Attackers targeted only a handful of victims. Only five detected until now, in countries such as Taiwan, Hong Kong, and Sri Lanka.

By Catalin Cimpanu for Zero Day | February | 10:30 GMT | Topic: Security

A mysterious hacking group has compromised the server infrastructure of a popular Android emulator and has delivered malware to a handful of victims across Asia in a highly targeted supply chain attack.

The attack was discovered by Slovak security firm ESET on January 25, last week, and targeted BigNox, a company that makes NoxPlayer, a software client for emulating Android apps on Windows or macOS desktops.

ESET says that, based on evidence its researchers gathered, a threat actor compromised one of the company's official API () and file-hosting servers (). Using this access, hackers tampered with the download URL of NoxPlayer updates on the API server in order to deliver malware to NoxPlayer users.

"Three different malware families were spotted being distributed from tailored malicious updates to selected victims, with no sign of leveraging any financial gain, but rather surveillance-related capabilities," ESET said in a report shared today with ZDNet.

Despite evidence implying that attackers had access to BigNox servers since at least September 2020, ESET said the threat actor didn't target all of the company's users but instead focused on specific machines, suggesting this was a highly targeted attack looking to infect only a certain class of users.

Until today, and based on its own telemetry, ESET said it spotted malware-laced NoxPlayer updates being delivered to only five victims, located in Taiwan, Hong Kong, and Sri Lanka.

ESET has released today a report with technical details for NoxPlayer users to determine if they received a malware-laced update and how to remove the malware.

A BigNox spokesperson did not return a request for comment.

This incident is also the third supply chain attack discovered by ESET over the past two months. The first is the case of Able Desktop, software used by many Mongolian government agencies. The second is the case of the VGCA, the official certificate authority of the Vietnamese government.

ESET researchers did not formally link this incident to a well-known hacking group. ESET did, however, point out that the three malware strains deployed via malicious NoxPlayer updates had "similarities" with other malware strains used in a Myanmar presidential office website supply-chain compromise in 2018 and in an intrusion into a Hong Kong university in early 2020.

It is unclear if the NoxPlayer compromise is the work of a state-sponsored group or a financially motivated group looking to compromise game developers.

Emulators have played a part in many tech-savvy users' lives. They introduce a level of flexibility that not only allows another system to run on top of a user's operating system (a Windows OS running on a MacBook laptop, for example) but also allows video gamers to play games designed to work on a different platform than the one they own.

Recently, ESET revealed a campaign that targeted users of NoxPlayer, a popular Android emulator for PCs and Macs. Affected users didn't have to visit a potentially dubious website to get malware. All they did was download the update for NoxPlayer.

What we see here is the latest example of a supply-chain attack, wherein threat actors were able to manipulate a legitimate executable file to make it behave in a way it's not supposed to. In this case, attackers manipulated two files: Nox.exe, the main NoxPlayer file, and NoxPack.exe, the downloader of the update itself.

How users can get infected

Everything starts and happens at the backend, where users cannot see what is really going on. In the post, ESET explains that upon opening NoxPlayer, and before a message pops up telling users that a software update is available for download, the program queries the update server via the BigNox HTTP API to check for updates and, if one is available, retrieves update-related information.

The researchers believe that certain sections of the BigNox infrastructure were compromised, including the URL where the update file is housed. It's thought that either the attackers replaced the legitimate update file with malware, or changed the file name or download URL to point to a destination they controlled. These new download URLs mimicked the legitimate download location of the NoxPlayer update. Malware was then executed on affected systems.

The researchers also observed that throughout the end of 2020 and the start of 2021, certain victims were infected with other malware. Reconnaissance is believed to be the main purpose of this as-yet-unidentified malware.
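The update flow described above (client asks the API server for update information, follows the download URL it is given, runs the file) is exactly where a rewritten URL or a swapped file goes unnoticed if the client trusts the server's answer as-is. The following is an added defensive illustration, not code from the article or from NoxPlayer's own updater (whose internals the reports do not describe): the update manifest, including the download URL and the file's SHA-256, is signed with a vendor key whose public half is pinned in the client, and the client refuses to execute anything whose manifest signature or file hash fails. Version, URL, file bytes and the key pair are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the update metadata an API server returns. URL and hash are
// covered by the vendor's signature, so a rewritten URL is detectable.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignManifest is the vendor's offline step: canonical bytes plus signature.
// Marshalling a struct of plain strings cannot fail, so the error is dropped.
func SignManifest(m Manifest, priv ed25519.PrivateKey) ([]byte, []byte) {
	body, _ := json.Marshal(m)
	return body, ed25519.Sign(priv, body)
}

// VerifyUpdate is the client check: signature against the pinned public key,
// then downloaded bytes against the signed hash. fetch stands in for HTTP.
func VerifyUpdate(pub ed25519.PublicKey, body, sig []byte, fetch func(string) []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, body, sig) {
		return m, errors.New("manifest signature invalid: update rejected")
	}
	if err := json.Unmarshal(body, &m); err != nil {
		return m, err
	}
	sum := sha256.Sum256(fetch(m.URL))
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, errors.New("update file hash mismatch: refusing to execute")
	}
	return m, nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // a real client ships only pub, pinned
	file := []byte("constructed stand-in for the NoxPack.exe bytes")
	h := sha256.Sum256(file)
	body, sig := SignManifest(Manifest{"1.2.3", "https://update.example/NoxPack.exe", hex.EncodeToString(h[:])}, priv)
	_, err := VerifyUpdate(pub, body, sig, func(string) []byte { return file })
	fmt.Println("genuine update accepted:", err == nil)
}
```

With this check in place, compromise of the API server alone (rewritten URL) or of the file host alone (swapped bytes) is caught at the client; the attacker would additionally need the vendor's signing key.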