The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". The cookie is used to store the user consent for the cookies in the category "Analytics". This cookie is set by GDPR Cookie Consent plugin. These cookies ensure basic functionalities and security features of the website, anonymously. Necessary cookies are absolutely essential for the website to function properly. “Unfortunately, we did not observe links as strong as one campaign dropping or downloading a payload that belongs to the other campaign, but we conclude, with medium confidence, that Operation NightScout is related to the Gelsemium group.” Victims originally compromised by that supply-chain attack were later being compromised by Gelsemine,” ESET’s white paper reads. “The investigation uncovered some overlap between this supply-chain attack and the Gelsemium group. The investigation revealed that the attack was likely carried out by the Gelsemium group: Fortunately, this attack ( dubbed Operation NightScout ) only affected a few countries, such as Taiwan and Hong Kong.
#Group malware noxplayer android emulator update
The group abused the update mechanism of the NoxPlayer Android emulator for Windows and macOS to infect more than 150 million users. Researchers believe that Gelsemium was the group responsible for the NoxPlayer attack.
“Gelsemium’s whole chain might appear simple at first sight, but the exhaustive number of configurations, implanted at each stage, can modify on-the-fly settings for the final payload, making it harder to understand,” ESET researcher Thomas Dupuy added in a report recently published. Researchers say this attack structure is simple yet hard to analyze: The threat actor also used DNS names for servers for command-and-control servers to prevent infrastructure tracking. They’ve also been observed by VenusTech using watering holes on intranet servers in 2018.
“Gelsemium uses three components and a plug-in system to give the operators a range of possibilities to gather information: the dropper Gelsemine, the loader Gelsenicine, and the main plugin Gelsevirine,” ESET revealed.Īccording to G DATA and Verint Systems, t o deliver the malware, t he cyberspies exploited the CVE-2012-0158 Microsoft Office bug and spear-phishing emails. The company noted that the three components of Gelsemium are a dropper, a loader, and the main plugin: In their report, researchers at ESET said they have also uncovered some early versions of the group’s “complex and modular” backdoor Gelsevirine. The group is known for carrying out attacks against various establishments, including governments, religious organizations, electronics manufacturers, and universities, in the Middle East and Asia. Then i n 2018, VenusTech uncovered unknown malware samples linked the operation TooHash that later ESET determined to be early versions of Gelsemium malware. Two years later, new Gelsemium indicator of compromise showed up in a Verint Systems’ presentation at HITCON technical security conference. It was G DATAs SecurityLabs who first discovered several malicious tools used by the group during its 2014 investigation (Operation TooHash). Researchers at ESET has analyzed malware samples from various past campaigns and with medium confidence linked the Gelsemium cyberspy group to the NoxPlayer supply-chain attack in February 2021.
0 kommentar(er)
