Threat Advisory

China-backed Hackers Hijack Software Updates to Implant NSPX30 Spyware

Threat: Malware
Criticality: High

Summary:

Researchers have uncovered a cyberespionage campaign run by a previously undisclosed China-aligned threat actor, named Blackwood. Operating since at least, Blackwood conducts targeted attacks against Chinese and Japanese individuals and companies. The core of its tradecraft is delivering an advanced implant, identified as NSPX30, through adversary-in-the-middle (AitM) attacks: Blackwood intercepts the update requests of legitimate software such as Tencent QQ, WPS Office, and Sogou Pinyin and answers them with NSPX30, turning a trusted software update mechanism into a covert infiltration channel. The referenced research covers the technical details of the NSPX30 implant and its evolution, along with the broader tactics employed by the Blackwood APT group.


NSPX30 is a multistage implant made up of a dropper, an installer, loaders, an orchestrator, and a backdoor. Blackwood's command of network interception lets it hijack update requests from legitimate software and return the implant in place of the expected update. The implant was observed in targeted attacks against Chinese and Japanese entities, and against individuals in China, Japan, and the United Kingdom. The researchers traced NSPX30's lineage back to a small backdoor named Project Wood, which shows the longevity and continuous development of Blackwood's tooling. Systems are compromised when legitimate software, including Tencent QQ, Sogou Pinyin, and WPS Office, requests an update from its genuine server over unencrypted HTTP: the attackers intercept the cleartext exchange and substitute NSPX30 for the real update. Because the interception happens in the network path rather than on the update server, the genuine server and the client both look normal to an observer, which points to a network implant inside the victims' networks, possibly on vulnerable network appliances such as routers or gateways.
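The delivery pattern above leaves a hunting signal in network telemetry: an updater pulling a Windows executable over cleartext HTTP, and receiving a binary the vendor never published. The script below is an added example, not code from the original advisory or from the researchers; it runs over constructed log rows modeled on a subset of Zeek's http.log and files.log fields. The update hostnames, file hashes and "known-good" allowlist are all hypothetical.

```python
"""Hunt for cleartext update fetches that deliver an unexpected executable.

Added example (stdlib only).  Log rows are constructed and modeled on a subset
of Zeek http.log / files.log fields; hostnames and hashes are hypothetical.
"""
from typing import Dict, List

# Hypothetical update hosts standing in for the kind of software named above
# (not the vendors' real hostnames).
UPDATE_HOSTS = {
    "update.qq-example.test",
    "dl.wps-example.test",
    "pinyin.sogou-example.test",
}

# MIME types Zeek's file analysis assigns to Windows executables.
EXECUTABLE_MIME = {"application/x-dosexec", "application/x-msdownload"}

# Constructed allowlist of SHA-256 values the vendor is known to have shipped.
# In practice this comes from the vendor's published hashes or from binaries
# whose Authenticode signature chains to the vendor.
KNOWN_GOOD_SHA256 = {
    "8d3b6f0c9a1e2b4d5f6a7c8e9b0d1f2a3c4e5b6d7f8a9c0e1b2d3f4a5c6e7b8d",
}

# Constructed http.log-style rows: a version check (JSON), a genuine update
# binary, and a substituted update binary.
SAMPLE_HTTP_LOG = """\
ts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\thost\turi\tresp_mime_types\tresp_fuids
1706000000.10\tCa1\t10.0.0.5\t203.0.113.10\t80\tupdate.qq-example.test\t/check?v=9.7.1\tapplication/json\t-
1706000001.20\tCa2\t10.0.0.5\t203.0.113.10\t80\tupdate.qq-example.test\t/QQUpdate.exe\tapplication/x-dosexec\tFa2
1706000002.30\tCa3\t10.0.0.7\t203.0.113.20\t80\tdl.wps-example.test\t/wps_update.exe\tapplication/x-dosexec\tFa3
"""

# Constructed files.log-style rows for the two extracted executables.
SAMPLE_FILES_LOG = """\
ts\tfuid\tconn_uids\tmime_type\tfilename\tsha256
1706000001.25\tFa2\tCa2\tapplication/x-dosexec\tQQUpdate.exe\t8d3b6f0c9a1e2b4d5f6a7c8e9b0d1f2a3c4e5b6d7f8a9c0e1b2d3f4a5c6e7b8d
1706000002.35\tFa3\tCa3\tapplication/x-dosexec\twps_update.exe\tc0ffee001122334455667788 99aabbccddeeff00a1b2c3d4e5f6a7b8c9d0e1f2
"""


def parse_tsv(text: str) -> List[Dict[str, str]]:
    """Parse a header-first, tab-separated log into one dict per row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def detect(http_rows: List[Dict[str, str]],
           file_rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per cleartext executable update; raise severity when
    the delivered binary's hash is not on the vendor allowlist."""
    files_by_fuid = {f["fuid"]: f for f in file_rows}
    alerts: List[Dict[str, str]] = []
    for h in http_rows:
        # Port 80 is the observable cleartext channel; an inline network
        # implant can rewrite these responses without the server IP or
        # hostname looking wrong, so only the delivered content can be judged.
        if h["id.resp_p"] != "80" or h["host"] not in UPDATE_HOSTS:
            continue
        if not set(h["resp_mime_types"].split(",")) & EXECUTABLE_MIME:
            continue
        alert = {
            "uid": h["uid"], "host": h["host"], "uri": h["uri"],
            "severity": "medium",
            "reason": "executable delivered over cleartext HTTP update channel",
        }
        for fuid in h["resp_fuids"].split(","):
            f = files_by_fuid.get(fuid)  # "-" means no extracted file
            if f is not None and f["sha256"] not in KNOWN_GOOD_SHA256:
                alert["severity"] = "high"
                alert["sha256"] = f["sha256"]
                alert["reason"] = ("update binary hash not on vendor allowlist: "
                                   "possible AitM substitution")
        alerts.append(alert)
    return alerts


def run() -> List[Dict[str, str]]:
    """Run the detection over the constructed sample logs."""
    return detect(parse_tsv(SAMPLE_HTTP_LOG), parse_tsv(SAMPLE_FILES_LOG))


if __name__ == "__main__":
    for a in run():
        print(a["severity"].upper(), a["uid"], a["host"] + a["uri"], a["reason"])
```

Two things to keep in mind when adapting this: the hash allowlist is only as good as the vendor hash feed behind it, so in practice the high-severity branch is better driven by Authenticode verification of the extracted file than by a static list; and the medium alert will fire on every genuine update for a product that still ships over plain HTTP, which is itself the finding worth escalating to the software owner.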

Blackwood's campaign demonstrates extensive capability both in conducting AitM attacks and in hiding its C&C infrastructure. Using a legitimate software update mechanism as the delivery vector, combined with the implant's ability to evade antimalware solutions, makes the intrusion hard to notice from the endpoint alone. Defenders should therefore treat any updater that fetches binaries over plain HTTP as an exposed channel: moving it to TLS with certificate validation removes this particular interception vector, and having the client verify the vendor's signature on every update before executing it is the durable control, since an inline network implant cannot forge a signature for a key it does not hold. The historical analysis of Project Wood suggests that further research may uncover additional facets of this threat actor's capabilities and tactics.

Threat Profile:


References:

The following report contains further technical details:

https://thehackernews.com/2024/01/china-backed-hackers-hijack-software.html
