ESET researchers have uncovered a sophisticated implant, NSPX30, and attributed it to a newly identified Advanced Persistent Threat (APT) group they call Blackwood. The findings were published on Wednesday on the ESET blog and trace the group's cyber-espionage activity back to at least 2018.
Technically, NSPX30 is delivered through adversary-in-the-middle (AitM) attacks that hijack the update requests of legitimate software such as Tencent QQ, WPS Office, and Sogou Pinyin. This delivery method has been used against Chinese and Japanese organizations, as well as individuals in China, Japan, and the United Kingdom. The implant also uses AitM-style traffic interception to hide its command-and-control (C2) servers, which makes it a potent tool for Blackwood's espionage operations.
NSPX30's lineage can be traced back to Project Wood, a small backdoor identified in 2005 and built to collect data from victims. Over time it has grown into a multistage implant made up of a dropper, an installer, loaders, an orchestrator, and a backdoor with its own set of plugins. The implant can intercept packets and add itself to the allowlists of several Chinese anti-malware products, which further helps conceal the attackers' infrastructure.
In 2020, Blackwood's malicious activity surged, mostly against systems in China. Its victims include unidentified individuals in China and Japan, a Chinese-speaking individual connected to the network of a high-profile public research university in the UK, a large manufacturing and trading company in China, and the Chinese office of a Japanese engineering and manufacturing corporation. The implant is deployed when legitimate software tries to download updates from its servers over unencrypted HTTP.
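Because the infection vector is an update fetched over plaintext HTTP, a defender can watch proxy logs for exactly that pattern. The following is an added example, not ESET's code: it parses a constructed proxy-log format and rates each updater request by how exposed it is to on-path tampering. The log layout, hostnames and User-Agent fragments are assumptions made for the example.

```python
"""Flag update traffic exposed to AitM tampering (added example, not ESET's code).
Log format, hostnames and User-Agent strings are constructed for illustration."""
import re

# Constructed proxy-log line: <ts> <client> <method> <url> <status> <content-type> "<ua>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
                    r'(?P<status>\d{3}) (?P<ctype>\S+) "(?P<ua>[^"]*)"$')
# User-Agent fragments of the updaters to watch (assumed values).
UPDATER_UA = ("qqupdate", "wps office", "sogou")
# Content types that carry executable payloads.
EXEC_CTYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Severity for one record: 'high', 'medium' or None.
    Anything an updater fetches over plaintext HTTP can be replaced by an on-path
    attacker. An executable payload is the direct infection vector (high); a manifest
    or version check over HTTP can steer the updater to one (medium). HTTPS is ignored."""
    url, ua = rec["url"].lower(), rec["ua"].lower()
    if not url.startswith("http://") or not any(tag in ua for tag in UPDATER_UA):
        return None
    if rec["ctype"].lower() in EXEC_CTYPES or url.endswith((".exe", ".dll", ".msi")):
        return "high"
    return "medium"

def scan(lines):
    """Return (client, url, severity) for every AitM-exposed update request."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        sev = classify(rec) if rec else None
        if sev:
            findings.append((rec["client"], rec["url"], sev))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2024-01-24T10:00:01Z 10.0.0.5 GET http://update.qq-example.invalid/upgrade/QQUpdate.exe 200 application/octet-stream "QQUpdate/9.7"',
    '2024-01-24T10:00:02Z 10.0.0.5 GET https://update.wps-example.invalid/check 200 application/json "WPS Office Updater/11"',
    '2024-01-24T10:00:03Z 10.0.0.9 GET http://dl.sogou-example.invalid/pinyin/version.xml 200 application/xml "SogouPinyinUpdater/1.0"',
    '2024-01-24T10:00:04Z 10.0.0.7 GET http://cdn.example.invalid/news.html 200 text/html "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, url, sev in scan(SAMPLE_LOG):
        print(f"{sev.upper():6} {client} {url}")
```

A "high" hit on a host that is not actually the vendor's update server, or one that returns an executable the vendor's signature does not cover, is the point at which to pull the binary for analysis.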
ESET telemetry shows that NSPX30 uses its AitM capability to intercept packets, possibly through a network implant, which effectively hides the location of the group's C2 infrastructure. In a statement, ESET malware researcher Facundo Muñoz noted that the Project Wood implant from 2005 appears to be the work of developers with prior experience in malware development, suggesting that there is more to discover about the history of this primordial backdoor.
The discovery highlights the ongoing threat posed by sophisticated APT groups like Blackwood and the advanced tooling at their disposal. NSPX30 is a reminder that cyber threats keep evolving and that defenders must keep pace with continued vigilance and innovation. As researchers continue to examine the implant and the Blackwood group's activities, it is clear that staying ahead of such threats requires sustained collaboration across the security community.