For approximately five years, a covert Chinese cyberespionage group has quietly targeted organizations and individuals in China and Japan, remaining undetected by cybersecurity experts and law enforcement agencies. This article sheds light on the sophisticated tactics employed by this group, including their utilization of adversary-in-the-middle (AitM) attacks to deploy a powerful implant through legitimate software update mechanisms.
Adversary-in-the-Middle Attacks and Deployment Method
This Chinese cyberespionage group, known as Blackwood, has distinguished itself by employing AitM attacks as the primary method for launching their operations. By exploiting vulnerabilities in the update mechanisms of legitimate software, they infiltrate networks and silently deploy their sophisticated implant, called NSPX30.
Blackwood Attacks and NSPX30 Implant
At the heart of Blackwood’s operations is the deployment of their powerful implant, NSPX30. This complex implant consists of a backdoor, dropper, installer, loader, and an orchestrator. Each component works in tandem to provide the cybercriminals with extensive control and capabilities within the compromised systems.
Previous Victims of NSPX30
Blackwood has selectively targeted a small number of victims thus far, focusing on individuals in China and Japan. Notable victims include a Chinese-speaking individual connected to a prestigious British research university and a Japanese engineering and manufacturing firm. These targets suggest the group’s interest in acquiring sensitive information related to academia and advanced technology.
NSPX30 as the Successor of Project Wood
NSPX30, the sophisticated implant utilized by Blackwood, is believed to be an evolution of a notorious 2005 backdoor known as Project Wood. Over the years, Project Wood has served as an essential code base for various implants, making it a foundational element of the Blackwood group’s malware arsenal.
Past incidents involving Project Wood
Public reports indicate that Project Wood has been used in several significant cyber espionage attacks. Notably, in 2011, it was employed to target a prominent political figure from Hong Kong using a spear phishing technique. This incident underscores the group’s expertise in orchestrating targeted attacks.
Connection to the Gelsemium APT and the TooHash Campaign
Furthermore, malware derived from Project Wood, featuring similar capabilities found in the NSPX30 implant, was used in the infamous 2014 cyberespionage campaign known as TooHash. Renowned cybersecurity company ESET attributes the TooHash campaign to the Gelsemium APT, potentially suggesting overlaps or collaboration between Blackwood and Gelsemium.
The Blackwood group employs a cunning deployment mechanism for their implant. By targeting vulnerable routers and gateways, they gain initial access to victims’ networks and subsequently install the NSPX30 implant. This method allows them to intercept unencrypted HTTP traffic related to software updates and surreptitiously deliver the NSPX30 dropper, evading detection.
Functionality of the NSPX30 Backdoor
The backdoor of the NSPX30 implant is a critical element that enables Blackwood’s extensive control over compromised systems. It utilizes a passive UDP listening socket, allowing it to wait for commands from the group’s operators and facilitate the exfiltration of valuable data. The use of this covert communication channel enhances the implant’s stealthy nature.
The successful deployment and exfiltration mechanism exhibited by Blackwood’s AitM system demonstrates its operational effectiveness. The attackers skillfully deploy the NSPX30 backdoor on victim networks, enabling them to send commands and download additional plugins. This seamless process facilitates ongoing surveillance and the extraction of sensitive information for prolonged periods.
Blackwood’s ability to operate stealthily for such an extended period highlights the group’s sophistication and determination. Their utilization of APT attacks and the deployment of the powerful NSPX30 implant demonstrates their advanced capabilities and understanding of complex cyber operations. As cybersecurity professionals continue to investigate and address these threats, organizations must remain vigilant, invest in robust security measures, and stay updated on evolving attack methods to mitigate the risks posed by such cyber espionage groups.