New supply chain attack uses poisoned updates to infect gamers’ computers


Researchers have discovered a software attack in the supply chain used to install surveillance malware on the computers of online gamers.

The unknown attackers target selected users of NoxPlayer, a software package that emulates the Android operating system on PCs and Macs. People mainly use it for playing Android mobile games on these platforms. NoxPlayer creator BigNox says the software has 150 million users in 150 countries.

Poison the pit

Security firm Eset said Monday that the BigNox software distribution system has been hacked and used to deliver malicious updates to selected users. The first updates were delivered last September through the manipulation of two files: the main BigNox binary Nox.exe and NoxPack.exe, which downloads the update itself.

“We have sufficient evidence to state that the BigNox infrastructure (res06.bignox.com) has been compromised to host malware, as well as to suggest that their HTTP API infrastructure (api.bignox.com) may have been compromised,” Eset malware researcher Ignacio Sanmillan wrote. “In some cases, additional payloads were downloaded by the BigNox updater from attacker-controlled servers. This suggests that the URL field provided in the response from the BigNox API has been tampered with by the attackers.”

In a nutshell, the attack works like this: At launch, Nox.exe queries the BigNox API for update information. The API server responds with update information containing a URL where the legitimate update should be available. Eset speculates that either the legitimate update at that location was replaced with malware, or that a new file name or URL was introduced.

Malware is then installed on the target’s computer. Unlike legitimate updates, the malicious files are not digitally signed. That suggests the BigNox software build system was not compromised, only the systems that deliver updates. The malware performs limited reconnaissance on the targeted computer, and the attackers further tailor the malicious updates to specific targets of interest.

The BigNox API server responds to a specific target with update information that points to the location of the malicious update on an attacker-controlled server. The detected intrusion flow is shown below.

[Diagram of the observed intrusion flow; image credit: Eset]
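As an added illustration (not Eset's or BigNox's code), the following Go update client shows the two checks this flow depends on: a vendor signature over the update manifest, so that a rewritten URL field in the API response is rejected, and a pinned hash of the download, so that an unsigned substitute binary served from the legitimate host is rejected. The manifest layout, hostnames, update bytes and key handling are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)
// UpdateInfo is an assumed manifest layout, not BigNox's real API format.
type UpdateInfo struct {
	URL    string `json:"url"`
	SHA256 string `json:"sha256"`
}
// VerifyUpdate rejects a manifest whose vendor signature does not verify (an edited
// URL field fails here) and a download whose hash differs from the signed manifest.
func VerifyUpdate(pub ed25519.PublicKey, meta, sig []byte, fetch func(string) []byte) error {
	if !ed25519.Verify(pub, meta, sig) {
		return errors.New("manifest signature invalid")
	}
	var info UpdateInfo
	if err := json.Unmarshal(meta, &info); err != nil {
		return err
	}
	if sum := sha256.Sum256(fetch(info.URL)); hex.EncodeToString(sum[:]) != info.SHA256 {
		return errors.New("downloaded file does not match manifest hash")
	}
	return nil
}
// Scenario replays the two tampering cases on constructed data and reports
// whether the genuine update passed and both tampered cases were rejected.
func Scenario() (genuineOK, tamperedURLRejected, swappedFileRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const goodURL, evilURL = "https://update.vendor.example/Nox.exe", "https://attacker.example/Nox.exe"
	good := []byte("constructed genuine update bytes")
	h := sha256.Sum256(good)
	meta, _ := json.Marshal(UpdateInfo{URL: goodURL, SHA256: hex.EncodeToString(h[:])})
	sig := ed25519.Sign(priv, meta)
	files := map[string][]byte{goodURL: good, evilURL: []byte("constructed malicious bytes")}
	fetch := func(u string) []byte { return files[u] }
	genuineOK = VerifyUpdate(pub, meta, sig, fetch) == nil
	// Case 1: the URL field of the API response is rewritten, but the attacker cannot re-sign it.
	evil, _ := json.Marshal(UpdateInfo{URL: evilURL, SHA256: hex.EncodeToString(h[:])})
	tamperedURLRejected = VerifyUpdate(pub, evil, sig, fetch) != nil
	// Case 2: the file on the legitimate host is replaced; the signed hash no longer matches.
	files[goodURL] = files[evilURL]
	swappedFileRejected = VerifyUpdate(pub, meta, sig, fetch) != nil
	return
}
```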

Eset malware researcher Sanmillan added:

  • The legitimate BigNox infrastructure provided malware for specific updates. We determined that these malicious updates did not happen until September 2020.
  • Furthermore, we found that malicious updates were downloaded from attacker-controlled infrastructure for specific victims, after and during late 2020 and early 2021.
  • We are confident that these additional updates have been made by Nox.exe providing specific parameters to NoxPack.exe, suggesting that the BigNox API mechanism may also have been compromised to deliver tailored malicious updates.
  • It could also suggest the possibility that victims were subject to a MitM attack, although we think this hypothesis is unlikely given that the victims we discovered are in different countries and attackers already had a foothold on the BigNox infrastructure.
  • In addition, we were able to download the malware samples hosted on res06.bignox.com from a test machine and using HTTPS. This eliminates the possibility that a MitM attack was used to manipulate the update binary.

Eset has observed three different malware variants installed. There is no sign that the malware is seeking financial benefits on behalf of the attackers. That led the security company to believe that the malware is being used to monitor targets.

Sanmillan said of the more than 100,000 Eset users who have installed NoxPlayer, only five have received a malicious update. The numbers underline how targeted the attacks are. Targets are located in Taiwan, Hong Kong and Sri Lanka.

Sanmillan said Eset contacted BigNox with the findings and the software maker denied having been affected. BigNox representatives did not respond to email requesting comment for this post.

Anyone who has used NoxPlayer in the past five months should take the time to carefully inspect their systems for signs of compromise. Monday’s post includes a list of files and settings that indicate whether a computer received a malicious update. While the Eset post only refers to the Windows version of the software, there is currently no way to rule out the possibility that macOS users were also targeted.
