Among them, only 5 users received a malicious update, showing that Operation NightScout is a highly targeted operation. According to ESET telemetry, more than 100,000 of our users have Noxplayer installed on their machines. In comparison to the overall number of active NoxPlayer users, there is a very small number of victims. For non-compromised users: do not download any updates until BigNox notifies that it has mitigated the threat.īased on ESET telemetry, we saw the first indicators of compromise in September 2020, and activity continued until we uncovered explicitly malicious activity on January 25 th, 2021, at which point we reported the incident to BigNox.In case of intrusion - standard reinstall from clean media.a file named %LOCALAPPDATA%\Nox\update\UpdatePackageSilence.exe not digitally signed by BigNox.C:\Program Files\Internet Explorer\ieproxysocket.dll.C:\Program Files\Internet Explorer\ieproxysocket64.dll.How to determine if I received a malicious update or not: check if any ongoing process has an active network connection with known active C&C servers, or see if any of the malware based on the file names we provided in the report is installed in:.We have also offered our support to help them past the disclosure in case they decide to conduct an internal investigation. We have contacted BigNox about the intrusion, and they denied being affected. However, it’s important to note that the BigNox follower base is predominantly in Asian countries.īigNox also wrote an extensive blogpost in 2019 on the use of VPNs in conjunction with NoxPlayer, showing the company’s concern for their users' privacy. ![]() The company’s official website claims that it has over 150 million users in more than 150 countries speaking 20 different languages. About BigNoxīigNox is a company based in Hong Kong, which provides various products, primarily an Android emulator for PCs and Macs called NoxPlayer. We spotted similarities in loaders we have been monitoring in the past with some of the ones used in this operation, such as instances we discovered in a Myanmar presidential office website supply-chain compromise on 2018, and in early 2020 in an intrusion into a Hong Kong university. Three different malware families were spotted being distributed from tailored malicious updates to selected victims, with no sign of leveraging any financial gain, but rather surveillance-related capabilities. This software is generally used by gamers in order to play mobile games from their PCs, making this incident somewhat unusual. In January 2021, we discovered a new supply-chain attack compromising the update mechanism of NoxPlayer, an Android emulator for PCs and Macs, and part of BigNox's product range with over 150 million users worldwide. ![]() ![]() adopt additional measures, notably encryption of sensitive data, to avoid exposing users’ personal informationīigNox have also stated that they have pushed the latest files to the update server for NoxPlayer and that, upon startup, NoxPlayer will now run a check of the application files previously installed on the users’ machines.ĮSET assumes no responsibility for the accuracy of the information provided by BigNox.ĭuring 2020, ESET research reported various supply-chain attacks, such as the case of WIZVERA VeraPort, used by government and banking websites in South Korea, Operation StealthyTrident compromising the Able Desktop chat software used by several Mongolian government agencies, and Operation SignSight, compromising the distribution of signing software distributed by the Vietnamese government. ![]() implement file integrity verification using MD5 hashing and file signature checks.use only HTTPS to deliver software updates in order to minimize the risks of domain hijacking and Man-in-the-Middle (MitM) attacks.Following the publication of our research, BigNox have contacted us to say that their initial denial of the compromise was a misunderstanding on their part and that they have since taken these steps to improve security for their users:
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |