
China-aligned APT group Blackwood deploys NSPX30 implant


ESET researchers have uncovered a sophisticated implant, tracked as NSPX30, and attributed it to a newly identified Advanced Persistent Threat (APT) group they call Blackwood. The findings, published Wednesday on the ESET blog, document Blackwood's cyber-espionage activity dating back to at least 2018.

From a technical standpoint, NSPX30 is delivered through adversary-in-the-middle (AitM) attacks that hijack the update requests of legitimate software such as Tencent QQ, WPS Office, and Sogou Pinyin. Victims include Chinese and Japanese companies as well as individuals in China, Japan, and the United Kingdom. The implant also uses AitM-style traffic interception to hide the location of its command-and-control (C2) servers, which makes Blackwood's infrastructure difficult to track and the implant a potent tool for its espionage operations.

The lineage of NSPX30 traces back to Project Wood, a small backdoor identified in 2005 that was built to collect data from victims. NSPX30 has since grown into a multistage implant comprising a dropper, an installer, loaders, an orchestrator, and a backdoor with its own plugins. The implant performs packet interception and can allowlist itself in several Chinese anti-malware solutions, both of which help the operators conceal their infrastructure and keep the implant resident.

In 2020, Blackwood's activity surged, primarily against systems in China. Known victims include unidentified individuals in China and Japan, a Chinese-speaking individual connected to the network of a high-profile public research university in the UK, a large manufacturing and trading company in China, and the Chinese office of a Japanese corporation in the engineering and manufacturing sector. In each case the implant is delivered when legitimate software fetches updates from its vendor's servers over unencrypted HTTP, which gives an attacker positioned on the network path the opportunity to replace the update response with the implant.
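Because the hijacked update request still goes to the vendor's legitimate server address, destination-based controls (IP or domain allowlists) do not see anything wrong; what changes is the content of the response. The following detection logic is an added example, not code from ESET or the original article: it reads Zeek-style http.log records and flags updater endpoints whose response type does not match an expected baseline. The hostnames, paths, user agents, and log lines are all constructed placeholders, not the real update endpoints of Tencent QQ, WPS Office, or Sogou Pinyin, and the nine-field log layout is a reduced form of Zeek's http.log chosen for readability.

```python
"""Flag plaintext-HTTP update traffic whose response content does not match
what the updater endpoint is expected to return (possible AitM swap).

Added example: hostnames, paths, user agents and log lines are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample in a reduced Zeek-style http.log layout (tab-separated):
# ts, id.orig_h, id.resp_h, method, host, uri, user_agent, status_code, resp_mime_types
# Note that both manifest.xml requests go to the SAME server IP; the AitM swap
# changes the payload, not the destination.
SAMPLE_HTTP_LOG = """\
1706000001.10\t10.0.0.5\t203.0.113.10\tGET\tupdate.example-qq.test\t/update/check?ver=9.7\tQQUpdate/1.0\t200\ttext/plain
1706000002.40\t10.0.0.5\t203.0.113.10\tGET\tupdate.example-qq.test\t/update/pkg/latest.exe\tQQUpdate/1.0\t200\tapplication/x-dosexec
1706000003.00\t10.0.0.7\t203.0.113.20\tGET\tupdate.example-wps.test\t/upgrade/manifest.xml\tWPSUpdate/2.1\t200\ttext/xml
1706000004.25\t10.0.0.7\t203.0.113.20\tGET\tupdate.example-wps.test\t/upgrade/manifest.xml\tWPSUpdate/2.1\t200\tapplication/x-dosexec
1706000005.00\t10.0.0.9\t198.51.100.5\tGET\twww.example.test\t/index.html\tMozilla/5.0\t200\ttext/html
"""

# Hypothetical baseline: for each updater host, which paths exist and which
# MIME types they legitimately return. Build this from your own captures.
UPDATE_BASELINE = {
    "update.example-qq.test": [
        (re.compile(r"^/update/check"), {"text/plain"}),
        (re.compile(r"^/update/pkg/.*\.exe$"), {"application/x-dosexec"}),
    ],
    "update.example-wps.test": [
        (re.compile(r"^/upgrade/manifest\.xml$"), {"text/xml", "application/xml"}),
    ],
}

# MIME types that indicate a Windows executable was served.
EXECUTABLE_MIMES = {
    "application/x-dosexec",
    "application/x-msdownload",
    "application/vnd.microsoft.portable-executable",
}


@dataclass
class HttpRecord:
    ts: float
    orig_h: str
    resp_h: str
    method: str
    host: str
    uri: str
    user_agent: str
    status: int
    mime: str


@dataclass
class Finding:
    severity: str
    ts: float
    host: str
    uri: str
    reason: str


def parse_http_log(text: str) -> list:
    """Parse the reduced http.log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) != 9:
            continue
        records.append(HttpRecord(float(f[0]), f[1], f[2], f[3], f[4], f[5], f[6], int(f[7]), f[8]))
    return records


def analyze(records: list) -> list:
    """Compare each request to a baselined updater host against expectations."""
    findings = []
    for r in records:
        rules = UPDATE_BASELINE.get(r.host)
        if rules is None:
            continue  # not an updater host we baseline; out of scope here
        expected = None
        for pattern, mimes in rules:
            if pattern.search(r.uri):
                expected = mimes
                break
        if expected is None:
            findings.append(Finding("medium", r.ts, r.host, r.uri, "unbaselined path on updater host"))
            continue
        served_exe = r.mime in EXECUTABLE_MIMES
        if r.mime not in expected and served_exe:
            # A manifest/check endpoint answered with a PE: the AitM pattern.
            findings.append(Finding("high", r.ts, r.host, r.uri,
                                    "executable returned for a non-executable endpoint (possible AitM swap)"))
        elif r.mime not in expected:
            findings.append(Finding("low", r.ts, r.host, r.uri, f"unexpected MIME type {r.mime}"))
        elif served_exe:
            # Expected, but still a binary fetched over plaintext HTTP: the
            # endpoint must verify its signature/hash before executing it.
            findings.append(Finding("medium", r.ts, r.host, r.uri,
                                    "executable fetched over plaintext HTTP; verify signature or hash on the endpoint"))
    return findings


if __name__ == "__main__":
    for f in analyze(parse_http_log(SAMPLE_HTTP_LOG)):
        print(f"[{f.severity}] ts={f.ts} {f.host}{f.uri}: {f.reason}")
```

On the constructed sample the first manifest.xml fetch is clean, while the second, sent to the same server IP, comes back as a Windows executable and is flagged high. The legitimate latest.exe download is still reported at medium severity, because an updater that accepts a binary over plaintext HTTP without verifying a signature or pinned hash is exactly the weakness the AitM delivery relies on.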

ESET telemetry indicates that NSPX30 relies on AitM packet interception, possibly carried out by a network implant, to conceal the location of its C2 infrastructure. In a statement, ESET malware researcher Facundo Muñoz noted that the 2005 Project Wood implant appears to be the work of developers experienced in malware development, and that there is likely more to discover about the history of this primordial backdoor.

ESET's findings underline the persistent threat posed by well-resourced APT groups like Blackwood and the advanced tooling at their disposal. NSPX30 is a reminder that threats continue to evolve, and that software which still fetches updates over unencrypted HTTP remains an attractive delivery channel for espionage operators. As researchers continue to dig into the implant and the group behind it, staying ahead of such actors will require sustained collaboration across the security community.
