NoxPlayer Supply-Chain Attack is Likely the Work of Gelsemium Hackers
A new cyber espionage group named Gelsemium has been linked to a supply chain attack targeting the NoxPlayer Android emulator that was disclosed earlier this year.
"Gelsemium's whole chain might appear simple at first sight, but the exhaustive configurations, implanted at each stage, modify on-the-fly settings for the final payload, making it harder to understand."
Since its origins in the mid-2010s, Gelsemium has been found employing a variety of malware delivery techniques ranging from spear-phishing documents exploiting Microsoft Office vulnerabilities and watering holes to a remote code execution flaw in Microsoft Exchange Server - likely CVE-2020-0688, which was addressed by the Windows maker in June 2020 - to deploy the China Chopper web shell.
The adversary is said to have been behind a supply chain attack aimed at BigNox's NoxPlayer, in a campaign dubbed "Operation NightScout," in which the software's update mechanism was compromised to install backdoors such as Gh0st RAT and PoisonIvy RAT to spy on its victims, capture keystrokes, and gather valuable information.
"Victims originally compromised by that supply chain attack were later being compromised by Gelsemine," ESET researchers Thomas Dupuy and Matthieu Faou noted, with similarities observed between the trojanized versions of NoxPlayer and Gelsemium malware.
What's more, another backdoor called Chrommme, which was detected on an unnamed organization's machine also compromised by the Gelsemium group, used the same C2 server as that of Gelsevirine, raising the possibility that the threat actor may be sharing the attack infrastructure across its malware toolset.
Related news
- 390,000 WordPress accounts stolen from hackers in supply chain attack (source)
- Hackers increasingly use Winos4.0 post-exploitation kit in attacks (source)
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks (source)
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations (source)
- Hackers breach US firm over Wi-Fi from Russia in 'Nearest Neighbor Attack' (source)
- Blue Yonder ransomware attack disrupts grocery store supply chain (source)
- North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- OpenWrt orders router firmware updates after supply chain attack scare (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-02-11 | CVE-2020-0688 | Improper Authentication vulnerability in Microsoft Exchange Server: a remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'. | 8.8 |