
Blackwood hackers hijack WPS Office updates to install malware

Author: Junjie said hackers

A previously unknown advanced threat actor tracked as 'Blackwood' is using sophisticated malware called NSPX30 to carry out cyberespionage attacks against companies and individuals.

Blackwood has been using NSPX30 since at least 2018. The implant's codebase traces back to a simple backdoor from 2005, and it is delivered to victims through adversary-in-the-middle (AitM) attacks.

Researchers at cybersecurity firm ESET discovered Blackwood and the NSPX30 implant while investigating an incident in 2020.


Where Blackwood's targets are

Blackwood's targets are concentrated in China, Japan, and the United Kingdom. The group delivers its malware through the update mechanisms of genuine software such as WPS Office (an office suite), Tencent's QQ instant messaging platform, and the Sogou Pinyin input method editor.

The researchers say the threat actor also uses its AitM position to intercept the traffic generated by NSPX30 itself, which hides the implant's activity and conceals the location of its command-and-control (C2) servers.


Origin and evolution of the NSPX30

NSPX30 is a sophisticated implant based on code from a 2005 backdoor that ESET calls "Project Wood", which had basic functionality for collecting system information, keylogging, and taking screenshots.

Other implants that spawned from Project Wood include DCM (also known as Dark Specter), which first appeared in the wild in 2008 with several functional enhancements.

ESET believes that NSPX30 evolved from DCM, with the first known malware sample recorded in 2018.


Evolutionary timeline

Unlike its predecessors, NSPX30 has a multi-stage architecture made up of a dropper, an installer DLL with extensive UAC bypass capabilities, a loader, an orchestrator, and a backdoor, with the last two each having their own set of plugins.

NSPX30 shows significant technical advances over the earlier implants. It can intercept network packets to hide its infrastructure, which lets it operate covertly, and it includes a mechanism to add itself to the allowlists of several Chinese anti-malware products to evade detection.

The primary function of the NSPX30 is to collect information from the breached system, including files, screenshots, keystrokes, hardware and network data, and credentials.

The backdoor can also steal chat history and contact lists from Tencent QQ, WeChat, Telegram, Skype, CloudChat, RaidCall, YY, and AliWangWang.

The backdoor can also terminate a process by PID, create a reverse shell, move files to a specified path, and uninstall itself from the compromised system.


Execution chain

AitM attacks

A notable aspect of Blackwood's campaign is the ability to deliver NSPX30 by hijacking update requests made by legitimate software, including Tencent QQ, WPS Office, and Sogou Pinyin.

This is not a supply chain compromise in the usual sense: the vendors' build or distribution infrastructure is not breached. Instead, Blackwood intercepts the unencrypted HTTP communication between the victim's system and the update server and substitutes the implant for the legitimate update. Because these update channels run over plain HTTP, any attacker positioned on the network path can read the update request and rewrite the response.


NSPX30 loading diagram

The exact mechanism by which Blackwood first gains the position needed to intercept that traffic is unknown. ESET speculates that it is achieved with an implant placed in the target's network, possibly on a vulnerable device such as a router or gateway.
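The following is an added example, not code from the ESET report or from any of the affected vendors. It models the update hijack described above in-process: a "vendor" serves an update over plain HTTP, an on-path attacker (standing in for a compromised gateway) rewrites the response body, and two client-side updaters fetch it. The naive updater runs whatever it receives, which is the pattern the AitM attack relies on; the verifying updater refuses any payload whose SHA-256 digest does not match a value it already trusts. The update path, the payload bytes, and the function names are all hypothetical and constructed for the example.

```python
"""Model of an HTTP software-update fetch with an on-path (AitM) attacker.

Everything here is constructed for illustration: the 'genuine' and 'malicious'
update bytes are stand-ins (not real binaries, not NSPX30) and the HTTP
exchange is simulated in-process rather than over a socket.
"""
import hashlib
import hmac
from typing import Callable, Dict, Tuple

# Constructed sample payloads (hypothetical; "MZ" prefix only mimics a PE header).
GENUINE_UPDATE = b"MZ\x90\x00...genuine-updater-v12.3..."
MALICIOUS_UPDATE = b"MZ\x90\x00...dropper-stage-1..."

UPDATE_PATH = "/update/updater.exe"  # hypothetical update endpoint

Response = Tuple[int, Dict[str, str], bytes]  # (status, headers, body)
Fetch = Callable[[str], Response]


def vendor_server(path: str) -> Response:
    """Legitimate update server: serves the genuine binary over plain HTTP."""
    if path == UPDATE_PATH:
        return 200, {"Content-Type": "application/octet-stream"}, GENUINE_UPDATE
    return 404, {}, b""


def aitm_proxy(upstream: Fetch) -> Fetch:
    """On-path attacker, e.g. a compromised router or gateway.

    Because the exchange is unencrypted HTTP, the attacker sees the request
    in the clear and can swap the response body for its own payload.
    """
    def fetch(path: str) -> Response:
        status, headers, body = upstream(path)
        if status == 200 and path.endswith(".exe"):
            body = MALICIOUS_UPDATE
            headers = {**headers, "Content-Length": str(len(body))}
        return status, headers, body
    return fetch


def naive_updater(fetch: Fetch) -> bytes:
    """Vulnerable pattern: accept and run whatever the update endpoint returns."""
    status, _, body = fetch(UPDATE_PATH)
    if status != 200:
        raise RuntimeError("update download failed")
    return body  # stands in for 'write to disk and execute'


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verifying_updater(fetch: Fetch, expected_sha256: str) -> bytes:
    """Hardened pattern: only accept a payload whose digest matches a value the
    client already trusts.

    The expected digest must arrive through an authenticated source (a manifest
    signed with a pinned key, or a TLS-protected channel). If it were fetched
    over the same plain-HTTP path, the on-path attacker would rewrite it too.
    """
    status, _, body = fetch(UPDATE_PATH)
    if status != 200:
        raise RuntimeError("update download failed")
    if not hmac.compare_digest(sha256_hex(body), expected_sha256):
        raise ValueError("update integrity check failed; refusing to execute")
    return body


# In practice this value is obtained out of band; here it is computed from the
# constructed genuine payload so the example runs stand-alone.
EXPECTED_SHA256 = sha256_hex(GENUINE_UPDATE)


def run_scenarios() -> Dict[str, bool]:
    """Run each updater against the direct and hijacked paths."""
    direct = vendor_server
    hijacked = aitm_proxy(vendor_server)
    results = {
        "naive_direct_ok": naive_updater(direct) == GENUINE_UPDATE,
        # The naive client happily "executes" the attacker's payload.
        "naive_hijacked_runs_malware": naive_updater(hijacked) == MALICIOUS_UPDATE,
        "verifying_direct_ok": verifying_updater(direct, EXPECTED_SHA256) == GENUINE_UPDATE,
    }
    try:
        verifying_updater(hijacked, EXPECTED_SHA256)
        results["verifying_hijacked_blocked"] = False
    except ValueError:
        results["verifying_hijacked_blocked"] = True
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'yes' if ok else 'no'}")
```

The digest check is the minimum a practitioner should look for when assessing an updater exposed to this class of attack; a signature over the payload with a vendor key pinned in the client is stronger, since it also covers the manifest and does not depend on a second channel. Serving updates over HTTPS removes the passive rewrite but does not replace signing, because the same compromised gateway could still tamper with a client that does not validate certificates.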
