China-backed hackers hijack software updates to implant ‘NSPX30’ spyware.

Hackers take control of software updates

A previously undocumented China-aligned threat actor has been linked to a series of adversary-in-the-middle (AitM) attacks that hijack update requests from legitimate software to deliver a sophisticated implant called NSPX30.

Slovak cybersecurity company ESET is tracking the advanced persistent threat (APT) group under the name Blackwood. It is said to have been active since at least 2018.

The NSPX30 implant has been observed being distributed through the update mechanisms of well-known software such as Tencent QQ, WPS Office, and Sogou Pinyin, with attacks targeting Chinese and Japanese manufacturing, trading, and engineering companies, as well as individuals located in China, Japan, and the United Kingdom.


“NSPX30 is a multistage implant that includes several components such as a dropper, an installer, loaders, an orchestrator and a backdoor,” said security researcher Facundo Muñoz. “Both of the latter two have their own sets of plugins.”

“The implant was designed around the ability of attackers to intercept packets, allowing NSPX30 operators to hide their infrastructure.”

The origins of the backdoor, which is also able to bypass several Chinese anti-malware solutions by allowlisting itself, can be traced to an earlier malware family from January 2005, codenamed Project Wood, designed to collect system and network information, record keystrokes, and take screenshots on victims’ systems.


Project Wood’s core code has formed the basis for several implants, including variants such as DCM (also known as Dark Spectre) in 2008, with the malware subsequently used in attacks against individuals of interest in Hong Kong and the Greater China area in 2012 and 2014.

NSPX30, the latest iteration of the implant, is delivered when an attempt to download a software update from a legitimate server over the (unencrypted) HTTP protocol is hijacked, leading to a system compromise and paving the way for the deployment of a DLL dropper.


The malicious dropper delivered through the compromised update process writes several files to disk and executes “RsStub.exe”, a binary associated with Rising Antivirus software. Because “RsStub.exe” is susceptible to DLL side-loading, it is abused to launch “comx3.dll”.

“comx3.dll” functions as a loader that executes a third file named “comx3.dll.txt”, an installer library responsible for triggering the next stage of the attack chain, which culminates in the execution of the orchestrator component (“WIN.cfg”).

It is currently unknown how threat actors deliver the dropper in the form of malicious updates, but Chinese threat actors such as BlackTech, Evasive Panda, Judgment Panda, and Mustang Panda have exploited compromised routers as a channel to distribute malware in the past.

ESET speculates that the attackers “are deploying a network implant into victim networks, possibly on vulnerable network devices such as routers or gateways.”

“The fact that we found no indications of traffic redirection via DNS could indicate that when the hypothesized network implant intercepts unencrypted HTTP traffic related to updates, it responds with the NSPX30 implant’s dropper in the form of a DLL, an executable file, or a ZIP archive containing the DLL.”


The orchestrator then creates two threads: one to fetch the backdoor (“msfmtkl.dat”) and another to load plugins and add exclusions that allow its DLLs to be loaded, bypassing Chinese anti-malware solutions.

The backdoor is downloaded via an HTTP request to Baidu’s website www.baidu[.]com, a legitimate Chinese search engine, with an unusual User-Agent string that masks the request as coming from the Internet Explorer browser on Windows 98.

The server response is then saved to a file from which the backdoor component is extracted and loaded into memory.
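The two delivery traits described above, a cleartext HTTP fetch answered with a DLL, executable or ZIP, and a User-Agent impersonating Internet Explorer on Windows 98, are both visible in web proxy logs. The following detection script is an added example, not code from the article or from ESET; the log format and the sample lines (including the Windows 98 User-Agent string) are constructed, since the article does not reproduce the actual string.

```python
import re

# Constructed sample proxy log lines (not from the article or ESET's report).
# Assumed format: <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
2024-01-25T09:12:01Z 10.0.4.17 GET http://www.baidu.com/ 200 "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
2024-01-25T09:12:05Z 10.0.4.22 GET https://www.baidu.com/s?wd=test 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-01-25T09:13:40Z 10.0.4.17 GET http://update.example.invalid/pkg.zip 200 "WinHttpClient/1.0"
2024-01-25T09:14:02Z 10.0.4.31 GET http://www.baidu.com/ 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# User-Agents claiming an operating system no managed asset should still run.
LEGACY_OS_RE = re.compile(r"Windows 98|Win 9x|Windows ME|Windows NT 4\.0", re.I)
# Payload types the article says the dropper arrives as, over cleartext HTTP.
BINARY_EXT_RE = re.compile(r"\.(dll|exe|zip)(\?|$)", re.I)


def parse_line(line):
    """Split one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts, src, method, url, status, ua = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url, "status": int(status), "ua": ua}


def find_suspicious(log_text):
    """Return one alert per log record that trips at least one rule."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        cleartext = rec["url"].lower().startswith("http://")
        if LEGACY_OS_RE.search(rec["ua"]):
            reasons.append("user-agent claims an end-of-life Windows version")
        if cleartext and BINARY_EXT_RE.search(rec["url"]):
            reasons.append("executable or archive fetched over cleartext HTTP")
        if reasons:
            alerts.append({**rec, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG):
        print(a["ts"], a["src"], a["url"], "|", "; ".join(a["reasons"]))
```

The second rule will fire on every legitimate product that still updates over plain HTTP, which is the exposure the article describes; treat those hits as an inventory of update channels that an on-path implant could hijack.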


As part of its initialization phase, NSPX30 also creates a passive UDP listening socket to receive commands from the controller and exfiltrate data, possibly by intercepting DNS query packets, in order to anonymize its command-and-control (C2) infrastructure.

The instructions allow the backdoor to create a reverse shell, collect file information, kill specific processes, take screenshots, log keystrokes, and even uninstall itself from the infected machine.

The disclosure comes weeks after SecurityScorecard revealed new infrastructure connected to another Beijing-linked cyber espionage group known as Volt Typhoon (also known as Bronze Silhouette), which operates a botnet built by exploiting known security flaws (CVE-2019-1652 and CVE-2019-1653) in end-of-life Cisco RV320/325 routers located in Europe, North America, and Asia Pacific.

“About 30% of them (325 of 1,116 devices) were communicating with two IP addresses previously identified as proxy routers used for command and control (C2) communications, 174.138.56[.]21 and 159.203.113[.]25, in a thirty-day period,” the company said.

“Volt Typhoon may aim to use these compromised devices to transfer stolen data or connect to the networks of targeted organizations.”
