China-Aligned APT Group Blackwood Unleashes NSPX30 Implant

ESET researchers have recently unveiled a highly sophisticated implant known as NSPX30, which has been linked to a newly identified Advanced Persistent Threat (APT) group named Blackwood.

The findings, detailed in a Wednesday publication on the ESET blog, indicate that Blackwood has been actively engaged in cyber-espionage since at least 2018.

From a technical standpoint, the NSPX30 implant is delivered through adversary-in-the-middle (AitM) attacks that hijack update requests from legitimate software such as Tencent QQ, WPS Office and Sogou Pinyin.

The attackers employ AitM techniques to hide the implant’s command-and-control (C2) servers by intercepting traffic, a method that proved effective against Chinese and Japanese entities, as well as individuals in China, Japan and the United Kingdom.

The evolution of the NSPX30 implant can be traced back to a small backdoor known as Project Wood, which was identified in 2005 and developed to collect data from victims. NSPX30, now a multistage implant, consists of a dropper, an installer, loaders, an orchestrator and a backdoor with associated plugins.

Notably, it enables the attackers to conduct packet interception, aiding in concealing their infrastructure. It can also whitelist itself in various Chinese anti-malware solutions.

Blackwood, the APT group responsible for NSPX30, demonstrated a surge in malicious activity in 2020, mainly targeting systems in China. Victims include unidentified individuals in China and Japan, an unidentified Chinese-speaking individual connected to the network of a high-profile public research university in the UK, a large manufacturing and trading company in China, and the Chinese office of a Japanese corporation in engineering and manufacturing.

The implant is deployed when legitimate software attempts to download updates from its vendor's servers over unencrypted HTTP.

ESET telemetry revealed that NSPX30 leverages the AitM capability to intercept packets, potentially through a network implant, effectively concealing the location of its C2 infrastructure.
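The delivery path described above depends on update clients fetching binaries over cleartext HTTP, which is exactly the traffic a network-level AitM can tamper with. A simple defensive check is to scan web-proxy logs for executable downloads that did not use HTTPS. The script below is an added example written for this article, not code from ESET or from the Blackwood report; the log format, the client addresses and the `.test` domains are constructed for illustration, and the `RISKY_EXT` list is an assumption about which file types an update client would run.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real telemetry). Format assumed here:
# "<timestamp> <client_ip> <method> <url> <status> <bytes>"
SAMPLE_LOG = """\
2024-01-24T10:01:02Z 10.0.0.15 GET http://update.example-vendor.test/qq/QQUpdate.exe 200 5242880
2024-01-24T10:01:05Z 10.0.0.15 GET https://update.example-vendor.test/qq/version.json 200 512
2024-01-24T10:02:11Z 10.0.0.22 GET http://dl.example-office.test/wps/setup.msi 200 7340032
2024-01-24T10:03:30Z 10.0.0.22 GET http://www.example-news.test/index.html 200 10240
2024-01-24T10:04:44Z 10.0.0.31 GET http://ime.example-input.test/sogou/patch.dll 200 204800
"""

# File types an update client is likely to execute or unpack and run (assumption).
RISKY_EXT = {".exe", ".dll", ".msi", ".cab", ".zip", ".7z"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    """Parse one constructed proxy log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, size = m.groups()
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "bytes": int(size),
    }


def is_cleartext_binary_download(entry):
    """True when the request fetched a risky file type over plain HTTP."""
    u = urlparse(entry["url"])
    if u.scheme.lower() != "http":
        return False
    path = u.path.lower()
    return any(path.endswith(ext) for ext in RISKY_EXT)


def find_cleartext_downloads(log_text):
    """Return the parsed entries that represent AitM-exposed update downloads."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_cleartext_binary_download(entry):
            findings.append(entry)
    return findings


def clients_at_risk(log_text):
    """Sorted list of client IPs that pulled at least one binary over cleartext HTTP."""
    return sorted({e["client"] for e in find_cleartext_downloads(log_text)})


if __name__ == "__main__":
    for f in find_cleartext_downloads(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} fetched {f['url']} over cleartext HTTP ({f['bytes']} bytes)")
    print("clients at risk:", ", ".join(clients_at_risk(SAMPLE_LOG)))
```

Hits from this check are not proof of compromise; they identify the hosts and update clients whose download path an on-path attacker could abuse, which is the population to prioritise for enforcing HTTPS updates, verifying publisher signatures on downloaded binaries, or blocking cleartext executable downloads at the proxy.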

“The Project Wood implant from 2005 appears to be the work of developers with experience in malware development, given the techniques implemented, leading us to believe that we are yet to discover more about the history of the primordial backdoor,” wrote ESET malware researcher Facundo Muñoz in the advisory.