A previously unknown Chinese threat actor has been making waves in the cyber-espionage world since 2018, when it began using a novel backdoor in adversary-in-the-middle (AitM) attacks against Chinese and Japanese targets. ESET researchers have named the group “Blackwood.” Its victims include a large Chinese manufacturing and trading company, the Chinese office of a Japanese engineering and manufacturing company, individuals in China and Japan, and a Chinese-speaking person connected with a high-profile research university in the UK.
Blackwood went unidentified for more than six years after its earliest known activity largely because it conceals its malware inside updates for popular software products such as WPS Office. The malware itself, known as “NSPX30,” is a highly sophisticated espionage tool that has allowed Blackwood to operate under the radar.
NSPX30 is the result of nearly two decades of research and development, following a long lineage of backdoors dating back to 2005, with various iterations used to target individuals and entities in Hong Kong, Taiwan, and mainland China. NSPX30 is a multifunctional tool capable of a wide range of espionage activities, including data theft, establishing a reverse shell, intercepting network traffic, and evading detection by Chinese antivirus tools.
The most intriguing aspect of Blackwood’s operation is its ability to inject the backdoor into legitimate software updates that clients download from reputable corporate servers over unencrypted HTTP. Because that transfer is neither encrypted nor authenticated, an attacker positioned on the network path can substitute a malicious update body without the client noticing, which is how machines have been infected with NSPX30 while bypassing typical cybersecurity measures. The software products whose updates have been abused include WPS Office, the QQ instant messaging service, and the Sogou Pinyin input method editor.
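As an added illustration (not code from ESET’s report or from any of the software vendors named above), the following Python model shows why an update fetched over plain HTTP is exposed to an on-path attacker and what a client-side integrity check changes. The update bytes, the tampering function and the manifest format are all constructed for the example; in a real updater the manifest (or, better, a vendor signature over the installer) must itself arrive over an authenticated channel such as TLS with certificate validation, otherwise an AitM attacker simply rewrites both.

```python
"""Hash-pinned update verification: a defensive model of the AitM update-hijack risk."""
import hashlib
import hmac
from typing import Callable, Dict, Optional

# Constructed sample bytes standing in for a legitimate installer.
GENUINE_UPDATE = b"legit-installer-v2.1.0::" + b"A" * 64
# Constructed bytes standing in for what an on-path attacker substitutes in transit.
TAMPERED_UPDATE = b"legit-installer-v2.1.0::" + b"B" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish_manifest(version: str, update: bytes) -> Dict[str, str]:
    """Vendor side: digest and length of the genuine update.

    Assumption: this manifest reaches the client over an authenticated channel
    (TLS with certificate validation, or a signed file). If it travelled over the
    same plain-HTTP path as the installer, the check below would be worthless.
    """
    return {"version": version, "sha256": sha256_hex(update), "length": str(len(update))}


def fetch_over_plain_http(update: bytes,
                          on_path: Optional[Callable[[bytes], bytes]] = None) -> bytes:
    """Models an unencrypted, unauthenticated download: anyone on the path may rewrite it."""
    return on_path(update) if on_path else update


def naive_install(downloaded: bytes) -> str:
    """Client that trusts whatever the HTTP body contains (the exposed pattern)."""
    return "installed"


def verified_install(manifest: Dict[str, str], downloaded: bytes) -> str:
    """Client that pins length and digest from the trusted manifest before running anything."""
    if len(downloaded) != int(manifest["length"]):
        return "rejected: length mismatch"
    # Constant-time comparison so the check itself leaks nothing about the expected digest.
    if not hmac.compare_digest(sha256_hex(downloaded), manifest["sha256"]):
        return "rejected: digest mismatch"
    return "installed"


def swap_payload(_: bytes) -> bytes:
    """Constructed on-path tampering: replace the installer wholesale."""
    return TAMPERED_UPDATE


def demo() -> Dict[str, str]:
    manifest = publish_manifest("2.1.0", GENUINE_UPDATE)
    clean = fetch_over_plain_http(GENUINE_UPDATE)
    hijacked = fetch_over_plain_http(GENUINE_UPDATE, on_path=swap_payload)
    return {
        "naive_clean": naive_install(clean),
        "naive_hijacked": naive_install(hijacked),          # silently runs attacker bytes
        "verified_clean": verified_install(manifest, clean),
        "verified_hijacked": verified_install(manifest, hijacked),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18s} -> {outcome}")
```

The two clients receive identical bytes; only the verified one notices that the hijacked download no longer matches what the vendor published. The same structure is why authenticated update channels and signed installers, rather than blind trust in an HTTP response, are the control that closes this class of attack.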
Organizations are advised to take proactive measures to defend against this threat, including ensuring that endpoint protection tools block NSPX30 and monitoring for malware detections related to legitimate software systems. Disabling IPv6 can also help thwart attack attempts. Additionally, a well-segmented network can help limit the impact of adversary-in-the-middle attacks.
With Blackwood’s use of evasive tactics and sophisticated malware, it is clear that they pose a significant threat to organizations and individuals in China and Japan. As researchers and cybersecurity professionals continue to study and respond to this threat, the hope is that more effective ways of combating Blackwood’s insidious activities will be identified.

