Operation NightScout: New Supply‑Chain Attack Targeting Online Gaming

Operation NightScout, as dubbed by ESET researchers, is a highly targeted surveillance campaign that involved distributing different malware families through malicious updates to targeted victims in Hong Kong, Taiwan, and Sri Lanka.

According to ESET researchers, the new supply-chain attack targets online gamers by compromising the update mechanism of NoxPlayer.

NoxPlayer is developed by the Hong Kong-based company BigNox and has an estimated user base of more than 150 million in over 150 countries; it allows users to play mobile games on both PC and Mac.

The malware campaign is believed to have started around September 2020, with the attacks continuing until "explicitly malicious activity" in the wild was discovered on January 25, which prompted ESET researchers to report the issue to BigNox.

How the New Supply-Chain Attack Targets Online Gaming

The malware campaign is based on compromised software: the delivered malware exhibits surveillance capabilities, which is believed to indicate an intent to collect intelligence on targeted victims in the gaming community.

The NoxPlayer update mechanism serves as the vector that delivers the trojanized version of the software, which upon installation distributes three different payloads, including Gh0st RAT, which spies on victims, captures keystrokes, and gathers other sensitive information.

There were also instances where malware binaries such as PoisonIvy RAT were downloaded by the NoxPlayer updater from remote servers under the control of the threat actors.

The malware loaders employed in the attack share similarities with a breach of a Hong Kong university in 2020, and ESET claims the operators behind that attack were responsible for breaching BigNox's infrastructure, as the evidence suggests its API was compromised.
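The behaviour described above, an updater process fetching binaries from servers outside the vendor's infrastructure, is something a defender can hunt for in proxy or EDR telemetry. The script below is an added example, not code from the article, ESET, or BigNox: it parses a constructed log format, flags any request from a watched updater process whose destination host is not on a vendor allowlist, and escalates when the fetched path looks like an executable. The process name, hostnames, log lines, and allowlist are placeholders, not real BigNox infrastructure or indicators.

```python
"""Flag updater downloads that leave the vendor's allowlisted hosts.

Added example (not from the article, ESET, or BigNox). It assumes a proxy/EDR
log where each line records the originating process, the destination host and
the requested path. The hostnames, process name and log lines are constructed
placeholders, not real BigNox infrastructure or indicators of compromise.
"""
import re
from dataclasses import dataclass

# Hosts the updater is legitimately expected to talk to (placeholder values).
VENDOR_ALLOWLIST = {"updates.vendor.example", "cdn.vendor.example"}

# Process name of the updater being watched (placeholder, lower-cased).
UPDATER_PROCESS = "noxupdater.exe"

# File types whose download from an unexpected host is worth escalating.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".msi")

# Constructed log layout: one key=value token per field, space separated.
LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) host=(?P<client>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)


@dataclass
class Alert:
    timestamp: str
    client: str
    dest_host: str
    path: str
    severity: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is malformed."""
    match = LOG_PATTERN.match(line.strip())
    return match.groupdict() if match else None


def classify(event):
    """Return an Alert if the updater fetched something from a non-allowlisted host."""
    if event["proc"].lower() != UPDATER_PROCESS:
        return None  # not the updater; out of scope for this rule
    if event["dst"].lower() in VENDOR_ALLOWLIST:
        return None  # expected vendor traffic
    # An executable from an unknown host is the pattern the campaign used.
    severity = "high" if event["path"].lower().endswith(EXECUTABLE_SUFFIXES) else "medium"
    return Alert(event["ts"], event["client"], event["dst"], event["path"], severity)


def scan(lines):
    """Run the rule over an iterable of log lines and collect alerts in order."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # skip malformed lines rather than crash the hunt
        alert = classify(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real traffic). 198.51.100.0/24 is a
# documentation range; the other hosts are placeholders.
SAMPLE_LOG = [
    "2020-09-14T10:02:11Z host=ws-017 proc=NoxUpdater.exe dst=updates.vendor.example path=/release/manifest.json bytes=2048",
    "2020-09-14T10:02:15Z host=ws-017 proc=chrome.exe dst=news.example.net path=/index.html bytes=51200",
    "2020-09-14T10:03:40Z host=ws-017 proc=NoxUpdater.exe dst=198.51.100.23 path=/files/update.exe bytes=913408",
    "2020-09-14T10:03:41Z host=ws-017 proc=NoxUpdater.exe dst=mirror.unknown.example path=/stage/config.json bytes=812",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.timestamp} {alert.client} "
              f"{alert.dest_host}{alert.path}")
```

Run on the constructed sample, the rule ignores the browser traffic and the allowlisted manifest fetch and produces two alerts: a high-severity one for the executable pulled from the unknown IP and a medium one for the configuration file from an unlisted host. In practice the allowlist should come from the vendor's published update endpoints, and the rule pairs naturally with a check that anything the updater writes to disk carries a valid vendor code signature before it is allowed to run.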

How NoxPlayer Users Can Safeguard Their Systems

NoxPlayer users who are not infected are advised to refrain from downloading updates until BigNox has fixed the vulnerabilities and notifies users that the security threat has been mitigated.

Furthermore, as a security best practice, users are advised to uninstall the software to be on the safe side; in any case of intrusion, users can perform a standard reinstall.
