A research arm of an Internet security company has tracked a series of malware attacks by a cyberespionage group, the latest of which is believed to be a supply-chain attack against an Android emulator for personal computers (PCs) and Mac devices last February.
In its investigation of multiple campaigns attributed to the Gelsemium group since mid-2020, ESET Research found a new version of the group’s main malware, Gelsevirine, which the firm describes as complex and modular. The earliest version of the malware was traced back to 2014.
The research arm observed that the victims of Gelsemium’s campaigns are located in East Asia and the Middle East. In particular, the group targeted government institutions, religious organizations, electronics manufacturers, and universities.
This targeted nature of the group, ESET Research affirmed, further shows that the main intent of Gelsemium’s operations is cyberespionage. The group has also, so far, managed to remain mostly under the radar.
Furthermore, ESET Research’s investigation also concludes that Gelsemium is behind the supply-chain attack against BigNox, a Hong Kong-based company that operates NoxPlayer, a free emulator which allows users to play Android games and apps on PC and Mac.
Previously reported by ESET Research as Operation NightScout, the attack was found to have compromised the update mechanism of NoxPlayer and so potentially affected some of its over 150 million users.
“The update system was compromised, and so selected users received a malicious package instead of the regular NoxPlayer update,” Matthieu Faou, malware researcher at ESET Canada Recherche, said in a presentation of the research on Gelsemium during the ESET World conference last June 9.
The investigation uncovered some overlap between this supply-chain attack and the Gelsemium group: victims originally compromised by the attack were later compromised by Gelsemine.
Results from this investigation show that Gelsemium is an example of a stealthy cyberespionage group, Mr. Faou noted, and so ESET Research hopes that their report will help prevent further attacks.
The researcher added that organizations can prevent even quite complex threats like Gelsemium’s through routine, basic prevention measures, such as good patch management.
Gelsemium uses three components and a plug-in system to give the operators a range of possibilities to gather information. These components are the dropper Gelsemine, the loader Gelsenicine, and the main malware Gelsevirine.
[Figure: Overview of the three components’ workflow]
“Gelsemium’s whole chain might appear simple at first sight, but the exhaustive number of configurations, implanted at each stage, can modify on-the-fly settings for the final payload, making it harder to understand,” Thomas Dupuy, also a malware researcher at ESET Canada Recherche who co-authored the Gelsemium research analysis with Mr. Faou, explained in a statement.
The group’s name was derived from a possible translation the researchers found while reading a report from China-based network security products provider VenusTech. Gelsemium is the name of a genus of flowering plants with a species that contains toxic compounds; the names of those compounds were chosen for the three components of the malware family.
ESET Research’s whitepaper for this investigation stated that the Gelsemium group used various entry points to deliver its malware, as indicated by several observed vectors. The first, observed in 2014 and 2016, was spearphishing documents carrying exploits for a Microsoft Office vulnerability. The second, mentioned in 2018, was a watering-hole compromise in which the operator used an intranet server to carry out the attack. The latest, found last year, suggested that the operators probably used an exploit targeting a vulnerability in Microsoft Exchange Server.
More information about this research is available in ESET’s blog.