Connect with us

Hi, what are you looking for?

Top Stories

Editor's Pick

Malware attacked mobile game emulator, spied on institutions in Asia — ESET Research

A research arm of an Internet security company has tracked down a strain of malware attacks from a cyberespionage group, the latest of which is believed to be a supply-chain attack against an Android emulator for personal computers (PCs) and Mac devices last February.

In its investigation of multiple campaigns attributed to the Gelsemium group since mid-2020, ESET Research found a new version of the group’s main malware, Gelsevirine, which the firm describes as complex and modular. The earliest version of the malware was traced back to 2014.

The research arm observed that the victims of Gelsemium’s campaigns are located in East Asia and the Middle East. In particular, the group targeted government institutions, religious organizations, electronics manufacturers, and universities.

This targeted nature of the group, ESET Research affirmed, further shows that the main intent of the Gelsemium’s operations is cyberespionage. Also, the group currently has managed to remain mostly under the radar.

Furthermore, ESET Research’s investigation also concludes that Gelsemium is behind the supply-chain attack against BigNox, a Hong Kong-based company that operates NoxPlayer, a free emulator which allows users to play Android games and apps on PC and Mac.

Previously reported by ESET Research as Operation NightScout, the attack was found to have compromised the update mechanism of NoxPlayer and so have potentially affected some of its over 150 million users.

“The update system was compromised, and so selected users received a malicious package instead of the regular NoxPlayer update,” Matthieu Faou, malware researcher at ESET Canada Recherche, said in a presentation of the research on Gelsemium during the ESET World conference last June 9.

The investigation uncovered some overlap between this supply-chain attack and the Gelsemium group. Victims originally compromised by the attack were later being compromised by Gelsemine.

Results from this investigation show that Gelsemium is an example of a stealthy cyberespionage group, Mr. Faou noted, and so ESET Research hopes that their report will help prevent further attacks.

The researcher added that organizations can prevent even quite complex threats like Gelsemium’s through routine, basic prevention measures, such as good patch management.

Gelsemium uses three components and a plug-in system to give the operators a range of possibilities to gather information. These components are the dropper Gelsemine, the loader Gelsenicine, and the main malware Gelsevirine.

Overview of the three components’ workflow

“Gelsemium’s whole chain might appear simple at first sight, but the exhaustive number of configurations, implanted at each stage, can modify on-the-fly settings for the final payload, making it harder to understand,” Thomas Dupuy, also a malware researcher at ESET Canada Recherche who co-authored the Gelsemium research analysis with Mr. Faou, explained in a statement.

The group’s name was derived from a possible translation the researchers found while reading a report from China-based network security products provider VenusTech. Gelsemium is a name of a genus of flowering plants with a species that contains toxic compounds, the names of which were chosen for the three components of the malware family.

ESET Research’s whitepaper for this investigation stated that the Gelsemium group used various entry points to deliver its malware, as indicated by several vectors. The first one, observed in 2014 and 2016, was spearphishing documents using exploits targeting a Microsoft Office vulnerability. The second one, mentioned in 2018, was the use of a watering hole as a vector of compromise where the operator used an intranet server to carry out the attack. The latest one, found last year, hinted that operators probably used an exploit targeting a vulnerability in the Microsoft Exchange Server.

More information about this research is available in ESET’s blog.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Top News

Nikola, an electric truck startup, saw its stock price fly high as it went public and announced a deal with General Motors. A damning...


Stock Markets8 minutes ago (Jul 31, 2020 07:50PM ET) (C) Reuters. FILE PHOTO: James Murdoch, the son of media mogul Rupert Murdoch, and his...

Editor's Pick

TikTok is one of the most rapidly growing platform. People across all the spectrum of age, gender, communities are joining the platform to...

Top News

SEC probing Nikola Motors over short-seller claims of fraud – Business Insider Business Insider logoThe words “Business Insider”. 2020-09-14T23:20:04Z Massimo Pinca/Reuters The Securities and...

Disclaimer:, its managers, its employees, and assigns (collectively “The Company”) do not make any guarantee or warranty about what is advertised above. Information provided by this website is for research purposes only and should not be considered as personalized financial advice.
The Company is not affiliated with, nor does it receive compensation from, any specific security. The Company is not registered or licensed by any governing body in any jurisdiction to give investing advice or provide investment recommendation. Any investments recommended here should be taken into consideration only after consulting with your investment advisor and after reviewing the prospectus or financial statements of the company.

Copyright © 2021 Secrets Of Richdads. All Rights Reserved.

    Get the daily email that makes reading the news actually enjoyable. Stay informed and entertained, for free.

    Your information is secure and your privacy is protected. By opting in you agree to receive emails from us and our affiliates. Remember that you can opt-out any time, we hate spam too!