
Chinese cyber attack conceals malicious backdoor through software updates


TLDR:

– A Chinese advanced persistent threat (APT) group known as “Blackwood” has been conducting cyber-espionage attacks against Chinese and Japanese targets since 2018.
– One of their key tools is a backdoor called NSPX30, which has been active since 2018 and is highly sophisticated.
– Blackwood has been able to hide its activities for over half a decade due to its use of invisible adversary-in-the-middle (AitM) attacks and its ability to conceal malware in legitimate software updates.

An advanced persistent threat (APT) group, known as “Blackwood,” has been conducting cyber-espionage attacks against Chinese and Japanese targets since 2018, according to researchers at cybersecurity firm ESET.

Blackwood has been able to remain undetected for over half a decade due to its use of invisible adversary-in-the-middle (AitM) attacks and its ability to conceal malware in legitimate software updates, such as those for popular tools like WPS Office, QQ instant messaging service, and Sogou Pinyin input method editor.

The group’s key tool is a sophisticated backdoor called NSPX30, which has been active since 2018. NSPX30 is a multistaged, multifunctional tool that can steal information, intercept network traffic, and establish a reverse shell. Its capabilities include stealing data about the system or network, files and directories, credentials, keystrokes, screengrabs, audio, chats, and contact lists from popular messaging apps like WeChat, Telegram, Skype, and Tencent QQ.

Blackwood’s ability to conceal its command-and-control infrastructure has contributed to its long run without detection. It achieves this by injecting its backdoor into legitimate software updates when certain programs attempt to download updates from corporate servers via unencrypted HTTP.

To defend against this threat, organizations are advised to ensure their endpoint protection tools block NSPX30 and to pay attention to malware detections related to legitimate software systems. Monitoring and blocking AitM attacks, such as ARP poisoning, and disabling IPv6 to thwart an IPv6 SLAAC attack are also recommended.
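The article names ARP poisoning and IPv6 SLAAC attacks as the adversary-in-the-middle (AitM) vectors to monitor for. The following is an added example, not code from ESET or from the article, showing the two detection rules a network sensor would apply: alert when the gateway IP is claimed by a MAC other than the known one (or any IP is claimed by more than one MAC), and alert when an IPv6 Router Advertisement arrives from a MAC that is not an authorized router. The ARP replies, router advertisements, addresses and MACs below are constructed sample data, and the `ArpReply`/`RouterAdvert` record shapes are assumptions about what a sensor would log.

```python
"""Detect ARP poisoning and rogue IPv6 router advertisements (SLAAC attacks),
the two AitM techniques the article says to monitor for.
Added example with constructed sample records; not from ESET or the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a sensor might log it (assumed record shape)."""
    ts: float
    ip: str
    mac: str


@dataclass(frozen=True)
class RouterAdvert:
    """One ICMPv6 Router Advertisement (assumed record shape)."""
    ts: float
    src_mac: str
    prefix: str


def detect_arp_poisoning(replies: Iterable[ArpReply], gateway_ip: str,
                         known_gateway_mac: str) -> List[str]:
    """Return alerts for (a) the gateway IP being claimed by an unexpected MAC
    and (b) any IP claimed by more than one MAC within the observed window."""
    macs_per_ip = defaultdict(set)
    alerts = []
    for r in replies:
        mac = r.mac.lower()
        if r.ip == gateway_ip and mac != known_gateway_mac.lower():
            alerts.append(f"{r.ts}: gateway {gateway_ip} claimed by unexpected MAC {r.mac}")
        macs_per_ip[r.ip].add(mac)
    for ip, macs in macs_per_ip.items():
        if len(macs) > 1:
            alerts.append(f"{ip} claimed by multiple MACs: {sorted(macs)}")
    return alerts


def detect_rogue_ra(ras: Iterable[RouterAdvert],
                    authorized_router_macs: Iterable[str]) -> List[str]:
    """Return an alert for every Router Advertisement whose source MAC is not
    one of the routers known to serve this segment."""
    allowed = {m.lower() for m in authorized_router_macs}
    return [f"{ra.ts}: RA for {ra.prefix} from unauthorized {ra.src_mac}"
            for ra in ras if ra.src_mac.lower() not in allowed]


# Constructed sample traffic: one legitimate gateway, one host, and one
# impostor that claims the gateway IP and also advertises an IPv6 prefix.
GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "aa:bb:cc:00:00:01"
SAMPLE_ARP = [
    ArpReply(1.0, "10.0.0.1", "aa:bb:cc:00:00:01"),   # legitimate gateway
    ArpReply(2.0, "10.0.0.25", "aa:bb:cc:00:00:25"),  # ordinary host
    ArpReply(3.0, "10.0.0.1", "de:ad:be:ef:00:01"),   # impostor claims gateway
    ArpReply(4.0, "10.0.0.25", "aa:bb:cc:00:00:25"),
]
SAMPLE_RA = [
    RouterAdvert(1.5, "aa:bb:cc:00:00:01", "2001:db8:1::/64"),    # real router
    RouterAdvert(3.5, "de:ad:be:ef:00:01", "2001:db8:bad::/64"),  # rogue RA
]


def run_sample():
    """Run both detectors over the constructed sample and return the alerts."""
    arp_alerts = detect_arp_poisoning(SAMPLE_ARP, GATEWAY_IP, GATEWAY_MAC)
    ra_alerts = detect_rogue_ra(SAMPLE_RA, [GATEWAY_MAC])
    return arp_alerts, ra_alerts


if __name__ == "__main__":
    for alert in [a for group in run_sample() for a in group]:
        print("ALERT:", alert)
```

The gateway-MAC rule fires immediately on the spoofed reply, while the multiple-MACs rule catches poisoning of any host even when the gateway is not the target. If IPv6 is left enabled rather than disabled as the article suggests, the rogue-RA rule is the corresponding check for a SLAAC attack.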
