A new threat actor known as Blackwood, aligned with China, has been identified in AitM attacks using the NSPX30 implant, as reported by Slovak cybersecurity firm ESET. The group has been active since at least 2018. NSPX30 is an advanced multistage implant deployed through the update mechanisms of well-known software, such as Tencent QQ and WPS Office. It targets Chinese and Japanese manufacturing, trading, and engineering companies, utilizing various components, including a backdoor, orchestrator, and loaders.
The NSPX30 implant facilitates packet interception, enabling operators to hide their infrastructure. It originates from a backdoor known as Project Wood, dating back to 2005, capable of bypassing Chinese anti-malware solutions. The recent NSPX30 version is delivered through compromised software updates using unencrypted HTTP, resulting in a system compromise. The orchestrator component, once executed, initiates a complex attack chain involving loaders and an installer library. The backdoor can perform activities like creating a reverse shell, capturing screenshots, logging keystrokes, and uninstalling itself.
ESET speculates that the dropper is delivered through compromised routers or network appliances, intercepting unencrypted HTTP traffic related to updates. The attackers are likely deploying a network implant in victims’ networks. The NSPX30 implant exhibits sophisticated evasion techniques, including an unusual User-Agent string masking its HTTP requests. The disclosure follows recent revelations of infrastructure linked to another Beijing-based cyber espionage group, Volt Typhoon, emphasizing the increasing sophistication and variety of cyber threats.
