Gelsemium APT may be behind the February hack of NoxPlayer Android emulator


The group specializes in cyber espionage and has been active since at least 2014.

ESET has released details on the mysterious Gelsemium APT group, which they believe may be involved in the supply chain attack that affected electronics manufacturers earlier this year.

The campaign in question is the February operation known as Operation NightScout, which targeted the update mechanism of the popular NoxPlayer application. The program, developed by the Hong Kong company BigNox, is designed to run Android applications on computers running Windows and macOS. The emulator has more than 150 million users worldwide.

Operation NightScout only affected a small number of targets in Taiwan, Hong Kong and Sri Lanka, suggesting a narrow targeting of the attacks.

Gelsemium has been active since at least 2014 and specializes in cyber espionage. Its primary targets are governments, faith-based organizations, electronics manufacturers, and universities in East Asia and the Middle East.

While analyzing Gelsemium campaigns, researchers discovered early versions of a “complex modular” backdoor known as Gelsevirine. To collect information, the group chains several components: the Gelsemine dropper, the Gelsenicine loader and, finally, Gelsevirine itself.

According to the researchers, the group’s attack vectors include phishing emails carrying a malicious Microsoft Office document that exploits CVE-2012-0158, a vulnerability that allows remote code execution.

Gelsemium also carries out watering hole attacks, exploits vulnerable Microsoft Exchange servers to plant a web shell, and uses Dynamic DNS (DDNS) domain names for its command-and-control servers to make its infrastructure harder to track.

“The complete Gelsemium chain looks simple at first glance, but the sheer number of configurations implemented at each stage allows for on-the-fly customization of the delivery of the final payload, making it difficult to understand,” ESET said.
