Researchers have uncovered a software supply chain attack that is being used to install surveillance malware on the computers of online gamers.
The unknown attackers are targeting select users of NoxPlayer, a software package that emulates the Android operating system on PCs and Macs. People use it primarily for playing mobile Android games on these platforms. NoxPlayer-maker BigNox says the software has 150 million users in 150 countries.
Poisoning the well
Security firm Eset said on Monday that the BigNox software distribution system was hacked and used to deliver malicious updates to select users. The initial updates were delivered last September through the manipulation of two files: the main BigNox binary Nox.exe and NoxPack.exe, which downloads the update itself.
“We have sufficient evidence to state that the BigNox infrastructure (res06.bignox.com) was compromised to host malware, and also to suggest that their HTTP API infrastructure (api.bignox.com) could have been compromised,” Eset malware researcher Ignacio Sanmillan wrote. “In some cases, additional payloads were downloaded by the BigNox updater from attacker-controlled servers. This suggests that the URL field, provided in the reply from the BigNox API, was tampered with by the attackers.”
In a nutshell, the attack works this way: on launch, Nox.exe sends a request to a programming interface to query update information. The BigNox API server responds with update information that includes a URL where the legitimate update is supposed to be available. Eset speculates that the legitimate update may have been replaced with malware or, alternatively, a new filename or URL was introduced.
Malware is then installed on the target’s machine. The malicious files aren’t digitally signed the way legitimate updates are. That suggests the BigNox software build system isn’t compromised; only the systems for delivering updates are. The malware performs limited reconnaissance on the targeted computer. The attackers further tailor the malicious updates to specific targets of interest.
The BigNox API server responds to a specific target with update information that points to the location of the malicious update on an attacker-controlled server. The intrusion flow observed is depicted below.
Eset malware researcher Sanmillan added:
- Legitimate BigNox infrastructure was delivering malware for specific updates. We observed that these malicious updates were only taking place in September 2020.
- Furthermore, we observed that for specific victims, malicious updates were downloaded from attacker-controlled infrastructure subsequently and throughout the end of 2020 and early 2021.
- We are highly confident that these additional updates were performed by
Nox.exesupplying specific parameters to
NoxPack.exe, suggesting that the BigNox API mechanism may have also been compromised to deliver tailored malicious updates.
- It could also suggest the possibility that victims were subjected to a MitM attack, although we believe this hypothesis is unlikely since the victims we discovered are in different countries, and attackers already had a foothold on the BigNox infrastructure.
- Furthermore, we were able to reproduce the download of the malware samples hosted on
res06.bignox.comfrom a test machine and using https. This discards the possibility that a MitM attack was used to tamper the update binary.
Eset has observed three different malware variants being installed. There’s no sign of any of the malware trying to make financial gains on behalf of the attackers. That led the security company to believe the malware is being used to surveil targets.
Sanmillan said that of more than 100,000 Eset users who have NoxPlayer installed, only five of them received a malicious update. The numbers underscore just how targeted the attacks are. Targets are located in Taiwan, Hong Kong, and Sri Lanka.
Sanmillan said that Eset contacted BigNox with the findings and the software maker denied being affected. BigNox representatives didn’t respond to email seeking comment for this post.
Anyone who has used NoxPlayer over the past five months should take time to carefully inspect their systems for signs of compromise. Monday’s post provides a list of files and settings that will indicate when a computer has received a malicious update. While the Eset post refers only to the Windows version of the software, there’s currently no way to rule out the possibility that macOS users were targeted, too.