Security News > 2021 > June > NoxPlayer Supply-Chain Attack is Likely the Work of Gelsemium Hackers
A new cyber espionage group named Gelsemium has been linked to a supply chain attack targeting the NoxPlayer Android emulator that was disclosed earlier this year.
"Gelsemium's whole chain might appear simple at first sight, but the exhaustive configurations, implanted at each stage, modify on-the-fly settings for the final payload, making it harder to understand."
Since its origins in the mid-2010s, Gelsemium has been found employing a variety of malware delivery techniques ranging from spear-phishing documents exploiting Microsoft Office vulnerabilities and watering holes to a remote code execution flaw in Microsoft Exchange Server - likely CVE-2020-0688, which was addressed by the Windows maker in June 2020 - to deploy the China Chopper web shell.
The adversary is said to have been behind a supply chain attack aimed at BigNox's NoxPlayer, in a campaign dubbed "Operation NightScout," in which the software's update mechanism was compromised to install backdoors such as Gh0st RAT and PoisonIvy RAT to spy on its victims, capture keystrokes, and gather valuable information.
"Victims originally compromised by that supply chain attack were later being compromised by Gelsemine," ESET researchers Thomas Dupuy and Matthieu Faou noted, with similarities observed between the trojanized versions of NoxPlayer and Gelsemium malware.
What's more, another backdoor called Chrommme, which was detected on an unnamed organization's machine also compromised by the Gelsemium group, used the same C2 server as that of Gelsevirine, raising the possibility that the threat actor may be sharing the attack infrastructure across its malware toolset.
News URL
Related news
- North Korean Hackers Using New VeilShell Backdoor in Stealthy Cyber Attacks (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)
- Supply Chain Attacks Can Exploit Entry Points in Python, npm, and Open-Source Ecosystems (source)
- Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining (source)
- North Korean govt hackers linked to Play ransomware attack (source)
- LottieFiles hit in npm supply chain attack targeting users' crypto (source)
- LottieFiles hacked in supply chain attack to steal users’ crypto (source)
- LottieFiles supply chain attack exposes users to malicious crypto wallet drainer (source)
- Hackers increasingly use Winos4.0 post-exploitation kit in attacks (source)
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-02-11 | CVE-2020-0688 | Improper Authentication vulnerability in Microsoft Exchange Server A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'. | 8.8 |