A Chinese cyberespionage group targeting organizations and individuals in China and Japan has remained under the radar for roughly five years, cybersecurity firm ESET reports.
Tracked as Blackwood and active since at least 2018, the advanced persistent threat actor has been using adversary-in-the-middle attacks to deploy a sophisticated implant via the update mechanisms of legitimate software such as Sogou Pinyin, Tencent QQ, and WPS Office.
Blackwood attacks are characterized by the deployment of NSPX30, a sophisticated implant that includes a backdoor, a dropper, installers, loaders, and an orchestrator, and which can hide its command-and-control communication through packet interception.
NSPX30 has been used against a small number of victims, including individuals in China and Japan, a Chinese-speaking individual linked to a British research university, a manufacturing and trading business in China, and a Japanese engineering and manufacturing firm.
The NSPX30 implant, ESET says, appears to be the successor of a 2005 backdoor dubbed Project Wood that has served as a code base for various implants, including the 2008 DCM, from which NSPX30 is derived.
Public reporting shows that Project Wood was used in several attacks in the past, including a 2011 incident targeting a political figure from Hong Kong via spearphishing.
The malware featured a loader and a backdoor that could collect system and network details, log keystrokes, and take screenshots.
Malware derived from the backdoor and featuring capabilities seen in DCM was also used in a 2014 cyberespionage campaign dubbed TooHash, which ESET attributes to the Gelsemium APT. The same as DCM, NSPX30 relies on AitM attacks for delivery and can also allowlist itself in several Chinese antimalware solutions.
It has a different component configuration, with operations divided into two stages and DCM's code split into smaller components.
According to ESET, Blackwood likely deploys an implant on the victims' networks, possibly on vulnerable routers and gateways, and then uses it to intercept unencrypted HTTP traffic related to updates and deliver NSPX30's dropper instead. When launched, the backdoor creates a passive UDP listening socket with a port assigned by the operating system.
The same port is likely used both for listening for commands and for data exfiltration, with the network implant responsible for forwarding the packets.
This Cyber News was published on www.securityweek.com. Publication date: Fri, 26 Jan 2024 12:13:15 +0000