
Image: BigNox, ZDNet
A mysterious hacking group has compromised the server infrastructure of a popular Android emulator and delivered malware to a handful of victims in Asia in a highly targeted supply chain attack.
The attack was discovered by Slovakian security company ESET on January 25 last week and targeted BigNox, a company that makes NoxPlayer, a software client for emulating Android apps on Windows or macOS desktops.
ESET says that, based on evidence collected by its researchers, a threat actor compromised one of the company's official APIs (api.bignox.com) and one of its file-hosting servers (res06.bignox.com).
Using this access, hackers messed with the download URL of NoxPlayer updates in the API server to deliver malware to NoxPlayer users.
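The tampering described above, an attacker with access to the update API rewriting the download URL, is the kind of substitution an update client can refuse when it only acts on a manifest signed by a key pinned in the client and only downloads over HTTPS from allowlisted hosts. The Go program below is an added example written for this page; it is not BigNox's or ESET's code and says nothing about what NoxPlayer's real updater checks. It assumes a constructed manifest schema, constructed installer bytes and an Ed25519 key pair generated at run time; the hostname res06.bignox.com is the only value taken from the article, and the path, version string and attacker hostname are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Manifest is the update descriptor an update client fetches from the vendor
// API. The schema is constructed for this example and is not BigNox's real one.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`    // where the installer is downloaded from
	SHA256  string `json:"sha256"` // hex SHA-256 of the installer bytes
}

// SignedManifest carries the manifest bytes plus a detached Ed25519 signature
// made with a key kept off the API server (e.g. on an offline release machine),
// so whoever controls the API server still cannot produce a valid manifest.
type SignedManifest struct {
	Payload   []byte
	Signature []byte
}

// trustedHosts is the allowlist of download hosts baked into the client.
var trustedHosts = map[string]bool{"res06.bignox.com": true}

// signManifest is what the vendor's release process would run.
func signManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// verifyUpdate is what the client runs before executing a downloaded update.
// It rejects the update unless the manifest verifies under the pinned key, the
// download URL is https on an allowlisted host, and the artifact hash matches.
func verifyUpdate(pub ed25519.PublicKey, sm SignedManifest, artifact []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, sm.Payload, sm.Signature) {
		return m, errors.New("manifest signature invalid: API response may have been tampered with")
	}
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return m, err
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" || !trustedHosts[u.Hostname()] {
		return m, fmt.Errorf("download URL %q is not https on an allowlisted host", m.URL)
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != strings.ToLower(m.SHA256) {
		return m, errors.New("artifact hash does not match signed manifest")
	}
	return m, nil
}

// runScenarios builds a constructed release and replays three outcomes: a
// genuine update, an attacker rewriting the URL in the API response, and an
// attacker swapping the binary on the file host. It returns the error from
// each so the outcomes can be checked.
func runScenarios() (genuineErr, rewrittenURLErr, swappedBinaryErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	installer := []byte("constructed installer bytes for the example") // constructed sample
	sum := sha256.Sum256(installer)
	m := Manifest{
		Version: "0.0.0-example",                                         // constructed
		URL:     "https://res06.bignox.com/updates/NoxPlayer-setup.exe", // constructed path
		SHA256:  hex.EncodeToString(sum[:]),
	}
	signed, err := signManifest(priv, m)
	if err != nil {
		return err, err, err
	}

	// 1. Genuine update: signature, host and hash all check out.
	_, genuineErr = verifyUpdate(pub, signed, installer)

	// 2. Attacker with API-server access rewrites the download URL. Without the
	//    signing key the edited payload no longer verifies, so it is refused.
	tampered := signed
	tampered.Payload = []byte(strings.Replace(string(signed.Payload),
		"res06.bignox.com", "attacker.example.invalid", 1))
	_, rewrittenURLErr = verifyUpdate(pub, tampered, installer)

	// 3. Attacker with file-host access replaces the installer but leaves the
	//    signed manifest alone: the hash check catches the substitution.
	_, swappedBinaryErr = verifyUpdate(pub, signed, []byte("substituted installer bytes"))
	return
}

func main() {
	g, r, s := runScenarios()
	fmt.Println("genuine update: ", g)
	fmt.Println("rewritten URL:  ", r)
	fmt.Println("swapped binary: ", s)
}
```

The key point is where trust is anchored: the client trusts a public key it already holds, not whatever the API server happens to return, so control of api.bignox.com or res06.bignox.com alone is not enough to push an update that the client will run.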
“Three different malware families were distributed from tailor-made malicious updates to selected victims, with no sign of financial gain, but rather surveillance-related capabilities,” said ESET in a report shared today with ZDNet.
Despite evidence that attackers had been able to access BigNox servers since at least September 2020, ESET said the threat actor was not targeting all of the company's users, but instead specific machines, suggesting that this was a highly targeted attack that went after only a certain class of users.
To date, based on its own telemetry, ESET said NoxPlayer updates containing malware were delivered to just five victims in Taiwan, Hong Kong and Sri Lanka.
Image: ESET
ESET today released a report with technical details that let NoxPlayer users determine whether they received a malicious update and how to remove the malware.
A BigNox spokesperson did not return a request for comment.
This incident is also the third supply chain attack discovered by ESET in the past two months. The first is the case of Able Desktop, software used by many Mongolian government agencies. The second is the case of the VGCA, the official certification body of the Vietnamese government.
ESET researchers did not formally link this incident to any known hacking group. It’s unclear whether NoxPlayer’s compromise is the work of a state-sponsored group or a financially motivated group seeking to put game developers at risk.
However, ESET pointed out that the three malware strains deployed via malicious NoxPlayer updates had “similarities” to malware strains used in a 2018 supply chain compromise of a presidential office in Myanmar and in an early 2020 breach of a university in Hong Kong.