New supply chain attack uses poisoned updates to infect gamers’ computers | Ars Technica

Beware of malicious updates

If you've used NoxPlayer in the past 5 months, it's time to check for malware.

Dan Goodin - Feb 1, 2021 8:41 pm UTC

Update 2/3/2021: ESET has updated its post to report that BigNox's initial denial of the compromise was a misunderstanding on its part and that it has since taken these steps to improve security for their users. ESET said it assumes no responsibility for the accuracy of the information provided by BigNox.

Researchers have uncovered a software supply chain attack that is being used to install surveillance malware on the computers of online gamers. The unknown attackers are targeting select users of NoxPlayer, a software package that emulates the Android operating system on PCs and Macs. People use it primarily for playing mobile Android games on these platforms. NoxPlayer-maker BigNox says the software has 150 million users in 150 countries.

Poisoning the well

Security firm Eset said on Monday that the BigNox software distribution system was hacked and used to deliver malicious updates to select users.
The initial updates were delivered last September through the manipulation of two files: the main BigNox binary Nox.exe and NoxPack.exe, which downloads the update itself.

“We have sufficient evidence to state that the BigNox infrastructure (res06.bignox.com) was compromised to host malware, and also to suggest that their HTTP API infrastructure (api.bignox.com) could have been compromised,” Eset malware researcher Ignacio Sanmillan wrote. “In some cases, additional payloads were downloaded by the BigNox updater from attacker-controlled servers. This suggests that the URL field, provided in the reply from the BigNox API, was tampered with by the attackers.”

In a nutshell, the attack works this way: on launch, Nox.exe sends a request to a programming interface to query update information. The BigNox API server responds with update information that includes a URL where the legitimate update is supposed to be available. Eset speculates that the legitimate update may have been replaced with malware or, alternatively, a new filename or URL was introduced. Malware is then installed on the target’s machine.

The malicious files aren’t digitally signed the way legitimate updates are. That suggests the BigNox software build system isn’t compromised; only the systems for delivering updates are.

The malware performs limited reconnaissance on the targeted computer. The attackers further tailor the malicious updates to specific targets of interest. The BigNox API server responds to a specific target with update information that points to the location of the malicious update on an attacker-controlled server. The intrusion flow observed is depicted in a diagram from Eset (image not reproduced here).

Eset malware researcher Sanmillan added:

Legitimate BigNox infrastructure was delivering malware for specific updates. We observed that these malicious updates were only taking place in September 2020.
Furthermore, we observed that for specific victims, malicious updates were downloaded from attacker-controlled infrastructure subsequently and throughout the end of 2020 and early 2021. We are highly confident that these additional updates were performed by Nox.exe supplying specific parameters to NoxPack.exe, suggesting that the BigNox API mechanism may have also been compromised to deliver tailored malicious updates. It could also suggest the possibility that victims were subjected to a MitM attack, although we believe this hypothesis is unlikely since the victims we discovered are in different countries, and attackers already had a foothold on the BigNox infrastructure. Furthermore, we were able to reproduce the download of the malware samples hosted on res06.bignox.com from a test machine and using https. This discards the possibility that a MitM attack was used to tamper with the update binary.

Eset has observed three different malware variants being installed. There’s no sign of any of the malware trying to make financial gains on behalf of the attackers. That led the security company to believe the malware is being used to surveil targets.

Sanmillan said that of more than 100,000 Eset users who have NoxPlayer installed, only five received a malicious update. The numbers underscore just how targeted the attacks are. Targets are located in Taiwan, Hong Kong, and Sri Lanka.

Sanmillan said that Eset contacted BigNox with the findings and the software maker denied being affected. BigNox representatives didn’t respond to email seeking comment for this post.

Anyone who has used NoxPlayer over the past five months should take time to carefully inspect their systems for signs of compromise. Monday’s post provides a list of files and settings that will indicate when a computer has received a malicious update.
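The update flow described above (the client asks the API for update information, receives a URL, downloads and installs) is only as trustworthy as the API reply and the download host unless the client verifies the update against a key that the delivery infrastructure does not hold. That is exactly the gap the unsigned malicious files exploited: the build system signed real updates, the delivery path did not have to. The Go program below is an added example, not BigNox's code and not anything from Eset's report; the manifest format, the publisher key, the allowlisted host and the payload bytes are all constructed for illustration. It shows a client that pins the publisher's Ed25519 public key, verifies a signed manifest before trusting any field in it, checks the download host, and checks the payload hash, and it runs the tampering paths the article names through that check: a rewritten URL field, a manifest signed by someone other than the publisher, and a file swapped on the download server.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// UpdateManifest stands in for the update information the article says the
// API returns (a version and a URL). The sha256 field, which binds the
// manifest to one exact payload, is an assumption of this example.
type UpdateManifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// Constructed publisher signing key (hypothetical; a real one lives offline,
// away from the update and API servers). The client ships only the public half.
var publisherKey = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
var PinnedPublisherPub = publisherKey.Public().(ed25519.PublicKey)

// Hosts the client is willing to download from, regardless of what the API says.
var allowedHosts = map[string]bool{"updates.publisher.example": true}

// SignManifest is the publisher-side step: serialize the manifest and sign it.
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) (raw, sig []byte, err error) {
	raw, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// VerifyUpdate is the client-side check. Every field the API hands back is
// untrusted until the signature over the whole manifest verifies against the
// pinned key; only then are the URL and the payload hash consulted.
func VerifyUpdate(pinned ed25519.PublicKey, rawManifest, sig, payload []byte) (UpdateManifest, error) {
	var m UpdateManifest
	if !ed25519.Verify(pinned, rawManifest, sig) {
		return m, errors.New("manifest not signed by the pinned publisher key")
	}
	if err := json.Unmarshal(rawManifest, &m); err != nil {
		return m, err
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" || !allowedHosts[u.Host] {
		return m, fmt.Errorf("download URL %q is not https on an allowlisted host", m.URL)
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, errors.New("downloaded payload does not match the signed hash")
	}
	return m, nil
}

// Scenarios runs one legitimate update and three tampered ones through
// VerifyUpdate; a nil error means the client would install. All bytes are
// constructed for the example.
func Scenarios() map[string]error {
	legit := []byte("constructed legitimate update bytes")
	sum := sha256.Sum256(legit)
	m := UpdateManifest{
		Version: "1.0.1",
		URL:     "https://updates.publisher.example/update-1.0.1.bin",
		SHA256:  hex.EncodeToString(sum[:]),
	}
	raw, sig, _ := SignManifest(publisherKey, m)

	out := map[string]error{}
	_, out["legitimate"] = VerifyUpdate(PinnedPublisherPub, raw, sig, legit)

	// Someone controlling the API reply rewrites the URL field but holds no signing key.
	tampered := m
	tampered.URL = "https://attacker.example/update.bin"
	tamperedRaw, _ := json.Marshal(tampered)
	_, out["url-rewritten"] = VerifyUpdate(PinnedPublisherPub, tamperedRaw, sig, legit)

	// The rewritten manifest is signed with a key that is not the pinned one.
	otherKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	oRaw, oSig, _ := SignManifest(otherKey, tampered)
	_, out["other-key-signed"] = VerifyUpdate(PinnedPublisherPub, oRaw, oSig, legit)

	// The manifest is genuine but the file on the download host was replaced.
	_, out["payload-swapped"] = VerifyUpdate(PinnedPublisherPub, raw, sig, []byte("constructed malicious bytes"))
	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-17s -> %v\n", name, err)
	}
}
```

Only the first scenario installs; the other three are rejected before any file is executed, which is the property a compromised res06 host or API server cannot defeat without the offline signing key. The host allowlist is a second, independent control: even a correctly signed manifest that points somewhere unexpected is refused, so a signing-key leak alone is not enough to redirect clients.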
While the Eset post refers only to the Windows version of the software, there’s currently no way to rule out the possibility that macOS users were targeted, too.

Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications.