ESET researchers have linked a sneaky cyber espionage group known as Gelsemium to the attack on the supply chain of the Android emulator NoxPlayer that targeted gamers earlier this year.
The hacking group’s activity dates back to 2014, when some of its malicious tools were discovered by G DATA SecurityLabs while investigating a targeted cyber-espionage campaign (dubbed Operation TooHash) that relied on spear-phishing.
Two years later, in 2016, new Gelsemium indicators of compromise appeared on a Verint Systems presentation at HITCON.
In 2018, VenusTech disclosed malware samples from an unknown APT group linked to Operation TooHash, which ESET later identified as early versions of Gelsemium malware.
The group is known for targeting governments, faith-based organizations, electronics manufacturers and universities in East Asia and the Middle East, but has largely gone unnoticed.
Malware deployed using multiple attack vectors
ESET researchers today revealed that they also found early versions of the group’s “complex and modular” Gelsevirine backdoor while investigating various campaigns since mid-2020.
“Gelsemium uses three components and a plug-in system to provide operators with a range of information-gathering capabilities: the Gelsemine dropper, the Gelsenicine loader, and the Gelsevirine core plug-in,” ESET revealed.
According to reports from G DATA and Verint Systems, cyber spies used phishing emails with attached documents that exploited the Microsoft Office vulnerability CVE-2012-0158 to deliver the malware.
VenusTech also observed them using watering holes set up on intranet servers in 2018, while ESET detected them using a pre-authentication RCE exploit against vulnerable Exchange servers to deploy web shells.
Their list of tactics also includes the use of dynamic DNS (DDNS) domain names for command and control servers, which makes the infrastructure harder to track because such hostnames do not show up in lists of newly registered domains.
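To make the detection gap concrete, here is an added example (not ESET's code or part of the report) that runs a newly-registered-domain (NRD) check and a DDNS-suffix check over constructed resolver log lines; the DDNS provider zones, registration dates and log lines are all illustrative assumptions.

```python
from datetime import date

# Illustrative list of public dynamic-DNS parent zones (assumption: a real
# deployment would maintain its own, more complete list).
DDNS_SUFFIXES = ("no-ip.com", "no-ip.org", "dyndns.org", "duckdns.org", "ddns.net")

# Constructed registration dates standing in for a WHOIS / NRD feed lookup.
REGISTERED = {
    "ddns.net": date(1999, 1, 1),
    "example-corp.com": date(2010, 5, 3),
    "fresh-c2-domain.xyz": date(2021, 5, 20),
}

TODAY = date(2021, 5, 25)  # constructed "now" for the sample data

def registrable_domain(fqdn: str) -> str:
    """Naive eTLD+1 (last two labels); sufficient for the sample zones above."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_newly_registered(fqdn: str, today: date, window_days: int = 30) -> bool:
    """What an NRD list sees: only the age of the registrable parent domain."""
    reg = REGISTERED.get(registrable_domain(fqdn))
    return reg is not None and (today - reg).days <= window_days

def is_ddns_host(fqdn: str) -> bool:
    """True for a host under a dynamic-DNS provider zone, e.g. foo.ddns.net."""
    host = fqdn.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES)

def triage(dns_log: list, today: date) -> dict:
    """Split queried names into NRD hits and DDNS hosts the NRD check misses."""
    out = {"nrd": [], "ddns_only": []}
    for line in dns_log:
        qname = line.split()[-1]          # format: timestamp client qname
        if is_newly_registered(qname, today):
            out["nrd"].append(qname)
        elif is_ddns_host(qname):
            out["ddns_only"].append(qname)  # old parent zone, fresh subdomain
    return out

# Constructed sample resolver log lines.
SAMPLE_LOG = [
    "2021-05-25T10:00:01 10.0.0.5 mail.example-corp.com",
    "2021-05-25T10:00:07 10.0.0.5 update-check.ddns.net",
    "2021-05-25T10:00:09 10.0.0.8 fresh-c2-domain.xyz",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, TODAY))
```

The DDNS host passes the NRD check because its parent zone is decades old, so a defender needs the separate suffix check to surface it.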
“The entire Gelsemium chain may seem simple at first glance, but the exhaustive number of configurations, implemented at each stage, can modify the configuration of the final payload on the fly, making it more difficult to understand,” ESET researcher Thomas Dupuy added in a report released today.
Linked to a supply chain attack targeting gamers
ESET researchers believe Gelsemium is the APT group that coordinated the supply chain attack that compromised and abused the update mechanism of the Android emulator NoxPlayer for Windows and macOS (with over 150 million users) to infect gamers’ systems between September 2020 and January 2021.
Fortunately, this attack on the supply chain (dubbed Operation NightScout) only affected a limited set of targets from Taiwan, Hong Kong and Sri Lanka, indicating the highly specific nature of the operation.
This, in itself, makes Gelsemium’s attack on NoxPlayer stand out, as not many threat actors target the gaming community.
“The investigation uncovered some overlap between this supply chain attack and the Gelsemium group. The victims originally compromised by that supply chain attack were later compromised by Gelsemine,” the ESET white paper reads.
“Unfortunately, we did not see links as strong as that of one campaign dropping or loading a payload that belongs to the other campaign, but we conclude, with medium confidence, that Operation NightScout is related to the Gelsemium group.”