p>\n

\n\u201cTo be on the safe side, in case of intrusion, perform a standard reinstall from clean media. For uninfected NoxPlayer users, do not download any updates until BigNox sends notification that they have mitigated the threat, furthermore, best practice would be to uninstall the software,\u201d, advises Sanmillan.\n<\/p>\n

\nFor more technical details about Operation NightScout,\u00a0read the blogpost \u201cOperation NightScout: Supply-chain attack targets online gaming in Asia\u201d<\/a>\u00a0on WeLiveSecurity. Make sure to follow\u00a0ESET Research on Twitter<\/a>\u00a0for the latest news from ESET Research.<\/p>\n

[Update \u2013 February 3, 2021]
\nFollowing the publication of our research, BigNox have contacted us to say that their initial denial of the compromise was a misunderstanding on their part and that they have since taken these steps to improve security for their users:<\/p>\n\n