Hackers from China set their sights on the West: what did Blackwood hide in its NSPX30 modular malware?

Brother

Attackers bypass antivirus programs and permanently gain a foothold in their victims' systems.

The Slovak company ESET discovered the activities of a previously unknown hacking group associated with China and assigned it the code name Blackwood. The group has been active since 2018 and specializes in adversary-in-the-middle (AitM) attacks, intercepting update requests from legitimate software in order to deliver a complex implant known as NSPX30.

The NSPX30 implant is found in the update mechanisms of well-known programs such as Tencent QQ, WPS Office, and Sogou Pinyin. The attacks targeted manufacturing, retail, and engineering companies, as well as individuals in China, Japan, and the United Kingdom.

NSPX30 is a multi-stage implant consisting of a dropper, an installer, a loader, an orchestrator and a backdoor, each with its own set of plugins, according to security researcher Facundo Munoz.

The implant is capable of intercepting data packets, which allows NSPX30 operators to hide their infrastructure. The backdoor is also able to bypass a whole host of antivirus solutions by adding itself to the whitelist.

The origin of the backdoor is related to another malware called Project Wood (2005), which was used to collect system and network information, record keystrokes, and create screenshots on infected systems.

NSPX30 is activated when attempts are made to download software updates from legitimate servers over the unencrypted HTTP protocol, which leads to system compromise and malicious DLL deployment.

A malicious dropper delivered during the hijacked update process creates several files on disk and runs "RsStub.exe", which in turn loads "comx3.dll" via DLL sideloading.

The NSPX30 orchestrator creates two threads for getting the backdoor and loading its plugins, and also adds exceptions to bypass Chinese antivirus solutions.

The backdoor is downloaded via an HTTP request to the site of the Chinese search engine Baidu, with the request disguised as coming from Internet Explorer on Windows 98. The server's response is then saved to a file, from which the backdoor component is extracted and loaded.
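As an added detection example (not from the article or from ESET's research), the following Python scans constructed proxy log lines for the two network-level traits described above: software updates fetched over cleartext HTTP, and a browser User-Agent claiming an obsolete OS such as Windows 98 on a modern host. The log format, hostnames, the "update" hostname heuristic and the User-Agent string are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic). Format per line:
# <client_ip> <method> <url> "<user-agent>"
SAMPLE_LOG = """\
10.0.0.5 GET http://update.example-vendor.invalid/qq/latest.xml "QQ/9.7 UpdateClient"
10.0.0.5 GET http://www.baidu.com/ "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
10.0.0.7 GET https://www.baidu.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
10.0.0.9 GET http://update.example-vendor.invalid/wps/manifest "WPS Office Updater"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
# Operating systems no modern endpoint should be reporting in a browser UA.
OBSOLETE_OS_RE = re.compile(r"Windows (95|98|ME|NT 4\.0)\b", re.IGNORECASE)


@dataclass
class Finding:
    client: str
    url: str
    reason: str


def analyze(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious request in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        client, _method, url, ua = m.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Trait 1: an update fetched over plain HTTP can be tampered with by an
        # on-path attacker (the AitM technique used to deliver NSPX30).
        # Assumption: update hosts are recognised by "update" in the hostname.
        if parts.scheme == "http" and "update" in host:
            findings.append(Finding(client, url, "software update fetched over cleartext HTTP"))
        # Trait 2: a UA claiming an obsolete OS is inconsistent with the fleet.
        if OBSOLETE_OS_RE.search(ua):
            findings.append(Finding(client, url, "user-agent claims obsolete OS: " + ua))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.client} {f.url} -> {f.reason}")
```

Feeding the same check real proxy or web-filter logs would require adapting LINE_RE to that product's format; the two traits themselves stay the same.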

NSPX30 also creates a passive UDP socket for receiving commands from the controller and exfiltrating data, probably intercepting DNS request packets to anonymize its C2 infrastructure.

Backdoor commands allow the operators to open a reverse shell, collect information about files, terminate selected processes, take screenshots, log keystrokes, and even remove the implant from an infected machine.

This discovery is an important reminder that cyber threats are constantly evolving and require continuous attention and improvement of defense mechanisms by organizations around the world, especially in the field of critical infrastructure.