Since 2018, a previously unknown Chinese threat actor has been using a novel backdoor in adversary-in-the-middle cyber-espionage attacks against Chinese and Japanese targets.
Blackwood and NSPX30

The sophistication of NSPX30 reflects nearly two decades of continuous development.
From Project Wood - which, at various points, was used to target a Hong Kong politician, and then targets in Taiwan, Hong Kong, and southeast China - came further variants, including 2008's DCM, which survived in malicious campaigns until 2018.
NSPX30, which first appeared that same year, is the culmination of that lineage.
The multistage, multifunctional tool consists of a dropper, a DLL installer, loaders, an orchestrator, and a backdoor; the orchestrator and the backdoor each come with their own sets of swappable plug-ins.
The name of the game is information theft: data about the system and network, files and directories, credentials, keystrokes, screenshots, audio, and chats and contact lists from popular messaging apps such as WeChat, Telegram, Skype, and Tencent QQ.
Among other capabilities, NSPX30 can establish a reverse shell, add itself to the allowlists of several Chinese antivirus products, and intercept network packets.
That last capability lets Blackwood hide where its command-and-control infrastructure actually sits, which may have contributed to its long run without detection.
A Backdoor Hidden in Software Updates

Blackwood's greatest trick also doubles as its greatest mystery.
To get NSPX30 onto a machine, Blackwood does not use any of the usual tricks such as phishing or compromised web pages.
Instead, when certain entirely legitimate programs request updates from their vendors' equally legitimate servers over unencrypted HTTP, Blackwood somehow arranges for the reply to carry the NSPX30 dropper. Because the update channel is plaintext HTTP with no integrity protection, the client has no way to tell the substituted reply from a genuine one.
In other words, this is not a SolarWinds-style supply chain breach of the vendor itself; the vendors' servers are not the point of compromise.
Instead, ESET speculates that Blackwood may be using network implants.
Such implants might live in vulnerable edge devices (routers, firewalls, and the like) inside the targeted networks, a technique common among other Chinese APTs, and from that position they could answer update requests on the vendor's behalf.
The software products whose plaintext update channels are being hijacked to deliver NSPX30 include WPS Office, the Tencent QQ instant messaging service, and the Sogou Pinyin input method editor.
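To make the weakness concrete, here is an added Python illustration. It is not ESET's code and not code from any of the products named above; hosts, payloads, the manifest and the proxy log lines are all constructed for the example. It models a vendor update server, an on-path attacker that rewrites the reply to a plaintext HTTP update request, a client that installs whatever arrives, a client that only installs a body matching a digest obtained from a trusted source, and a hunt over proxy log lines for executables fetched over plaintext HTTP. The digest check stands in for the code-signing verification a real updater should perform.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed fixtures for the example (not real hosts, files or hashes).
UPDATE_PATH = "/app/latest.bin"
LEGIT_PAYLOAD = b"MZ\x90\x00legitimate-update-2.1"   # stand-in for the vendor's real update
ROGUE_PAYLOAD = b"MZ\x90\x00attacker-dropper"        # stand-in for a backdoor dropper
EXECUTABLE_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/vnd.microsoft.portable-executable",
}


@dataclass
class HttpResponse:
    status: int
    content_type: str
    body: bytes


def origin_server(path: str) -> HttpResponse:
    """Stand-in for the vendor's legitimate update server."""
    if path == UPDATE_PATH:
        return HttpResponse(200, "application/octet-stream", LEGIT_PAYLOAD)
    return HttpResponse(404, "text/plain", b"not found")


def adversary_in_the_middle(path: str) -> HttpResponse:
    """Stand-in for a device on the network path (the kind of implant ESET
    speculates about). Everything passes through unchanged except the plaintext
    update request, whose reply is rewritten to carry the attacker's payload.
    Nothing in plaintext HTTP lets the client notice the swap."""
    resp = origin_server(path)
    if path == UPDATE_PATH and resp.status == 200:
        return HttpResponse(200, resp.content_type, ROGUE_PAYLOAD)
    return resp


def insecure_update(fetch) -> bytes:
    """A vulnerable updater: whatever comes back over HTTP is accepted as the
    update and handed to the installer."""
    resp = fetch(UPDATE_PATH)
    if resp.status != 200:
        raise RuntimeError("update download failed")
    return resp.body


# The expected digest must come from a trusted source (a TLS-protected, signed
# manifest or a value pinned in the client). A digest that itself arrives over
# plaintext HTTP could be rewritten by the same on-path attacker.
TRUSTED_MANIFEST = {"version": "2.1", "sha256": hashlib.sha256(LEGIT_PAYLOAD).hexdigest()}


def verified_update(fetch, manifest=TRUSTED_MANIFEST) -> bytes:
    """Hardened updater: the download channel may still be plaintext, but the
    body is installed only if it matches the trusted digest."""
    resp = fetch(UPDATE_PATH)
    if resp.status != 200:
        raise RuntimeError("update download failed")
    actual = hashlib.sha256(resp.body).hexdigest()
    if not hmac.compare_digest(actual, manifest["sha256"]):
        raise ValueError("update body does not match trusted digest; refusing to install")
    return resp.body


# Network-side hunt over constructed proxy log lines of the form
# "<timestamp> <client-ip> <method> <url> <status> <content-type> <bytes>".
PROXY_LOG = [
    "2024-01-22T09:14:03Z 10.0.0.12 GET http://update.example-updater.test/app/latest.bin 200 application/octet-stream 48213",
    "2024-01-22T09:14:05Z 10.0.0.12 GET https://cdn.example-updater.test/app/latest.bin 200 application/octet-stream 48213",
    "2024-01-22T09:15:11Z 10.0.0.31 GET http://intranet.test/index.html 200 text/html 1024",
    "2024-01-22T09:16:40Z 10.0.0.44 GET http://dl.example-ime.test/setup.exe 200 application/x-msdownload 9120004",
]


def hunt_plaintext_binary_downloads(lines):
    """Flag executables fetched over plaintext HTTP: each is a candidate for
    on-path substitution and deserves a look at which program made the request
    and whether the vendor also offers an HTTPS channel."""
    hits = []
    for line in lines:
        _ts, src, _method, url, status, ctype, _size = line.split()
        if status == "200" and url.startswith("http://") and ctype in EXECUTABLE_TYPES:
            hits.append((src, url))
    return hits


if __name__ == "__main__":
    print("insecure client, clean path:", insecure_update(origin_server))
    print("insecure client, attacker on path:", insecure_update(adversary_in_the_middle))
    print("verified client, clean path:", verified_update(origin_server))
    try:
        verified_update(adversary_in_the_middle)
    except ValueError as err:
        print("verified client, attacker on path:", err)
    for src, url in hunt_plaintext_binary_downloads(PROXY_LOG):
        print("hunt hit:", src, url)
```

The hardened client shows the fix that only the software vendor can ship (signed updates, ideally over TLS as well). A defender on the target network cannot change how WPS Office or QQ fetch their updates, so the hunt function is the part they can actually run: it lists hosts pulling executables over plaintext HTTP, which is the exact traffic an on-path implant would be rewriting.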
Disabling IPv6 can help thwart an IPv6 SLAAC attack, he adds.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 26 Jan 2024 21:05:04 +0000