Blackwood Hackers Use AitM to Hijack WPS Office Update and Install NSPX30 Malware

Written by Gabby Lee

January 26, 2024


The ‘Blackwood hackers’ have been engaging in cyberespionage attacks since 2018 and employ a highly sophisticated malware called NSPX30.

Interestingly, the NSPX30 malware is built upon an older backdoor code from 2005, suggesting that the adversary has evolved their tactics over time. These attacks often involve adversary-in-the-middle (AitM) techniques.

Blackwood Hackers and the NSPX30 Implant

In a recent campaign, researchers at cybersecurity firm ESET made a significant discovery regarding Blackwood and the NSPX30 implant.

They believe that the activities of this group align with the interests of the Chinese state. Blackwood primarily targets entities in China, Japan, and the United Kingdom. Notably, the malware is delivered through the update mechanisms of legitimate software such as WPS Office, Tencent QQ instant messaging platform, and Sogou Pinyin document editor.

Based on the research conducted by ESET, the threat actor known as Blackwood employs adversary-in-the-middle (AitM) attacks to intercept and manipulate the traffic generated by NSPX30.

This technique allows them to conceal their activities and obscure the command and control (C2) servers. ESET further highlights that Blackwood may potentially collaborate with other Chinese APT groups.

This suspicion arises from their observation of multiple actors, such as Evasive Panda, LuoYu, and LittleBear, targeting the same company using different toolkits.

The NSPX30 Malware Origin and Evolution

The NSPX30 implant is an advanced malware that traces its origins back to a 2005 backdoor called ‘Project Wood’.

This earlier version of the malware had basic functionalities like system data collection, keylogging, and capturing screenshots. Notably, ‘Project Wood’ also gave rise to other implants, one of which is DCM (Dark Specter). DCM was first detected in 2008 and featured several functional enhancements compared to its predecessor.

Technical Details of NSPX30 Malware

ESET speculates that NSPX30 is an evolution of DCM, and the first documented sample of NSPX30 dates back to 2018.

Unlike its predecessors, NSPX30 stands out due to its sophisticated multistage architecture. This architecture consists of various components, including a dropper, a DLL installer with advanced User Account Control (UAC) bypass capabilities, a loader, an orchestrator, and a backdoor. Each component is equipped with its own set of plugins, further enhancing the malware’s capabilities.

The NSPX30 malware showcases remarkable technical sophistication, employing various techniques to operate discreetly. It includes packet interception capabilities to conceal its infrastructure effectively. Additionally, NSPX30 utilizes mechanisms that enable it to be added to allowlists of Chinese anti-malware tools, allowing it to avoid detection.

The main purpose of NSPX30 is to gather information from compromised systems. This includes collecting files, capturing screenshots, logging keystrokes, obtaining hardware and network data, and acquiring credentials.

In addition, the NSPX30 backdoor has the capability to pilfer chat logs and contact lists from various messaging platforms, including Tencent QQ, WeChat, Telegram, Skype, CloudChat, RaidCall, YY, and AliWangWang.

Moreover, the backdoor has the ability to terminate processes using their process IDs (PIDs), establish a reverse shell connection, move files to specific locations, or even uninstall itself from the compromised system. These functionalities provide the threat actor with extensive control over the infected system.

NSPX30 Malware Uses AitM Attacks to Intercept Communications  

One notable aspect of Blackwood’s operations is their method of delivering the NSPX30 malware. Rather than conducting a typical supply-chain compromise, the Blackwood hackers intercept unencrypted HTTP communications between the victim’s system and the legitimate software’s update server.

By intervening in this communication, they are able to deliver the NSPX30 implant instead of the legitimate update requested by the user. This approach allows them to bypass traditional security measures and carry out their malicious activities.
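
A defender-side check for the delivery path described above, as an added example that is not from the article or ESET's report: it scans web-proxy records for Windows executables fetched over plaintext HTTP, using PE magic bytes as well as extension and content type so a payload served under a harmless name is still flagged. The log format, hostnames and addresses are constructed for illustration.

```python
import csv
import io

# Constructed proxy-log sample (not from the ESET report). Columns:
# time, client, scheme, host, path, content_type, first response bytes (hex).
SAMPLE_LOG = """\
2024-01-20T09:14:02Z,10.0.4.17,http,update.vendor-a.example,/client/patch_2031.exe,application/octet-stream,4d5a9000
2024-01-20T09:14:40Z,10.0.4.17,https,update.vendor-b.example,/setup/full.exe,application/x-msdownload,
2024-01-20T09:15:11Z,10.0.4.22,http,update.vendor-a.example,/client/version.xml,text/xml,3c3f786d
2024-01-20T09:16:30Z,10.0.4.31,http,cdn.vendor-c.example,/im/res/skin.dat,text/plain,4d5a5000
2024-01-20T09:17:05Z,10.0.4.31,http,news.example,/index.html,text/html,3c21444f
"""

EXEC_EXTENSIONS = (".exe", ".dll", ".msi", ".cab")
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec",
              "application/vnd.microsoft.portable-executable"}
PE_MAGIC = "4d5a"  # "MZ", the first two bytes of a Windows PE file


def executable_evidence(path, content_type, magic_hex):
    """Return the reasons a response looks like a Windows executable."""
    reasons = []
    if path.lower().split("?")[0].endswith(EXEC_EXTENSIONS):
        reasons.append("extension")
    if content_type.lower() in EXEC_TYPES:
        reasons.append("content-type")
    if magic_hex.lower().startswith(PE_MAGIC):
        reasons.append("pe-magic")
    return reasons


def plaintext_executable_downloads(log_text):
    """Flag executables fetched over unencrypted HTTP, the channel an AitM can rewrite."""
    findings = []
    fields = ["time", "client", "scheme", "host", "path", "ctype", "magic"]
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        if row["scheme"].lower() != "http":
            continue  # encrypted fetches are out of scope for this check
        reasons = executable_evidence(row["path"], row["ctype"], row["magic"] or "")
        if reasons:
            findings.append((row["client"], row["host"], row["path"], reasons))
    return findings


if __name__ == "__main__":
    for client, host, path, reasons in plaintext_executable_downloads(SAMPLE_LOG):
        print(f"{client} fetched http://{host}{path} ({', '.join(reasons)})")
```

Hits from this kind of check are a starting point for review: they identify which updaters still use a channel that can be rewritten in transit, not which downloads were actually tampered with.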

The precise method employed by Blackwood to intercept the traffic remains unknown. ESET speculates that they may achieve this by deploying an implant within the networks of their targets, potentially exploiting vulnerabilities in routers or gateways.

Based on ESET’s analysis, it appears that the original backdoor that served as the foundation for the development of the NSPX30 custom implant was created by highly skilled malware developers.

ESET’s report offers comprehensive technical insights into the workings of the malware and provides a list of indicators of compromise, empowering defenders to safeguard their environments.
