Cyberspies Delivered Malware to Gamers via Supply Chain Attack

Researchers at cybersecurity firm ESET say they have uncovered an espionage campaign that has targeted online gamers in Asia through a compromised software company.

Called Operation NightScout, the campaign apparently involved a breach at BigNox, the company behind NoxPlayer, an Android emulator that allows users to run mobile apps on PCs or Macs, and which claims to have more than 150 million users worldwide, most of them located in Asia.

After compromising the update mechanism for NoxPlayer, the threat actor behind the attack pushed a series of tailored malicious updates that resulted in three different malware families being installed on the devices of a handful of selected victims.

The highly targeted nature of the attack, ESET’s security researchers say, suggests that the purpose of this campaign is surveillance, and not financial gain: only five out of 100,000 ESET users running NoxPlayer on their machines received a malicious update.

The updates were delivered to victims in Hong Kong, Sri Lanka, and Taiwan, but ESET was unable to find connections between the victims, aside from the use of the same gaming emulator.

In addition to compromising the BigNox infrastructure to host malware, the threat actor might have compromised the company’s HTTP API infrastructure, ESET says, explaining that additional payloads were observed being downloaded by the BigNox updater from attacker’s servers.

“This suggests that the URL field, provided in the reply from the BigNox API, was tampered with by the attackers,” the researchers note.

ESET says it has notified BigNox about its findings, but the company has apparently denied being breached.

The malicious updates were sent to victims in September 2020, with additional payloads downloaded from attacker-controlled infrastructure at the end of 2020 and in early 2021, most likely through the BigNox API mechanism.

Undocumented before, the first malware variant delivered in the attack allows adversaries to monitor victims, but can also execute commands received from the command and control (C&C) server, to delete files, run commands, download or upload files, or download a directory.

The second malware, ESET says, was found to be a variant of the Gh0st RAT that includes keylogger capabilities.

Only delivered as part of activity subsequent to the initial malicious updates, the third malware was an instance of the PoisonIvy RAT.

“The supply-chain compromise involved in Operation NightScout is particularly interesting due to the targeted vertical, as we rarely encounter many cyberespionage operations targeting online gamers. Supply-chain attacks will continue to be a common compromise vector leveraged by cyber-espionage groups, and its complexity may impact the discovery and mitigation of these type of incidents,” ESET concludes.

Related: Russian Hack of US Agencies Exposed Supply Chain Weaknesses

Related: Over 250 Organizations Breached via SolarWinds Supply Chain Hack: Report

Related: Supply Chain Attack: CISA Warns of New Initial Attack Vectors Posing ‘Grave Risk