A mysterious hacking group has compromised the server infrastructure of a popular Android emulator and delivered malware to a handful of victims in Asia in a highly targeted supply chain attack.

The attack was discovered by Slovakian security company ESET on January 25 last week and targeted BigNox, a company that makes NoxPlayer, a software client for emulating Android apps on Windows or macOS desktops. ESET says that, based on evidence collected by its researchers, a threat actor gained access to one of the company’s official APIs ( ) and file hosting servers ( ). Using this access, the attackers tampered with the download URL of NoxPlayer updates in the API server to deliver malware to NoxPlayer users.

“Three different malware families were distributed from tailor-made malicious updates to selected victims, with no sign of financial gain, but rather surveillance-related capabilities,” said ESET in a report shared today with ZDNet. Despite evidence that the attackers had been able to access BigNox servers since at least September 2020, ESET said the threat actor was not targeting all of the company’s users, but instead specific machines, suggesting that this was a highly targeted attack aimed at only a certain class of users.

To date, based on its own telemetry, ESET said NoxPlayer updates containing malware were delivered to just five victims in Taiwan, Hong Kong and Sri Lanka. ESET today released a report with technical details so that NoxPlayer users can determine whether they received a malicious update and how to remove the malware. A BigNox spokesperson did not return a request for comment.

This incident is also the third supply chain attack discovered by ESET in the past two months. The first is the case of Able Desktop, software used by many Mongolian government agencies. The second is the case of the VGCA, the official certification body of the Vietnamese government.

ESET researchers did not formally link this incident to any known hacking group. However, ESET pointed out that the three malware strains deployed via malicious NoxPlayer updates had “similarities” to other malware strains used in a supply chain compromise of a presidential office in Myanmar in 2018 and in a breach of a university in Hong Kong in early 2020. It’s unclear whether NoxPlayer’s compromise is the work of a state-sponsored group or a financially motivated group seeking to put game developers at risk.

Researchers at ESET have since analyzed malware samples from various past campaigns and, with medium confidence, linked the Gelsemium cyberespionage group to the NoxPlayer supply-chain attack of February 2021.

It was G DATA’s SecurityLabs who first discovered several malicious tools used by the group during its 2014 investigation (Operation TooHash). Two years later, new Gelsemium indicators of compromise showed up in a Verint Systems presentation at the HITCON technical security conference. Then in 2018, VenusTech uncovered unknown malware samples linked to Operation TooHash that ESET later determined to be early versions of Gelsemium malware. The group is known for carrying out attacks against various establishments, including governments, religious organizations, electronics manufacturers, and universities, in the Middle East and Asia.

In their report, researchers at ESET said they have also uncovered some early versions of the group’s “complex and modular” backdoor, Gelsevirine. The company noted that the three components of Gelsemium are a dropper, a loader, and the main plugin: