Researchers at ESET discovered a supply-chain attack, dubbed NightScout, that delivered malware through updates to NoxPlayer, an Android gaming emulator made by the Hong Kong-based company BigNox. At least three different malware strains were identified in the attack, which targeted specific gamers in Asia. The threat actor compromised the BigNox storage infrastructure to host the malware and abused the BigNox update API to deploy the payloads. The malware discovered in the campaign delivered three payloads: the Gh0st Remote Access Trojan (RAT), the Poison Ivy RAT, and a previously unknown malware family. The threat actor used malicious NoxPlayer updates to deliver the malware, except for the Poison Ivy RAT, which was delivered as a second-stage payload fetched from the attacker’s own infrastructure.
The attackers had the ability to target anyone who uses the NoxPlayer emulator but chose to infect only five targets, located in Taiwan, Hong Kong, and Sri Lanka. These attacks are highly targeted and are most likely being used for cyber-espionage. Anyone using the NoxPlayer emulator should not download any new updates to the emulator in case the threat actor decides to broaden their targeting. Furthermore, it is advisable to uninstall any software from BigNox until the company has had a chance to review its systems and resolve the intrusion.