# Operation NightScout: Supply‑chain attack targets online gaming in Asia

##### ESET researchers uncover a supply-chain attack used in a cyberespionage operation targeting online‑gaming communities in Asia

[Ignacio Sanmillan](https://www.welivesecurity.com/author/isanmillan/) 1 Feb 2021 - 11:30AM

During 2020, ESET research reported various supply-chain attacks, such as the case of [WIZVERA VeraPort, used by government and banking websites in South Korea](https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/), [Operation StealthyTrident, compromising the Able Desktop chat software used by several Mongolian government agencies](https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/), and [Operation SignSight, compromising the distribution of signing software distributed by the Vietnamese government](https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/).

In January 2021, we discovered a new supply-chain attack compromising the update mechanism of NoxPlayer, an Android emulator for PCs and Macs, and part of BigNox’s product range with over 150 million users worldwide. This software is generally used by gamers in order to play mobile games from their PCs, making this incident somewhat unusual.

Three different malware families were spotted being distributed from tailored malicious updates to selected victims, with no sign of leveraging any financial gain, but rather surveillance-related capabilities. We spotted similarities between loaders we have been monitoring in the past and some of the ones used in this operation, such as instances we discovered in a Myanmar presidential office website supply-chain compromise in 2018, and in early 2020 in an intrusion into a Hong Kong university.

BigNox is a company based in Hong Kong, which provides various products, primarily an Android emulator for PCs and Macs called NoxPlayer. [The company’s official website claims that it has over 150 million users in more than 150 countries speaking 20 different languages](https://www.bignox.com/about). However, it’s important to note that the BigNox follower base is predominantly in Asian countries. [BigNox also wrote an extensive blogpost in 2019 on the use of VPNs in conjunction with NoxPlayer](https://www.bignox.com/blog/top-10-best-vpn-noxplayer-2019/), showing the company’s concern for their users’ privacy.

We have contacted BigNox about the intrusion, and they denied being affected. We have also offered our support to help them past the disclosure in case they decide to conduct an internal investigation.

### Am I compromised?

_Who is affected:_ NoxPlayer users.

_How to determine if I received a malicious update or not:_ check if any ongoing process has an active network connection with known active C&C servers, or see if any of the malware based on the file names we provided in the report is installed in:

```
C:\ProgramData\Sandboxie\SbieIni.dat
C:\ProgramData\Sandboxie\SbieDll.dll
C:\ProgramData\LoGiTech\LBTServ.dll
C:\Program Files\Internet Explorer\ieproxysocket64.dll
C:\Program Files\Internet Explorer\ieproxysocket.dll
```

or whether a file named `%LOCALAPPDATA%\Nox\update\UpdatePackageSilence.exe` is present that is not digitally signed by BigNox.

_How to stay safe:_ In case of intrusion – standard reinstall from clean media. For non-compromised users: do not download any updates until BigNox notifies that it has mitigated the threat.

### Timeline

Based on ESET telemetry, we saw the first indicators of compromise in September 2020, and activity continued until we uncovered explicitly malicious activity on January 25, 2021, at which point we reported the incident to BigNox.

### Victimology

In comparison to the overall number of active NoxPlayer users, there is a very small number of victims. According to ESET telemetry, more than 100,000 of our users have NoxPlayer installed on their machines.
Among them, only 5 users received a malicious update, showing that Operation NightScout is a highly targeted operation. The victims are based in Taiwan, Hong Kong and Sri Lanka.

_Figure 1. Asia victimology map_

We were unable to find correlations that would suggest any relationships among victims. However, based on the compromised software in question and the delivered malware exhibiting surveillance capabilities, we believe this may indicate the intent of collecting intelligence on targets somehow involved in the gaming community.

It is important to highlight that, in contrast with similar previous operations such as the Winnti Group activity targeting the gaming industry in 2019, we haven’t found indicators that would suggest indiscriminate proliferation of malicious updates among a large number of NoxPlayer users, reinforcing our belief that this is a highly targeted operation.

### Update mechanism

In order to understand the dynamics of this supply-chain attack, it’s important to know what vector was used to deliver malware to NoxPlayer users. This vector was NoxPlayer’s update mechanism.

On launch, if NoxPlayer detects a newer version of the software, it will prompt the user with a message box (Figure 2) offering the option to install it.

_Figure 2. NoxPlayer update prompt_

This is done by querying the update server via the BigNox HTTP API (api.bignox.com) in order to retrieve specific update information, as seen in Figure 3.

_Figure 3. NoxPlayer client update API request_

The response to this query contains update-specific information such as the update binary URL, its size, MD5 hash and other additional related information, as seen in Figure 4.

_Figure 4. NoxPlayer server API reply_

Upon pressing the “Update now” button from Figure 1, the main NoxPlayer binary application Nox.exe will supply the received update parameters to another binary in its toolbox, NoxPack.exe, which is in charge of downloading the update itself, as can be seen in Figure 5.

_Figure 5. NoxPlayer execution chain on update_

After this is done, the progress bar in the message box will reflect the state of the download (Figure 6), and when completed the update has been performed.

_Figure 6. NoxPlayer update ongoing via NoxPack.exe_

We have sufficient evidence to state that the BigNox infrastructure (res06.bignox.com) was compromised to host malware, and also to suggest that their HTTP API infrastructure (api.bignox.com) could have been compromised. In some cases, additional payloads were downloaded by the BigNox updater from attacker-controlled servers. This suggests that the URL field, provided in the reply from the BigNox API, was tampered with by the attackers. The intrusion flow observed is depicted in Figure 7.

_Figure 7. Intrusion flow sequence diagram_

An overview of what’s shown in the sequence diagram above is the following:

1. On launch, the primary NoxPlayer executable Nox.exe will send a request via the API to query update information.
2. The BigNox API server responds to the client request with specific update information, including the URL to download the update from BigNox legitimate infrastructure.
3. Nox.exe provides the appropriate parameters to NoxPlayer.exe to download the update.
4. The legitimate update stored in BigNox infrastructure could have been replaced with malware, or it may be a new filename/URL not used by legitimate updates.
5. Malware is installed on the victim’s machine. Contrary to legitimate BigNox updates, the malicious files are not digitally signed, strongly suggesting that the BigNox build system was not compromised, but just its systems that distribute updates.
6. Some reconnaissance of the victim is performed and information is sent to the malware operators.
7. The perpetrators tailor malicious updates to specific victims of interest based on some unknown filtering scheme.
8. Nox.exe will perform sporadic update requests.
9. The BigNox API server responds to the client with update information, which states that the update is stored in the attacker-controlled infrastructure.
10. Further malware gets delivered to selected victims.

With this information we can highlight several things:

- Legitimate BigNox infrastructure was delivering malware for specific updates. We observed that these malicious updates were only taking place in September 2020.
- It could also suggest the possibility that victims were subjected to a MitM attack, although we believe this hypothesis is unlikely since the victims we discovered are in different countries, and attackers already had a foothold on the BigNox infrastructure. Furthermore, we were able to reproduce the download of the malware samples hosted on res06.bignox.com from a test machine using HTTPS. This rules out the possibility that a MitM attack was used to tamper with the update binary.

It is also important to mention that malicious updates downloaded from the attacker-controlled infrastructure mimicked the path of legitimate updates.

Malicious update on attacker-controlled infrastructure:

```
http://cdn.cloudfronte[.]com/player/upgrade/ext/20201030/1/35e3797508c555d5f5e19f721cf94700.exe
```

Legitimate NoxPlayer update:

```
http://res06.bignox[.]com/player/upgrade/202012/1b31bced0a564bed9f60264f061dcdae.exe
```

Furthermore, registered attacker-controlled domain names mimicked the BigNox CDN network domain name, `cloudfront.net`. These indicators suggest that attackers were trying to avoid detection so that they could remain under the radar and achieve long-term persistence.
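To make the path and domain mimicry concrete, the following Python is an added example (not ESET's or BigNox's code) that checks update download URLs taken from a constructed proxy log against the legitimate BigNox update shape; the log format, the host list and the `cloudfront` lookalike rule are assumptions drawn from the URLs quoted in the report.

```python
"""Flag NoxPlayer update downloads that do not match BigNox's legitimate
update-URL shape, based on the mimicry described in the report.
Added example, not ESET's or BigNox's code; the proxy-log format is constructed."""
import re
from urllib.parse import urlparse

# Host the report identifies as BigNox's own update infrastructure.
BIGNOX_UPDATE_HOSTS = {"res06.bignox.com"}
# Legitimate update path shape: /player/upgrade/YYYYMM/<32 hex chars>.exe
LEGIT_PATH = re.compile(r"^/player/upgrade/\d{6}/[0-9a-f]{32}\.exe$")
# BigNox's real CDN domain, which the attacker-registered domains imitated.
REAL_CDN = "cloudfront.net"


def refang(url):
    """Turn a defanged indicator such as cdn.cloudfronte[.]com back into a real host."""
    return url.replace("[.]", ".")


def classify_update_url(url):
    """Return the reasons a URL looks suspicious; an empty list means it has the
    legitimate shape. That is NOT proof the binary is clean: the report shows
    res06.bignox.com itself served malware, so the Authenticode signature of
    the downloaded file remains the decisive check."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    reasons = []
    if host not in BIGNOX_UPDATE_HOSTS:
        reasons.append("host %s is not BigNox update infrastructure" % host)
        if "cloudfront" in host and host != REAL_CDN and not host.endswith("." + REAL_CDN):
            reasons.append("host %s imitates BigNox CDN domain %s" % (host, REAL_CDN))
        if parsed.path.startswith("/player/upgrade/"):
            reasons.append("path mimics the legitimate NoxPlayer update path")
    elif not LEGIT_PATH.match(parsed.path):
        reasons.append("path on BigNox host does not match the usual update shape")
    return reasons


def scan_proxy_log(lines):
    """Return (url, reasons) for every GET in the constructed log that raised a reason."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "GET":
            reasons = classify_update_url(parts[3])
            if reasons:
                hits.append((parts[3], reasons))
    return hits


# Constructed proxy-log lines; the URLs are ones the report lists as indicators.
SAMPLE_LOG = [
    "2020-09-14T10:02:11Z 10.0.0.21 GET http://res06.bignox[.]com/player/upgrade/202009/6c99c19d6da741af943a35016bb05b35.exe",
    "2020-10-30T08:41:03Z 10.0.0.21 GET http://cdn.cloudfronte[.]com/player/upgrade/ext/20201030/1/35e3797508c555d5f5e19f721cf94700.exe",
    "2021-01-19T17:15:40Z 10.0.0.33 GET http://cdn.cloudfronter[.]com/player/upgrade/ext/20210119/842497c20072fc9b92f2b18e1d690103.exe",
    "2020-12-01T09:00:00Z 10.0.0.21 GET http://res06.bignox[.]com/player/upgrade/202012/1b31bced0a564bed9f60264f061dcdae.exe",
]

if __name__ == "__main__":
    for url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(url, "->", "; ".join(reasons))
```

The first sample line is a malicious September 2020 update served from res06.bignox.com itself and raises no reason, which is exactly why URL shape alone is not a sufficient check.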
### Malware

A total of three different malicious update variants were observed, each of which dropped different malware. These variants are the following:

#### Malicious Update variant 1

This variant is one of the preliminary updates pointing to compromised BigNox infrastructure. Our analysis is based on the sample with SHA-1 CA4276033A7CBDCCDE26105DEC911B215A1CE5CF.

The malware delivered does not seem to have been documented before. It is not extremely complex, but it has enough capabilities to monitor its victims. The initial RAR SFX archive drops two DLLs into `C:\Program Files\Internet Explorer\` and runs one of them, depending on architecture, via rundll32.exe. The names of these DLLs are the following:

```
ieproxysocket64.dll
ieproxysocket.dll
```

It also drops a text file named KB911911.LOG to disk, into which the original name of the SFX installer will be written. The DLL attempts to open and read this log file, and if not found will stop execution, therefore implementing an execution guardrail.

The DLL also references the following list of process names:

```
winlogon.exe
csrss.exe
wininit.exe
services.exe
explorer.exe
```

The IP address of the machine will be checked to verify that it is neither 127.0.0.1 nor 0.0.0.0; if it is, it will be rechecked in an infinite loop until it changes. Otherwise, it will proceed to extract the UUID of the current machine via a WMI object query. This returned UUID is hashed using MD5 to serialize the current victim. Account name information will also be retrieved and saved.

An encrypted configuration will be retrieved from the DLL’s resource. This configuration is encrypted using a two-byte XOR with 0x5000. The encrypted configuration is partially visible given the weakness of the key used:

_Figure 8. Encrypted configuration in resources_

The format of this configuration is the following (roughly):

| Offset | Size | Comment |
|---|---|---|
| 0x00 | 0x08 | Fake JPG header magic |
| 0x08 | 0x12C | Buffer holding tokenized C&C information |
| 0x134 | 0x14 | Buffer holding port for C&C communication |
| 0x148 | 0x14 | Sleep time |
| 0x15C | 0x14 | Operate flag; don’t operate with network monitoring tools deployed or if this flag is set |
| 0x170 | 0x14 | N/A |
| 0x184 | 0x14 | DNS flag; append a token at the end of a hostname buffer with either \|UDP or \|DNS, depending on the value of this field |

The malware also checks whether the following network monitoring tools are running:

```
netman.exe
wireshark.exe
```

The backdoor can use either a raw IP address or a domain name to communicate with the C&C server. After successful connection to the C&C, the malware will be able to perform the following commands:

| Command ID | Specification |
|---|---|
| getfilelist-delete | Delete specified files from the disk |
| getfilelist-run | Run a command via the WinExec API |
| getfilelist-upload | Upload a file via ScreenRDP.dll::ConnectRDServer, using `\\tsclient` drive redirection of certain directories (starting with A: for range(0x1A)) |
| getfilelist-downfile1 | Download a specific file |
| getfilelist-downfile2 | Download a specific directory |
| getfilelist-downfile3 | Same as getfilelist-downfile2 |

_Figure 9. Anatomy of malicious update variant 1_

#### Malicious Update variant 2

This malware variant was also spotted being downloaded from legitimate BigNox infrastructure. Our analysis is based on the sample with SHA-1 E45A5D9B03CFBE7EB2E90181756FDF0DD690C00C.
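The layout table above is enough to write a small decryptor and parser for the variant 1 configuration. The following Python is an added example, not ESET's tooling; it assumes the "two-byte XOR with 0x5000" means each little-endian 16-bit word is XORed with 0x5000 and that the numeric fields are NUL-terminated ASCII, and it works on a constructed sample blob rather than a real resource.

```python
"""Decrypt and parse the resource-embedded configuration of malicious update
variant 1, following the offset table in the report. Added example, not ESET's
tooling. Assumptions: "two-byte XOR with 0x5000" = XOR each little-endian uint16
with 0x5000 (only every second byte changes, which is why strings stay partly
readable); numeric fields are NUL-terminated ASCII. The sample blob is constructed."""
import struct

XOR_KEY = 0x5000
# (name, offset, size) taken from the report's configuration layout table.
LAYOUT = [
    ("jpg_magic", 0x00, 0x08),
    ("cnc", 0x08, 0x12C),
    ("port", 0x134, 0x14),
    ("sleep", 0x148, 0x14),
    ("operate_flag", 0x15C, 0x14),
    ("unused", 0x170, 0x14),
    ("dns_flag", 0x184, 0x14),
]
CONFIG_SIZE = 0x198


def xor_words(data, key=XOR_KEY):
    """Symmetric transform: XOR every little-endian uint16 with key (odd tail byte kept)."""
    out = bytearray(data)
    for i in range(0, len(data) - 1, 2):
        struct.pack_into("<H", out, i, struct.unpack_from("<H", data, i)[0] ^ key)
    return bytes(out)


def parse_config(blob):
    """Decrypt blob and split it into named fields; strings are cut at the first NUL."""
    if len(blob) < CONFIG_SIZE:
        raise ValueError("config blob shorter than 0x198 bytes")
    plain = xor_words(blob[:CONFIG_SIZE])
    fields = {}
    for name, off, size in LAYOUT:
        raw = plain[off:off + size]
        if name == "jpg_magic":
            fields[name] = raw
        else:
            fields[name] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return fields


def build_sample_config():
    """Constructed encrypted blob in the documented layout (RFC 5737 documentation address)."""
    plain = bytearray(CONFIG_SIZE)
    values = {"jpg_magic": b"\xff\xd8\xff\xe0\x00\x10JF", "cnc": b"203.0.113.10",
              "port": b"443", "sleep": b"60", "operate_flag": b"0", "dns_flag": b"1"}
    for name, off, size in LAYOUT:
        val = values.get(name, b"")[:size]
        plain[off:off + len(val)] = val
    return xor_words(bytes(plain))


if __name__ == "__main__":
    blob = build_sample_config()
    print(blob[0x08:0x14])  # even-offset bytes of "203.0.113.10" are still readable
    print(parse_config(blob))
```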
It contains several files comprising what is known as a trident bundle, in which a signed executable is used to load a malicious DLL, which will decrypt and load a shellcode implementing a reflective loader for the final payload.

| Filename | Description |
|---|---|
| `C:\ProgramData\Sandboxie\SandboxieBITS.exe` | Signed Sandboxie COM Services (BITS) |
| `C:\ProgramData\Sandboxie\SbieDll.dll` | Malicious hijacked DLL |
| `C:\ProgramData\Sandboxie\SbieIni.dat` | Malicious encrypted payload; decrypts a reflectively loaded instance of Gh0st RAT |
| `C:\Users\Administrator\AppData\Local\Temp\delself.bat` | Script to self-delete the initial executable |
| `C:\Windows\System32\wmkawe_3636071.data` | Text file containing the sentence "Stupid Japanese" |

We have encountered other instances of this same text file, dropped by a very similar loader in a supply-chain compromise involving the Myanmar presidential office website in 2018, and in an intrusion into a Hong Kong university in 2020.

The deployed final payload was a variant of [Gh0st RAT](https://attack.mitre.org/software/S0032/) with keylogger capabilities.

_Figure 10. Anatomy of malicious update variant 2_

#### Malicious Update variant 3

Our analysis is based on the sample with SHA-1 AA3D31A1A6FE6888E4B455DADDA4755A6D42BEEB.

Similarly to the previous variant, this malicious update comes bundled in an MFC file, and extracts two components: a benign signed file and a dependency of it. The components are:

| Filename | Description |
|---|---|
| `C:\ProgramData\LoGiTech\LoGitech.exe` | Signed Logitech binary |
| `C:\ProgramData\LoGiTech\LBTServ.dll` | Malicious DLL; decrypts and reflectively loads an instance of PoisonIvy |

On the most recently discovered victims, the initial downloaded binary was written in Delphi, while for previous victims the same attacker-controlled URL dropped a binary written in C++. These binaries are the initial preliminary loaders. Although the loaders were written in different programming languages, both versions deployed the same final payload, that being an instance of the [PoisonIvy RAT](https://attack.mitre.org/software/S0012/).

_Figure 11. Anatomy of malicious update variant 3_

### Conclusion

We have detected various supply-chain attacks in the last year, such as [Operation SignSight](https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/) or the compromise of Able Desktop, among others. However, the supply-chain compromise involved in Operation NightScout is particularly interesting due to the targeted vertical, as we rarely encounter cyberespionage operations targeting online gamers. Supply-chain attacks will continue to be a common compromise vector leveraged by cyberespionage groups, and their complexity may impact the discovery and mitigation of these types of incidents.

_For any inquiries, or to make sample submissions related to the subject, contact us at: threatintel@eset.com._

### Acknowledgement

### Files

| SHA-1 | ESET detection name | Description |
|---|---|---|
| `CA4276033A7CBDCCDE26105DEC911B215A1CE5CF` | Win32/Agent.UOJ | Malicious Update variant 1 |
| `E45A5D9B03CFBE7EB2E90181756FDF0DD690C00C` | Win32/GenKryptik.ENAT | Malicious Update variant 2 |
| `AA3D31A1A6FE6888E4B455DADDA4755A6D42BEEB` | Win32/Kryptik.HHBQ | Malicious Update variant 3 |
| `5732126743640525680C1F9460E52D361ACF6BB0` | Win32/Delf.UOD | Malicious Update variant 3 |

### C&C servers

```
210.209.72[.]180
103.255.177[.]138
185.239.226[.]172
45.158.32[.]65
cdn.cloudistcdn[.]com
q.cloudistcdn[.]com
update.boshiamys[.]com
```

### Malicious update URLs

```
http://cdn.cloudfronter[.]com/player/upgrade/ext/20201030/1/35e3797508c555d5f5e19f721cf94700.exe
http://cdn.cloudfronter[.]com/player/upgrade/ext/20201101/1/bf571cb46afc144cab53bf940da88fe2.exe
http://cdn.cloudfronter[.]com/player/upgrade/ext/20201123/1/2ca0a5f57ada25657552b384cf33c5ec.exe
http://cdn.cloudfronter[.]com/player/upgrade/ext/20201225/7c21bb4e5c767da80ab1271d84cc026d.exe
http://cdn.cloudfronter[.]com/player/upgrade/ext/20210119/842497c20072fc9b92f2b18e1d690103.exe
https://cdn.cloudfronte[.]com/player/upgrade/ext/20201020/1/c697ad8c21ce7aca0a98e6bbd1b81dff.exe
http://cdn.cloudfronte[.]com/player/upgrade/ext/20201030/1/35e3797508c555d5f5e19f721cf94700.exe
http://res06.bignox[.]com/player/upgrade/202009/6c99c19d6da741af943a35016bb05b35.exe
http://res06.bignox[.]com/player/upgrade/202009/42af40f99512443cbee03d090658da64.exe
```

### MITRE ATT&CK techniques

_[Note: This table was built using version 8 of the MITRE ATT&CK framework.](https://attack.mitre.org/resources/versions/)_

| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | [T1195.002](https://attack.mitre.org/techniques/T1195/002/) | Supply Chain Compromise: Compromise Software Supply Chain | Malware gets delivered via NoxPlayer updates. |
| Execution | [T1053.005](https://attack.mitre.org/techniques/T1053/005/) | Scheduled Task/Job: Scheduled Task | Malicious update variant 3 instances will be executed via scheduled task. |
| Execution | | | Malicious update variant 2 instances will be executed via service. |
| Defense Evasion | [T1140](https://attack.mitre.org/techniques/T1140/) | Deobfuscate/Decode Files or Information | Malicious update variants 2 and 3 will be contained in "trident" bundles for evasion purposes. |
| Defense Evasion | [T1574.002](https://attack.mitre.org/techniques/T1574/002/) | Hijack Execution Flow: DLL Side-Loading | Malicious updates shipped as "trident" bundles will perform DLL side loading. |
| Collection | [T1056.001](https://attack.mitre.org/techniques/T1056/001/) | Input Capture: Keylogging | Some of the final payloads, such as PoisonIvy and Gh0st RAT, have keylogging capabilities. |
| Command and Control | [T1090.001](https://attack.mitre.org/techniques/T1090/001/) | Proxy: Internal Proxy | The PoisonIvy final payload variant has capabilities to authenticate with proxies. |
| Command and Control | [T1095](https://attack.mitre.org/techniques/T1095/) | Non-Application Layer Protocol | All malicious update instances communicate over raw TCP or UDP. |
| Command and Control | [T1573](https://attack.mitre.org/techniques/T1573/) | Encrypted Channel | Both PoisonIvy and Gh0st RAT use encrypted TCP communication to avoid detection. |
| Exfiltration | [T1041](https://attack.mitre.org/techniques/T1041/) | Exfiltration Over C2 Channel | Exfiltration in all malicious update instances is done over a Command and Control channel. |