On January 26, 2021, ESET researchers released an analysis of an attack conducted by a previously undisclosed China-aligned threat actor known as Blackwood, which has apparently been active since at least 2018. Their attack involves the delivery of a sophisticated implant called NSPX30 through adversary-in-the-middle attacks, which hijack update requests from legitimate software.
The NSPX30 implant has been discovered being deployed through the update mechanisms of well-known software such as Tencent QQ, WPS Office, and Sogou Pinyin. This implant has been detected in targeted attacks against Chinese and Japanese companies, as well as against individuals located in China, Japan, and the United Kingdom.
ESET researchers were able to trace the evolution of NSPX30 back to a small backdoor from 2005 known as Project Wood, which was designed to collect data from its victims. NSPX30 is a multistage implant that includes several components such as a dropper, an installer, loaders, an orchestrator, and a backdoor, with the latter two having their own sets of plugins. Additionally, the implant was designed around the attackers' capability to conduct packet interception, which lets NSPX30's operators hide their infrastructure; the implant also adds itself to the allowlists of several Chinese antimalware solutions.
The newly identified APT group, Blackwood, has been found to be active since at least 2018, engaging in cyberespionage operations against Chinese and Japanese individuals and companies. The group has the capability to conduct adversary-in-the-middle attacks to deliver the NSPX30 implant through updates of legitimate software, and to hide the location of the implant's command and control (C&C) servers by intercepting the traffic the implant generates.
In 2020, a surge of malicious activity was detected on a targeted system located in China, leading ESET researchers to start an investigation into an implant they named NSPX30, which was eventually traced back to the year 2005. The victims of these attacks include both individuals and companies located in China, Japan, and the United Kingdom.
The evolution of NSPX30 has been mapped back to an early ancestor – a simple backdoor known as Project Wood, compiled on January 9th, 2005. This backdoor was used to target a political figure from Hong Kong via spearphishing emails, according to a technical paper published by the SANS Institute in September 2011. Additionally, in October 2014, G DATA reported on a campaign named Operation TooHash, which has been attributed to the Gelsemium APT group and involved a variant of the Project Wood backdoor.
The NSPX30 implant has a different component configuration from its predecessor, DCM: its operation is divided into two stages and relies entirely on the attacker's adversary-in-the-middle capability. NSPX30 had not been publicly documented prior to the ESET researchers' findings. Machines are compromised when legitimate software attempts to download updates from legitimate servers over unencrypted HTTP, which is what allows the attackers to hijack the request.
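The delivery vector described above is an update fetched in the clear, so a plaintext HTTP request for an installer or executable is the signal a defender most wants to see in egress logs. The following Python scanner is an added example, not code from ESET or from this article: it parses a few proxy log lines constructed for the example (the hostnames, log format and user-agent strings are placeholders, not real update servers or IoCs) and flags executable downloads and update checks that travel over unencrypted HTTP, while leaving the same download over HTTPS alone.

```python
"""
Added example (not from the ESET report): flag software-update traffic that
travels over plaintext HTTP, the channel an adversary-in-the-middle can hijack.
"""
import re
from urllib.parse import urlparse

# Egress-proxy log lines constructed for this example. Hostnames are placeholders.
# Format: timestamp client method url status bytes "user-agent"
SAMPLE_LOG = """\
2024-01-10T09:12:01Z 10.0.0.5 GET http://updates.example-office.test/dl/wps_update.exe 200 4194304 "WPSUpdate/1.2"
2024-01-10T09:12:07Z 10.0.0.5 GET https://updates.example-office.test/dl/wps_update.exe 200 4194304 "WPSUpdate/1.2"
2024-01-10T09:13:44Z 10.0.0.9 GET http://ime.example-pinyin.test/update/check?v=12.3 200 512 "SogouUpdater/3.0"
2024-01-10T09:14:02Z 10.0.0.9 GET http://ime.example-pinyin.test/update/setup.msi 200 9128311 "SogouUpdater/3.0"
2024-01-10T09:15:30Z 10.0.0.12 GET http://www.example-news.test/index.html 200 20481 "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

# Payload types an interceptor could swap for an implant if fetched in the clear.
EXECUTABLE_EXT = (".exe", ".dll", ".msi", ".cab", ".zip", ".7z")
# Path or user-agent tokens that mark the request as part of an update flow.
UPDATE_TOKENS = ("update", "upgrade", "patch", "setup")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify(rec):
    """Return a severity string for a risky plaintext update request, else None."""
    u = urlparse(rec["url"])
    if u.scheme != "http":          # only the unencrypted channel is hijackable this way
        return None
    path = u.path.lower()
    looks_update = any(t in path for t in UPDATE_TOKENS) or "update" in rec["ua"].lower()
    is_binary = path.endswith(EXECUTABLE_EXT)
    if is_binary and looks_update:
        return "HIGH: executable update payload fetched over plaintext HTTP"
    if is_binary:
        return "MEDIUM: executable fetched over plaintext HTTP"
    if looks_update:
        return "LOW: update metadata fetched over plaintext HTTP"
    return None


def scan(log_text):
    """Run classify() over every parseable line; return (client, url, verdict) tuples."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            findings.append((rec["client"], rec["url"], verdict))
    return findings


if __name__ == "__main__":
    for client, url, verdict in scan(SAMPLE_LOG):
        print(f"{verdict}  client={client} url={url}")
```

The severity split is deliberate: an update metadata check over HTTP is a weaker signal on its own, but an executable or installer fetched over HTTP by an updater is exactly the request an interceptor can answer with a different file, so it is the one worth alerting on and following up with a hash check against the vendor's published value.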
In conclusion, ESET researchers have discovered a previously undisclosed China-aligned threat actor known as Blackwood, which has been active since at least 2018, engaging in cyberespionage operations against Chinese and Japanese individuals and companies. The attackers utilize sophisticated implant technology, such as NSPX30, delivered through hijacking update requests from legitimate software. This discovery provides important insights into the evolving landscape of cyber threats and emphasizes the importance of vigilance and proactive cybersecurity measures in the face of sophisticated attacks.