ESET published an extensive report shedding light on a new, sophisticated cyberespionage campaign orchestrated by a previously undisclosed China-aligned threat actor dubbed “Blackwood”.
The threat actor is believed to have been operating since at least 2018, using a sophisticated implant named “NSPX30” delivered via adversary-in-the-middle (AitM) attacks hijacking update requests from legitimate software. The targets included Chinese and Japanese companies, as well as individuals located in China, Japan, and the UK.
ESET researchers identified NSPX30 being delivered through compromised updates of popular Chinese applications, including Tencent QQ, Sogou Pinyin, and WPS Office.
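The delivery mechanism described above works because the update client accepts whatever bytes come back for its update request. The following added example (not code from ESET or from the report) shows the defender-side check that defeats that substitution: the update client holds an out-of-band manifest with a pinned SHA-256 for the release, refuses plaintext transport, and compares the downloaded payload against the pin in constant time. The manifest, the genuine and substituted installer bytes, the hostname and the "channel" callables that stand in for an honest network path and an adversary-in-the-middle path are all constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlparse


@dataclass(frozen=True)
class UpdateManifest:
    """Release metadata obtained out of band (e.g. shipped with the app, or signed).
    The hash pin is what lets the client notice a substituted download."""
    url: str
    sha256_hex: str


# Constructed sample payloads: the vendor's real installer and an attacker's replacement.
GENUINE_INSTALLER = b"example-app-1.2.3 genuine installer bytes"
TAMPERED_INSTALLER = b"example-app-1.2.3 installer with an implant stapled on"

# Constructed manifest for the release; the pin is computed from the genuine bytes.
MANIFEST = UpdateManifest(
    url="https://updates.example.invalid/example-app-1.2.3.exe",  # hypothetical host
    sha256_hex=hashlib.sha256(GENUINE_INSTALLER).hexdigest(),
)

# A "channel" models the network path between client and update server.
Channel = Callable[[str], bytes]


def honest_channel(url: str) -> bytes:
    """No interference: the client receives the vendor's installer."""
    return GENUINE_INSTALLER


def aitm_channel(url: str) -> bytes:
    """Simulated adversary-in-the-middle: the request reaches the client with the
    expected URL, but the body has been swapped for the attacker's file."""
    return TAMPERED_INSTALLER


def transport_is_acceptable(url: str) -> bool:
    """Reject update URLs that are not HTTPS; plaintext requests are trivially
    rewritable by anyone positioned on the path."""
    return urlparse(url).scheme == "https"


def payload_matches_pin(payload: bytes, manifest: UpdateManifest) -> bool:
    """Constant-time comparison of the download's SHA-256 against the pinned value."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, manifest.sha256_hex)


def apply_update(channel: Channel, manifest: UpdateManifest) -> str:
    """Fetch the update through `channel` and return 'installed' only when both
    the transport and the content check pass; otherwise return a reason string."""
    if not transport_is_acceptable(manifest.url):
        return "rejected: update URL is not HTTPS"
    payload = channel(manifest.url)
    if not payload_matches_pin(payload, manifest):
        return "rejected: download does not match pinned SHA-256"
    return "installed"


if __name__ == "__main__":
    print("honest path:", apply_update(honest_channel, MANIFEST))
    print("AitM path:  ", apply_update(aitm_channel, MANIFEST))
```

The point of the pin is that it must not travel over the same channel as the download; a hash fetched from the server being impersonated is worth nothing. In practice vendors use signed manifests or code signing for this, but the control flow is the same: verify before execute, and treat a mismatch as an incident signal rather than a retry.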
The researchers said they first observed NSPX30 in 2020 while analyzing a surge in malware in China and were able to trace the evolution of the implant back to a small backdoor from 2005 dubbed “Project Wood”, designed to collect data from its victims.
“Interestingly, the Project Wood implant from 2005 appears to be the work of developers with experience in malware development, given the techniques implemented, leading us to believe that we are yet to discover more about the history of the primordial backdoor,” the experts noted.
NSPX30 is a multistage implant made up of several components: a dropper, an installer, loaders, an orchestrator, and a backdoor. The orchestrator and the backdoor each have their own set of plugins.
NSPX30's capabilities include packet interception, which allows Blackwood operators to hide their infrastructure. The implant can also add itself to the allowlists of various Chinese antimalware solutions, enabling it to operate undetected on compromised systems.
The researchers believe that Blackwood is also capable of concealing the location of its command-and-control (C2) servers by intercepting traffic generated by the implanted malware.
While the initial access method used by Blackwood remains unknown, ESET researchers speculate that the threat actors may deploy a network implant in victims' networks, possibly targeting vulnerable network devices such as routers or gateways.