New supply chain attack uses poisoned updates to infect players’ computers


Researchers have uncovered a software supply chain attack that is being used to install surveillance malware on the computers of online gamers.

Unknown attackers are targeting select users of NoxPlayer, a software package that emulates the Android operating system on PCs and Macs. People mainly use it to play Android mobile games on those platforms. BigNox, the maker of NoxPlayer, says the software has 150 million users in 150 countries.

Poisoning the well

Security firm Eset said on Monday that the BigNox software distribution system was hacked and used to deliver malicious updates to selected users. The initial malicious updates were delivered last September through the manipulation of two files: Nox.exe, the main BigNox binary, and NoxPack.exe, which downloads the update itself.

“We have enough evidence to say that BigNox’s infrastructure (res06.bignox.com) has been compromised to host malware and also to suggest that its HTTP API infrastructure (api.bignox.com) may have been compromised,” Eset malware researcher Ignacio Sanmillan wrote. “In some cases, additional payloads were downloaded by the BigNox updater from servers controlled by the attacker. This suggests that the URL field, provided in the BigNox API response, has been tampered with by attackers.”

In a nutshell, the attack works like this: at startup, Nox.exe sends a request to a programming interface to check for update information. The BigNox API server responds with update information that includes a URL where the legitimate update should be available. Eset speculates that either the legitimate update at that location was replaced with malware or, alternatively, a new file name or URL was introduced into the response.

The malware is then installed on the target machine. Unlike legitimate updates, the malicious files are not digitally signed. This suggests that the BigNox software build system was not compromised; only the update delivery system was. The malware performs limited reconnaissance on the target computer, and the attackers then tailor further malicious updates to specific targets of interest.
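The flow described above (client asks an API for update information, API returns a URL, client downloads and runs whatever is there) fails in two ways the article identifies: the URL field in the API response can be redirected to an attacker host, or the file at the legitimate host can be swapped. The following Go program is an added example, not BigNox's or Eset's code, that models both failure modes against a naive updater and a hardened one. The manifest field names, the host allowlist, the Ed25519 release key and all payload bytes are constructed assumptions for the example; the real NoxPlayer API schema and signing scheme are not on the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// UpdateInfo models an API response carrying a URL field that tells the
// updater where to fetch the next binary. Field names are assumptions.
type UpdateInfo struct {
	Version   string `json:"version"`
	URL       string `json:"url"`
	SHA256    string `json:"sha256"`
	Signature string `json:"signature"` // hex-encoded Ed25519 signature over the payload bytes
}

// trustedHosts is a constructed allowlist of hosts the client accepts updates from.
var trustedHosts = map[string]bool{"res06.bignox.com": true}

var (
	ErrUntrustedHost  = errors.New("update URL points outside the vendor's update hosts")
	ErrDigestMismatch = errors.New("payload digest does not match manifest")
	ErrBadSignature   = errors.New("payload signature missing or invalid")
)

// ParseUpdateInfo decodes the JSON body of the (simulated) API response.
func ParseUpdateInfo(body []byte) (UpdateInfo, error) {
	var info UpdateInfo
	err := json.Unmarshal(body, &info)
	return info, err
}

// weakInstall mirrors the flow the article describes: the updater trusts
// whatever URL the API returned and installs whatever it downloaded.
// fetch stands in for the HTTP download.
func weakInstall(info UpdateInfo, fetch func(string) []byte) ([]byte, error) {
	return fetch(info.URL), nil
}

// hardenedInstall checks three things that a tampered API response or a
// swapped file on the CDN would fail: the host is an expected one, the payload
// matches the digest in the manifest, and the payload carries a valid signature
// from a release key pinned in the client rather than fetched from the API.
func hardenedInstall(info UpdateInfo, fetch func(string) []byte, releaseKey ed25519.PublicKey) ([]byte, error) {
	u, err := url.Parse(info.URL)
	if err != nil || u.Scheme != "https" || !trustedHosts[u.Hostname()] {
		return nil, ErrUntrustedHost
	}
	payload := fetch(info.URL)
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != info.SHA256 {
		return nil, ErrDigestMismatch
	}
	sig, err := hex.DecodeString(info.Signature)
	if err != nil || !ed25519.Verify(releaseKey, payload, sig) {
		return nil, ErrBadSignature
	}
	return payload, nil
}

// Simulate builds a signed legitimate manifest plus two attacker variants
// (URL redirected to an attacker host; file swapped on the legitimate host)
// and runs both installers over them. All data here is constructed.
func Simulate() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	legit := []byte("constructed legitimate update bytes")
	malicious := []byte("constructed unsigned payload planted by an attacker")
	lsum, msum := sha256.Sum256(legit), sha256.Sum256(malicious)

	body := fmt.Sprintf(`{"version":"1.0","url":"https://res06.bignox.com/update.exe","sha256":"%s","signature":"%s"}`,
		hex.EncodeToString(lsum[:]), hex.EncodeToString(ed25519.Sign(priv, legit)))
	legitInfo, _ := ParseUpdateInfo([]byte(body))

	// Variant 1: the URL field in the API response is rewritten to an attacker host.
	redirected := legitInfo
	redirected.URL = "https://attacker.example/update.exe"
	redirected.SHA256 = hex.EncodeToString(msum[:])

	store := map[string][]byte{legitInfo.URL: legit, redirected.URL: malicious} // stands in for the network
	fetch := func(u string) []byte { return store[u] }

	out := map[string]error{}
	_, out["weak/legit"] = weakInstall(legitInfo, fetch)
	_, out["weak/redirected"] = weakInstall(redirected, fetch)
	_, out["hardened/legit"] = hardenedInstall(legitInfo, fetch, pub)
	_, out["hardened/redirected"] = hardenedInstall(redirected, fetch, pub)

	// Variant 2: the file on the legitimate host is swapped and the digest in the
	// API response updated to match, but the attacker cannot sign with the release key.
	swapped := legitInfo
	swapped.SHA256 = hex.EncodeToString(msum[:])
	store[legitInfo.URL] = malicious
	_, out["hardened/swapped"] = hardenedInstall(swapped, fetch, pub)
	return out
}

func main() {
	for k, v := range Simulate() {
		fmt.Printf("%-20s -> %v\n", k, v)
	}
}
```

The weak updater accepts every variant, while the hardened one rejects the redirected response on the host check and the swapped file on the signature check; a digest in the API response is not enough on its own, because an attacker who can rewrite the URL field can rewrite the digest too.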

The BigNox API server responds to a specific target with update information that points to the location of the malicious update on an attacker-controlled server. The observed intrusion flow is shown below.

[Image: diagram of the observed intrusion flow. Credit: Eset]

Sanmillan, a malware researcher at Eset, added:

  • BigNox’s legitimate infrastructure provided malware for specific updates. We note that these malicious updates only occurred in September 2020.
  • In addition, we noted that, for specific victims, malicious updates were downloaded from the attacker-controlled infrastructure later on and throughout late 2020 and early 2021.
  • We are highly confident that these additional updates were carried out by Nox.exe providing specific parameters for NoxPack.exe, suggesting that the BigNox API engine may also have been compromised to deliver customized malicious updates.
  • This could also suggest the possibility that the victims were subjected to a MitM attack, although we believe that this hypothesis is unlikely, since the victims we discovered are in different countries and the attackers already had a foothold in the BigNox infrastructure.
  • In addition, we were able to reproduce the download of malware samples hosted on res06.bignox.com from a testing machine and using HTTPS. This rules out the possibility that a MitM attack was used to tamper with the update binary.

Eset observed three different malware variants being installed. None of them showed any sign of seeking financial gain for the attackers, which has led the security company to believe that the malware is being used to surveil targets.

Sanmillan said that out of more than 100,000 Eset users who have NoxPlayer installed, only five of them received a malicious update. The numbers emphasize how targeted the attacks are. The targets are located in Taiwan, Hong Kong and Sri Lanka.

Sanmillan said Eset contacted BigNox with the findings and the software maker denied being affected. BigNox representatives did not respond to an email seeking comment for this post.

Anyone who has used NoxPlayer in the past five months should take the time to carefully inspect their systems for signs of compromise. Monday’s post provides a list of files and settings that indicate whether a computer received a malicious update. Although Eset’s post refers only to the Windows version of the software, there is currently no way to rule out the possibility that macOS users are also being targeted.
