A Chinese cyberespionage group targeting organizations and individuals in China and Japan has remained under the radar for roughly five years, cybersecurity firm ESET reports.
Tracked as Blackwood and active since at least 2018, the advanced persistent threat (APT) actor has been using adversary-in-the-middle (AitM) attacks to deploy a sophisticated implant via the update mechanisms of legitimate software such as Sogou Pinyin, Tencent QQ, and WPS Office.
Blackwood attacks are characterized by the deployment of NSPX30, a sophisticated implant that includes a backdoor, a dropper, installers, loaders, and an orchestrator, and which can hide its command-and-control (C&C) communication through packet interception.
NSPX30 has been used against a small number of victims, including individuals in China and Japan, a Chinese-speaking individual linked to a British research university, a manufacturing and trading business in China, and a Japanese engineering and manufacturing firm.
The NSPX30 implant, ESET says, appears to be the successor of a 2005 backdoor dubbed Project Wood that has served as a code base for various implants, including the 2008 DCM (aka Dark Specter), from which NSPX30 is derived.
Public reporting shows that Project Wood was used in several attacks in the past, including a 2011 incident targeting a political figure from Hong Kong via spearphishing. The malware featured a loader and a backdoor that could collect system and network details, log keystrokes, and take screenshots.
Malware derived from the backdoor and featuring capabilities seen in DCM was also used in a 2014 cyberespionage campaign dubbed TooHash, which ESET attributes to the Gelsemium APT.
The same as DCM, NSPX30 relies on AitM attacks for delivery and can also allowlist itself in several Chinese antimalware solutions. However, it has a different component configuration, with operations divided into two stages and DCM’s code split into smaller components.
According to ESET, Blackwood likely deploys an implant on the victims’ networks, possibly on vulnerable routers and gateways, and then uses it to intercept unencrypted HTTP traffic related to updates and deliver NSPX30’s dropper instead.
When launched, the backdoor creates a passive UDP listening socket with a port assigned by the operating system. The same port is likely used both for listening for commands and for data exfiltration, with the network implant responsible for forwarding the packets.
“We have observed victims located outside of China – that is, in Japan and the United Kingdom – against whom the orchestrator was able to deploy the backdoor. The attackers then sent commands to the backdoor to download plugins; for example, the victim from the UK received two plugins designed to collect information and chats from Tencent QQ. Therefore, we know that the AitM system was in place and working, and we must assume that the exfiltration mechanism was as well,” ESET notes.