A New Software Supply‑Chain Attack Targeted Millions With Spyware

Cybersecurity researchers today disclosed a new supply chain attack compromising the update mechanism of NoxPlayer, a free Android emulator for PCs and Macs.

Dubbed “Operation NightScout” by Slovak cybersecurity firm ESET, the highly-targeted surveillance campaign involved distributing three different malware families via tailored malicious updates to selected victims based in Taiwan, Hong Kong, and Sri Lanka.

NoxPlayer, developed by Hong Kong-based BigNox, is an Android emulator that allows users to play mobile games on PC, with support for keyboard, gamepad, script recording, and multiple instances. It is estimated to have over 150 million users in more than 150 countries.

First signs of the ongoing attack are said to have originated around September 2020, from when the compromise continued until “explicitly malicious activity” was uncovered this week, prompting ESET to report the incident to BigNox.

“Based on the compromised software in question and the delivered malware exhibiting surveillance capabilities, we believe this may indicate the intent of intelligence collection on targets involved in the gaming community,” said ESET researcher Ignacio Sanmillan.

To carry out the attack, the NoxPlayer update mechanism served as the vector to deliver trojanized versions of the software to users that, upon installation, delivered three different malicious payloads such as Gh0st RAT to spy on its victims, capture keystrokes, and gather sensitive information.

Separately, researchers found cases where additional malware like PoisonIvy RAT was downloaded by the BigNox updater from remote servers controlled by the threat actor.

“PoisonIvy RAT was only spotted in activity subsequent to the initial malicious updates and downloaded from attacker-controlled infrastructure,” Sanmillan said.

First released in 2005, PoisonIvy RAT has been used in several high-profile malware campaigns, most notably in the 2011 compromise of RSA SecurID data.

Noting that the malware loaders used in the attack shared similarities with that of a compromise of Myanmar presidential office website in 2018 and a breach of a Hong Kong university last year, ESET said the operators behind the attack breached BigNox’s infrastructure to host the malware, with evidence alluding to the fact that its API infrastructure could have been compromised.

“To be on the safe side, in case of intrusion, perform a standard reinstall from clean media,” Sanmillan said. “For uninfected NoxPlayer users, do not download any updates until BigNox sends notification that they have mitigated the threat. Furthermore, [the] best practice would be to uninstall the software.”