Blackwood, APT group aligned with China, launches the NSPX30 implant


ESET researchers recently unveiled a highly sophisticated implant known as NSPX30, which has been linked to a newly identified advanced persistent threat (APT) group named Blackwood.

The findings, detailed in a post on the ESET blog on Wednesday, indicate that Blackwood has been actively engaged in cyberespionage since at least 2018.

From a technical perspective, the NSPX30 implant is delivered via adversary-in-the-middle (AitM) attacks, exploiting update requests for legitimate software such as Tencent QQ, WPS Office, and Sogou Pinyin.

Attackers use AitM techniques to hide the implant’s command and control (C2) servers by intercepting traffic, a method that has proven effective against Chinese and Japanese entities, as well as individuals in China, Japan and the United Kingdom.

The evolution of the NSPX30 implant can be traced back to a small backdoor known as Project Wood, identified in 2005 and developed to collect data on victims. NSPX30, now a multi-stage implant, consists of components such as a dropper, installer, loaders, orchestrator and a backdoor with associated plugins.

In particular, it allows attackers to intercept packets, thus helping to hide their infrastructure. It can also whitelist itself in various Chinese anti-malware solutions.


Blackwood, the APT group responsible for NSPX30, demonstrated an increase in malicious activity in 2020, primarily targeting systems in China. The victims include unidentified individuals in China and Japan, an unidentified Chinese-speaking individual connected to the network of a top public research university in the United Kingdom, a large manufacturing and trading company in China, and the Chinese office of a Japanese engineering and manufacturing company.

The implant is deployed when legitimate software attempts to download updates from servers using unencrypted HTTP protocols.
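A defender-side check for the delivery path described above, as an added example that is not taken from the ESET report: it scans web-proxy records for executable content fetched over plaintext HTTP, the condition an AitM position needs in order to swap an update for a payload. The log layout, host names, user agents and rows are constructed for illustration.

```python
import csv
import io
from urllib.parse import urlsplit

# Assumed (hypothetical) proxy log layout; every row below is constructed sample data.
FIELDS = ["time", "client", "user_agent", "url", "content_type", "magic_hex"]
SAMPLE_LOG = """\
2024-01-25T09:00:01Z,10.0.0.5,UpdaterA/1.0,http://update.example.test/client/patch.exe,application/octet-stream,4d5a9000
2024-01-25T09:00:07Z,10.0.0.5,UpdaterA/1.0,https://update.example.test/client/patch.exe,application/octet-stream,4d5a9000
2024-01-25T09:01:12Z,10.0.0.9,Mozilla/5.0,http://news.example.test/index.html,text/html,3c21444f
2024-01-25T09:02:30Z,10.0.0.7,UpdaterB/2.3,http://dl.example.test/ime/update.dat,text/plain,4d5a5000
2024-01-25T09:03:44Z,10.0.0.7,UpdaterB/2.3,http://dl.example.test/ime/version.xml,text/xml,3c3f786d
"""
EXEC_EXT = (".exe", ".dll", ".msi")


def is_pe(magic_hex):
    """True when the first response bytes carry the 'MZ' header of a Windows PE file."""
    return bytes.fromhex(magic_hex)[:2] == b"MZ"


def find_plaintext_executable_downloads(log_text):
    """Return one finding per executable response served over unencrypted HTTP."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        url = urlsplit(row["url"])
        if url.scheme != "http":
            continue  # TLS-protected fetches are outside this check
        pe = is_pe(row["magic_hex"])
        exec_name = url.path.lower().endswith(EXEC_EXT)
        if not (pe or exec_name):
            continue
        reasons = ["executable over plaintext HTTP"]
        if pe and not exec_name:
            reasons.append("PE body behind non-executable file name")
        if pe and row["content_type"].startswith("text/"):
            reasons.append("PE body with text Content-Type")
        findings.append({"time": row["time"], "client": row["client"],
                         "agent": row["user_agent"], "host": url.hostname,
                         "path": url.path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_executable_downloads(SAMPLE_LOG):
        print(finding)
```

Each finding identifies an updater whose payload an on-path party could replace; the durable fix is moving that update channel to HTTPS with signature verification of the downloaded file.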

ESET telemetry revealed that NSPX30 leverages the AitM capability to intercept packets, potentially via a network implant, effectively concealing the location of the attackers' C2 infrastructure.

“The 2005 Project Wood implant appears to be the work of developers experienced in malware development, given the techniques involved, leading us to believe we have yet to uncover more of the story of the all-important backdoor,” wrote ESET malware researcher Facundo Munoz in the notice.
