Researchers at ESET have analyzed malware samples from various past campaigns and, with medium confidence, linked the Gelsemium cyberespionage group to the NoxPlayer supply-chain attack in February 2021.
It was G DATA's SecurityLabs that first discovered several malicious tools used by the group during its 2014 investigation (Operation TooHash). Two years later, new Gelsemium indicators of compromise showed up in a Verint Systems presentation at the HITCON technical security conference. Then, in 2018, VenusTech uncovered unknown malware samples linked to Operation TooHash that ESET later determined to be early versions of Gelsemium malware.
The group is known for carrying out attacks against various establishments, including governments, religious organizations, electronics manufacturers, and universities, in the Middle East and Asia.
In their report, researchers at ESET said they have also uncovered some early versions of the group’s “complex and modular” backdoor Gelsevirine.
The company noted that the three components of Gelsemium are a dropper, a loader, and the main plugin:
“Gelsemium uses three components and a plug-in system to give the operators a range of possibilities to gather information: the dropper Gelsemine, the loader Gelsenicine, and the main plugin Gelsevirine,” ESET revealed.
According to G DATA and Verint Systems, to deliver the malware, the cyberspies exploited the CVE-2012-0158 Microsoft Office bug and used spear-phishing emails. In 2018, VenusTech also observed them using watering holes on intranet servers. The threat actor also used DNS names for its command-and-control servers to hinder infrastructure tracking.
Researchers say this attack structure is simple yet hard to analyze:
“Gelsemium’s whole chain might appear simple at first sight, but the exhaustive number of configurations, implanted at each stage, can modify on-the-fly settings for the final payload, making it harder to understand,” ESET researcher Thomas Dupuy added in a recently published report.
Researchers believe that Gelsemium was the group responsible for the NoxPlayer attack. The group abused the update mechanism of the NoxPlayer Android emulator for Windows and macOS to infect more than 150 million users. Fortunately, this attack (dubbed Operation NightScout) only affected a few countries, such as Taiwan and Hong Kong.
The investigation revealed that the attack was likely carried out by the Gelsemium group:
“The investigation uncovered some overlap between this supply-chain attack and the Gelsemium group. Victims originally compromised by that supply-chain attack were later being compromised by Gelsemine,” ESET’s white paper reads.
“Unfortunately, we did not observe links as strong as one campaign dropping or downloading a payload that belongs to the other campaign, but we conclude, with medium confidence, that Operation NightScout is related to the Gelsemium group.”