The deployed final payload was an instance of Gh0st RAT (with keylogger capabilities) also widely used among threat actors. The second update variant, in line with the first, was spotted being downloaded from legitimate BigNox infrastructure.The first malicious update variant does not seem to have been documented before and has enough capabilities to monitor its victims.
Three variantsĪ total of three different malicious update variants have been observed. In some cases, additional payloads were downloaded by the BigNox updater from attacker-controlled servers. On launch, if Nox Player detects a newer version of the software, it will prompt the user with a message offering the user the option to install it, thus delivering the malware.Īccording to Sanmillan, they have sufficient evidence to state that BigNox’ infrastructure had been compromised to host malware and also to suggest that their API infrastructure could have been compromised. In this supply-chain attack, the Nox Player update mechanism serves as the vector of compromise. Based on the compromised software in question and the delivered malware exhibiting surveillance capabilities, researchers believe this may indicate the intent of intelligence collection on targets involved in the gaming community, Sanmillan said. A compromised developerĮSET researchers have identify only several victims to date, all based in Taiwan, Hong Kong and Sri Lanka. The incident was then reported to BigNox, the Hong Kong-based company that developed Nox Player-according to ESET researcher Ignacio Sanmillan. Activity then continued until researchers uncovered explicitly malicious activity this week in 2021.
The firm’s telemetry data indicated the first indicators of compromise in September 2020. The app’s update mechanism has been hacked to distribute the malware to selected victims in Asia.Ĭybersecurity investigators from ESET, who announced this campaign, have not discovered any financial gain motive, but rather, have concluded that the malware was designed for cyber espionage. Nox Player-an Android emulator for PCs and Macs-has been found to be the recent target of hackers behind three different malware families. An infected update mechanism has been found to install cyber espionage capabilities to track gamers in Asia.
0 kommentar(er)
