CyberSecurity SEE

An advanced implant with AitM technology developed since 2005

In a recent analysis, ESET researchers attributed a sophisticated campaign against Chinese and Japanese individuals and companies to a previously undocumented threat group they have named Blackwood. The campaign delivers a multistage implant called NSPX30 through adversary-in-the-middle (AitM) attacks that hijack the update requests of legitimate software.

NSPX30 was deployed through the update mechanisms of legitimate software, including Tencent QQ, WPS Office, and Sogou Pinyin: the client asks the vendor for an update, and the response it receives has been substituted on the network path. Victims include Chinese and Japanese companies as well as individuals located in China, Japan, and the United Kingdom. The implant is believed to have evolved from a small backdoor known as Project Wood, which dates back to 2005 and was designed to collect data from its victims.
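The delivery path described above works because an on-path adversary controls the entire update response, and an update client that trusts whatever arrives, including any hash that travels in the same response, cannot tell the difference. The Go program below is an added example, not ESET's code and not the update logic of any vendor named on this page; it constructs a stand-in release and a stand-in substitute payload, then shows that an in-band hash check passes the substitution while a signature verified under a public key pinned in the installed client rejects it. The package contents, the key pair, and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateResponse is what the update client receives over the network: the
// payload plus whatever integrity metadata travels with it in the same response.
type UpdateResponse struct {
	Payload   []byte
	SHA256    [32]byte // digest shipped in-band next to the payload
	Signature []byte   // Ed25519 signature over the payload, made with the vendor's key
}

// VendorPublish is the vendor side: hash and sign a release. The key pair is
// generated on the fly for this example; a real vendor keeps the private key offline.
func VendorPublish(priv ed25519.PrivateKey, payload []byte) UpdateResponse {
	return UpdateResponse{
		Payload:   payload,
		SHA256:    sha256.Sum256(payload),
		Signature: ed25519.Sign(priv, payload),
	}
}

// AitMSubstitute models an adversary positioned between client and update server.
// It controls the whole response, so it replaces the payload and recomputes the
// in-band digest. It cannot forge a signature without the vendor's private key.
func AitMSubstitute(genuine UpdateResponse, substitute []byte) UpdateResponse {
	return UpdateResponse{
		Payload:   substitute,
		SHA256:    sha256.Sum256(substitute),
		Signature: genuine.Signature, // stale signature over the original payload
	}
}

// VerifyHashOnly is the weak client check: compare the payload to the digest that
// arrived with it. Against an on-path adversary this proves nothing.
func VerifyHashOnly(resp UpdateResponse) bool {
	return sha256.Sum256(resp.Payload) == resp.SHA256
}

// VerifyPinnedSignature is the hardened client check: the public key is baked into
// the installed software rather than fetched over the network, so a substituted
// payload fails no matter what the attacker rewrote in the response.
func VerifyPinnedSignature(pinned ed25519.PublicKey, resp UpdateResponse) error {
	if len(resp.Signature) != ed25519.SignatureSize {
		return errors.New("update rejected: malformed signature")
	}
	if !ed25519.Verify(pinned, resp.Payload, resp.Signature) {
		return errors.New("update rejected: signature does not verify under the pinned vendor key")
	}
	return nil
}

// ScenarioResult records how each client policy treats a genuine and a
// substituted update.
type ScenarioResult struct {
	HashOnlyAcceptsGenuine  bool
	HashOnlyAcceptsTampered bool
	SignedAcceptsGenuine    bool
	SignedAcceptsTampered   bool
}

// RunScenario builds a constructed release and a constructed substitute payload
// (both are placeholder bytes, not real update or implant content) and evaluates
// both verification policies against them.
func RunScenario() (ScenarioResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	genuine := VendorPublish(priv, []byte("constructed: legitimate updater package v1.2.3"))
	tampered := AitMSubstitute(genuine, []byte("constructed: attacker-supplied dropper"))

	return ScenarioResult{
		HashOnlyAcceptsGenuine:  VerifyHashOnly(genuine),
		HashOnlyAcceptsTampered: VerifyHashOnly(tampered),
		SignedAcceptsGenuine:    VerifyPinnedSignature(pub, genuine) == nil,
		SignedAcceptsTampered:   VerifyPinnedSignature(pub, tampered) == nil,
	}, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("hash-only client:        genuine=%v tampered=%v\n", r.HashOnlyAcceptsGenuine, r.HashOnlyAcceptsTampered)
	fmt.Printf("pinned-signature client: genuine=%v tampered=%v\n", r.SignedAcceptsGenuine, r.SignedAcceptsTampered)
}
```

The point of the two checks is where the trust anchor lives: a digest fetched over the same channel as the payload is under the attacker's control, while a key pinned in the already-installed client is not. TLS on the update channel raises the bar for an on-path adversary but does not replace payload signing, since it protects the transport rather than the artifact.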

NSPX30 itself is a multistage implant with several components, including a dropper, installer, loaders, orchestrator, and a backdoor, the last two each carrying their own set of plugins. One of its most concerning capabilities is packet interception, which the operators use to conceal where their infrastructure actually is. The implant can also allowlist itself in several Chinese antimalware solutions, making it particularly difficult to detect and remove on the hosts it targets.

The Blackwood group responsible for this activity has been identified as a China-aligned APT group that has been active since at least 2018. They have demonstrated the capability to conduct adversary-in-the-middle attacks to deliver the NSPX30 implant through updates of legitimate software, as well as to hide the location of their command and control servers by intercepting traffic generated by the implant.

A surge of malicious activity was detected on targeted systems in China in 2020, leading to the discovery of the NSPX30 implant. The victims of these attacks include individuals located in China and Japan, as well as companies in China and the office of a Japanese corporation in the United Kingdom. Additionally, the attackers have been observed attempting to re-compromise systems if access is lost.

The NSPX30 implant was found to have evolved from a simple backdoor known as Project Wood, which was first compiled in 2005. The evolution of this implant was traced through several developments, ultimately leading to the creation of NSPX30. These findings are based on analysis of samples in the ESET collection and public documentation.

Blackwood's delivery of NSPX30 through AitM hijacking of legitimate software updates, combined with traffic interception to conceal the implant's command-and-control location, marks a significant advance over the lineage's earlier backdoors. The same two features explain how the group operated for so long without attribution: from the victim's side, the infection arrives as an update from a trusted vendor, and the implant's command-and-control endpoint is not exposed to ordinary network inspection. For defenders, the practical lesson is that a trusted update channel is only as strong as the integrity checks the client performs on what it downloads.

ESET's report traces the lineage of NSPX30 from the 2005 Project Wood backdoor through its intermediate variants and documents the tactics, techniques, and procedures of the Blackwood group, giving detection and threat-intelligence teams concrete reference material on a cyberespionage operation that relies on hijacked update channels rather than conventional phishing or exploitation.
