Operation NightScout:
Supply-Chainattack targets online gaming in Asia
ESET
Researchers uncover a supply-chain attack used in cyberespionage
operation
targeting on-line gaming communities in Asia
· use only HTTPS to deliver software updates in order
to minimize the risks of domain hijacking and Man-in-the-Middle (MitM) attacks
· implement file integrity verification using MD5
hashing and file signature checks
· adopt additional measures, notably encryption of
sensitive data, to avoid exposing users’ personal information
BigNox have
also stated that they have pushed the latest files to the update server for
NoxPlayer and that, upon startup, NoxPlayer will now run a check of the
application files previously installed on the users’ machines.
ESET assumes
no responsibility for the accuracy of the information provided by BigNox.
During 2020, ESET research
reported various supply-chain attacks, such as the case of WIZVERA
VeraPort, used by government and
banking websites in South Korea, Operation
StealthyTrident compromising
the Able Desktop chat software used by several Mongolian government agencies,
and Operation
SignSight, compromising the
distribution of signing software distributed by the Vietnamese government.
In January 2021, we
discovered a new supply-chain attack compromising the update mechanism of
NoxPlayer, an Android emulator for PCs and Macs, and part of BigNox’s product range with over 150 million users
worldwide.
This software is generally
used by gamers in order to play mobile games from their PCs, making this
incident somewhat unusual.
Three different malware
families were spotted being distributed from tailored malicious updates to
selected victims, with no sign of leveraging any financial gain, but rather
surveillance-related capabilities.
We spotted similarities in
loaders we have been monitoring in the past with some of the ones used in this
operation, such as instances we discovered in a Myanmar presidential office
website supply-chain compromise on 2018, and in early 2020 in an intrusion into
a Hong Kong university.
About BigNox
BigNox is a company based
in Hong Kong, which provides various products, primarily an Android emulator
for PCs and Macs called NoxPlayer. The company’s official website claims that it has over 150 million users in
more than 150 countries speaking 20 different languages. However, it’s
important to note that the BigNox follower base is predominantly in Asian
countries.
BigNox also wrote an
extensive blogpost in 2019 on the use of VPNs in conjunction
with NoxPlayer, showing the company’s concern for their users’ privacy.
We have contacted BigNox
about the intrusion, and they denied being affected. We have also offered our
support to help them past the disclosure in case they decide to conduct an
internal investigation.
Am I compromised?
· Who is affected: NoxPlayer users.
Complete article on