Blackwood hackers hijacked WPS Office updates to install malware

A previously unknown group of attackers, tracked as Blackwood, is using a sophisticated implant called NSPX30 for cyberespionage attacks against companies and individuals.

The group has been active since at least 2018. Its tool, NSPX30, is an implant whose code descends from a simple backdoor dating back to 2005, and it is delivered through adversary-in-the-middle (AitM) attacks.

Researchers at a cybersecurity company discovered Blackwood and the NSPX30 implant while investigating a campaign in 2020, and they assess that the group's activities align with Chinese state interests.

Blackwood's targets are located in China, Japan and the UK. The malware was delivered through the update mechanisms of legitimate software: the WPS Office suite, Tencent's QQ instant messaging platform, and the Sogou Pinyin input method editor.

According to the researchers, Blackwood's AitM capability also extends to the traffic NSPX30 itself generates: the group intercepts it, which conceals both the implant's activity and the location of its command and control (C2) servers.

The experts also note that Blackwood may share access to victims with other China-aligned APT groups: on one company's system the researchers found toolkits associated with several actors, including Evasive Panda, LuoYu and LittleBear.

Origin and evolution of NSPX30

NSPX30 is a sophisticated implant whose code traces back to a backdoor from 2005 called "Project Wood", which had rudimentary capabilities for collecting system information, keylogging and taking screenshots.

Other implants that grew out of Project Wood include DCM (also known as Dark Specter), first seen in 2008, which added many functional improvements.

The experts believe that NSPX30 descends from DCM; the earliest known NSPX30 sample dates from 2018.

Unlike its predecessors, NSPX30 has a multi-stage architecture made up of a dropper, a DLL installer with extensive UAC bypass capabilities, a downloader, an orchestrator, and a backdoor; the orchestrator and the backdoor each have their own set of plugins.

NSPX30's most significant technical advance is its packet interception capability, which lets it hide its infrastructure and operate covertly. It also adds itself to the allow lists of several Chinese anti-malware products to avoid detection.

The main function of NSPX30 is to collect information from the compromised system: files, screenshots, keystrokes, hardware and network details, and credentials.

The backdoor can also steal chat logs and contact lists from Tencent QQ, WeChat, Telegram, Skype, CloudChat, RaidCall, YY and AliWangWang.

The backdoor can also terminate processes by PID, open a reverse shell, move files to specified paths, or remove itself from the infected system.

AitM attacks

A notable aspect of Blackwood's operation is how it delivers NSPX30: it intercepts the update requests made by legitimate software, including Tencent QQ, WPS Office and Sogou Pinyin, and answers them with the implant.

This is not a supply chain compromise in the usual sense: the vendors' update servers are not breached. Because these updaters talk to their servers over unencrypted HTTP, Blackwood can intercept the traffic between the victim's system and the update server and substitute its own response, delivering the implant in place of the genuine update.

The exact mechanism that allows Blackwood to intercept this traffic is unknown. The researchers suggest that the group may deploy a network implant inside the target networks, possibly on vulnerable network appliances such as routers or gateways.
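The update hijack described above relies on nothing more than the updater trusting whatever bytes come back over plaintext HTTP. The following Go program is an added example, not code from the original article or from any of the vendors mentioned: it models the update channel as a function (in place of a real HTTP connection), places an AitM on that channel that swaps the installer body, and compares an updater that installs whatever it receives with one that verifies a detached Ed25519 signature under a vendor key pinned in the client. The file names, the key seed and the payload strings are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Constructed sample data: a stand-in for the vendor's installer and for the
// payload an adversary-in-the-middle swaps in. Neither is real software.
var (
	legitUpdate = []byte("LEGIT-INSTALLER v2.1.0")
	aitmPayload = []byte("MZ swapped-installer (stand-in for a dropper)")
)

// Vendor signing key, derived from a fixed seed so the example is deterministic.
// In a real product only the public key ships inside the updater.
var (
	vendorSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	vendorPriv = ed25519.NewKeyFromSeed(vendorSeed)
	vendorPub  = vendorPriv.Public().(ed25519.PublicKey)
)

// fetcher models one plaintext HTTP GET: request path in, response body out.
type fetcher func(path string) ([]byte, error)

// updateServer is the vendor's legitimate server. It serves the installer and a
// detached Ed25519 signature over the installer bytes.
func updateServer(path string) ([]byte, error) {
	switch path {
	case "/update.exe":
		return legitUpdate, nil
	case "/update.exe.sig":
		return ed25519.Sign(vendorPriv, legitUpdate), nil
	}
	return nil, fmt.Errorf("404 %s", path)
}

// aitm wraps a transport the way an on-path attacker does: every request still
// reaches the real server, but the installer body is replaced on the way back.
func aitm(upstream fetcher) fetcher {
	return func(path string) ([]byte, error) {
		body, err := upstream(path)
		if err != nil {
			return nil, err
		}
		if path == "/update.exe" {
			return aitmPayload, nil
		}
		return body, nil
	}
}

// naiveUpdate trusts whatever arrives over plaintext HTTP and installs it.
func naiveUpdate(get fetcher) ([]byte, error) {
	return get("/update.exe")
}

// verifiedUpdate also downloads over plaintext HTTP, but installs only if the
// detached signature verifies under the vendor key pinned in the client.
func verifiedUpdate(get fetcher, pinned ed25519.PublicKey) ([]byte, error) {
	body, err := get("/update.exe")
	if err != nil {
		return nil, err
	}
	sig, err := get("/update.exe.sig")
	if err != nil {
		return nil, err
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, body, sig) {
		return nil, errors.New("installer signature invalid: refusing to install")
	}
	return body, nil
}

func main() {
	hijacked := aitm(updateServer)

	got, _ := naiveUpdate(hijacked)
	fmt.Printf("naive client installed:   %q\n", got)

	if _, err := verifiedUpdate(hijacked, vendorPub); err != nil {
		fmt.Println("verifying client (AitM):  ", err)
	}
	got, _ = verifiedUpdate(updateServer, vendorPub)
	fmt.Printf("verifying client (clean): %q\n", got)
}
```

Run it with `go run`. The AitM could rewrite the .sig response as well, but without the vendor's private key it cannot produce a signature that verifies under the pinned public key, so the verifying client refuses the swapped installer either way. The check blocks this class of interception; it does not replace TLS, and in a real updater the signed data should also cover version metadata so an attacker cannot replay an older, genuinely signed installer.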

Based on their analysis, the researchers believe that the original backdoor from which the custom NSPX30 implant evolved was written by experienced malware developers.

Mainton Company - custom software development and testing, DevOps and SRE, SEO and online advertising since 2004.