The server infrastructure of a popular Android emulator was allegedly compromised in a cyber espionage campaign that targeted online gamers in Asia, with only a handful of selected victims receiving malware.
Dubbed “Operation NightScout” by ESET researchers, the highly targeted supply-chain attack abused the compromised update mechanism of NoxPlayer, an Android emulator for PCs and Macs that gamers use to play mobile games from their computers.
The campaign was discovered on January 25, 2021, and targeted BigNox, a Hong Kong-based company behind NoxPlayer, which claims to have more than 150 million users worldwide, most of them located in Asia.
According to ESET, the malicious actor compromised the company's official API server (api.bignox.com) and one of its file-hosting servers (res06.bignox.com). The attackers then tampered with the URL field in the BigNox API's update reply, which the NoxPlayer client follows when fetching a new version, so that selected users downloaded malware-laced updates instead of the genuine ones.
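The mechanism described above is worth seeing in code. The following is an added example (not BigNox's code or ESET's) contrasting an update client that trusts the URL and hash in the API reply with one that verifies the downloaded file against a key pinned in the client. The API reply shape, the file names and the update bytes are constructed, and an HMAC stands in for a real asymmetric code-signing scheme whose private key never ships to clients.

```python
"""Added example: why a compromised update API defeats a client that trusts the
reply, and why a pinned signing key does not. Everything here is constructed."""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed stand-in for the vendor's signing key. A real updater pins an
# asymmetric public key (Ed25519, Authenticode, ...) so only the verifying half
# is present on the client; HMAC is used here only to keep the example stdlib.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"

# Hosts the client will download from. In NightScout the malware was served from
# a legitimate BigNox host, so a host allowlist on its own is not a defence.
ALLOWED_UPDATE_HOSTS = {"res06.bignox.com"}

GENUINE_UPDATE = b"constructed: genuine NoxPlayer installer bytes"
TROJANIZED_UPDATE = b"constructed: trojanized installer bytes"

# Constructed file store standing in for the (compromised) file-hosting server.
FILE_STORE = {
    "https://res06.bignox.com/updates/genuine.exe": GENUINE_UPDATE,
    "https://res06.bignox.com/updates/tampered.exe": TROJANIZED_UPDATE,
}


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def vendor_sign(blob: bytes) -> str:
    """Runs on the vendor's build system, never on the client."""
    return hmac.new(VENDOR_SIGNING_KEY, blob, hashlib.sha256).hexdigest()


# Reply from a healthy API server.
GENUINE_REPLY = json.dumps({
    "version": "7.0.0",
    "url": "https://res06.bignox.com/updates/genuine.exe",
    "sha256": sha256_hex(GENUINE_UPDATE),
    "sig": vendor_sign(GENUINE_UPDATE),
})

# Reply after the API server is compromised: the attacker rewrites the URL and,
# since they control the whole reply, also the hash so it matches their file.
# Without the signing key they can only replay the genuine file's signature.
TAMPERED_REPLY = json.dumps({
    "version": "7.0.0",
    "url": "https://res06.bignox.com/updates/tampered.exe",
    "sha256": sha256_hex(TROJANIZED_UPDATE),
    "sig": vendor_sign(GENUINE_UPDATE),
})


def fetch(url: str) -> bytes:
    """Download an update, refusing hosts outside the allowlist."""
    host = urlparse(url).hostname
    if host not in ALLOWED_UPDATE_HOSTS:
        raise ValueError(f"refusing download from {host}")
    return FILE_STORE[url]


def naive_update(reply_json: str) -> bytes:
    """Trusts the API: follows its URL and checks only the hash it supplied.
    A tampered reply passes because the attacker chose both URL and hash."""
    reply = json.loads(reply_json)
    blob = fetch(reply["url"])
    if sha256_hex(blob) != reply["sha256"]:
        raise ValueError("hash mismatch")
    return blob


def verified_update(reply_json: str) -> bytes:
    """Verifies the downloaded bytes against the pinned vendor key, so a reply
    from a compromised API cannot make the client accept a file the vendor
    never signed."""
    reply = json.loads(reply_json)
    blob = fetch(reply["url"])
    if not hmac.compare_digest(vendor_sign(blob), reply["sig"]):
        raise ValueError("signature does not verify against pinned vendor key")
    return blob


def simulate() -> dict:
    """Run both clients against both replies; returns what each would install."""
    results = {}
    for name, reply in (("genuine", GENUINE_REPLY), ("tampered", TAMPERED_REPLY)):
        for client in (naive_update, verified_update):
            try:
                blob = client(reply)
                outcome = "installed:genuine" if blob == GENUINE_UPDATE else "installed:trojanized"
            except ValueError:
                outcome = "rejected"
            results[(name, client.__name__)] = outcome
    return results


if __name__ == "__main__":
    for key, outcome in simulate().items():
        print(key, outcome)
```

The point of the simulation is that a hash carried in the same reply as the URL adds nothing once the API server itself is under attacker control; only a check the compromised server cannot satisfy (a signature under a key it does not hold) stops the trojanized file from being installed.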
The researchers said they informed BigNox of the breach, but the company denied having been compromised.
ESET telemetry showed that more than 100,000 of its users had NoxPlayer installed on their machines, yet only five of them received a malicious update. These victims were located in Taiwan, Hong Kong and Sri Lanka, and the researchers were unable to find any connection between them.
Based on these findings, the security firm believes the purpose of the campaign is cyber espionage rather than financial gain.
The malicious updates were sent to victims in September 2020, with additional payloads downloaded from attacker-controlled infrastructure at the end of 2020 and in early 2021.
The researchers identified three malware families delivered through this supply-chain attack. One was a previously unreported malware family, not especially complex but capable of monitoring its victims. The other two were a variant of the Gh0st RAT with keylogging capabilities and a variant of the PoisonIvy RAT.
“The supply-chain compromise involved in Operation NightScout is particularly interesting due to the targeted vertical, as we rarely encounter many cyberespionage operations targeting online gamers. Supply-chain attacks will continue to be a common compromise vector leveraged by cyber-espionage groups, and their complexity may impact the discovery and mitigation of these types of incidents,” ESET noted.