A recent report from cybersecurity researchers at ESET has shed light on a disturbing trend in the world of cybercrime. The report reveals that Chinese hackers have been hijacking software updates to install malware, compromising user data, and building backdoors for future attacks. This poses a particularly concerning threat to cybersecurity, as it allows hackers to compromise a large user base at once, making software upgrades a luring target for malicious activities.
ESET found that the China-linked threat actor Blackwood has been behind a cyberattack since 2018. They use AitM attacks to deliver NSPX30 implants through software updates by targeting Chinese and Japanese entities. Blackwood hides the C2 server location by intercepting NSPX30-generated traffic. In 2020, China was hit by a surge of attacks from Evasive Panda, LuoYu, and LittleBear, leading security analysts to discover a new threat, NSPX30, that can be traced back to 2005.
The evolution starts with a 2005 backdoor, Project Wood, which was found via timestamps. Project Wood served as a codebase that led to DCM in 2008. Cybersecurity researchers at ESET found IP addresses linked to legitimate software firms in their telemetry. Millions of connections were registered, with downloads of genuine software components. However, no DNS redirection hints at intercepting unencrypted HTTP traffic for delivering the NSPX30 implant.
Orchestrator uses Baidu’s site to download backdoor, posing as Internet Explorer on Windows 98. Custom User-Agent and Request-URI reveal orchestrator and system info. While the backdoor initializes the UDP socket, facing complications with firewalls and NAT. Data exfiltration via DNS queries to Microsoft[.]com takes place and cleverly hides C&C location using AitM capability. Victims in Japan and the UK were targeted via the AitM system. Blackwood threat actors have been observed since 2005 and have been constantly evolving from Project Wood. The history of the primordial backdoor, Project Wood, hints at experienced malware developers.
These findings highlight the sophisticated and continuous efforts of hackers to exploit vulnerabilities in software updates to carry out malicious activities. The report also serves as a stark reminder of the evolving nature of cyber threats and the need for robust cybersecurity measures to combat them.
The implications of these findings are significant, as they demonstrate the need for heightened vigilance and security measures when it comes to software updates. As hackers continue to develop more sophisticated and targeted attacks, organizations and individuals must remain diligent in ensuring the security of their systems and data.
Overall, the report from ESET underscores the need for ongoing efforts to mitigate the risks associated with software updates and advance cybersecurity defenses to protect against malicious activities. It serves as a wake-up call for all stakeholders in the cybersecurity space to remain proactive and adaptable in the face of evolving cyber threats.