Since 2018, a previously unknown Chinese actor has used a new backdoor in Adversary-in-the-middle (AitM) cyber espionage attacks against Chinese and Japanese targets.
Specific victims of the group, which ESET calls “Blackwood”, include a large Chinese manufacturing and trading company, the China office of a Japanese engineering and manufacturing company, individuals in China and Japan, and a Chinese-speaking person linked to a high-profile research university in the UK.
The fact that Blackwood has only now been discovered, more than half a decade after its first known activity, can be attributed mainly to two things: its ability to hide the malware in updates to popular software products such as WPS Office, and the malware itself, a highly sophisticated spying tool called “NSPX30”.
Blackwood and NSPX30
The sophistication of NSPX30, meanwhile, can be attributed to nearly two full decades of research and development.
According to analysts at ESET, NSPX30 comes from a long lineage of backdoors dating back to what they retrospectively named “Project Wood”, apparently first compiled on January 9, 2005.
From Project Wood – which, at various times, was used to target a Hong Kong politician, and then targets in Taiwan, Hong Kong and southeast China – came further variants, including the 2008 DCM (also known as “Dark Spectre”), which was used in malicious campaigns until 2018.
NSPX30, developed that same year, represents the apogee of all the cyber espionage tooling that preceded it.
The multi-functional, multi-step tool consists of a dropper, DLL installer, loaders, orchestrator, and backdoor, with the latter two coming with their own sets of additional, swappable plugins.
The name of the game is information theft, be it system or network data, files and directories, credentials, keystrokes, screenshots, audio, chats and contact lists from the most popular messaging apps (WeChat, Telegram, Skype, Tencent QQ, etc.) – and more.
Among other talents, NSPX30 can establish a reverse shell, add itself to whitelists in Chinese antivirus tools, and intercept network traffic. The latter capability allows Blackwood to effectively hide its command and control infrastructure, which may have contributed to its long period without detection.
A backdoor hidden in software updates
Blackwood’s greatest trick, however, also serves as its greatest mystery.
To infect machines with NSPX30, Blackwood uses none of the typical tricks: phishing, infected web pages, and so on. Instead, when perfectly legitimate programs attempt to download updates from equally legitimate company servers over unencrypted HTTP, Blackwood somehow slips its own backdoor into the download as well.
In other words, this is not a SolarWinds-style supply chain breach of a single supplier. Instead, ESET speculates that Blackwood may use network implants. Such implants could be installed on vulnerable edge devices in targeted networks, as is common among other Chinese APTs.
Software products whose updates were used to spread NSPX30 include WPS Office (a popular free alternative to Microsoft’s and Google’s office suites), the QQ instant messaging service (developed by media giant Tencent), and the Sogou Pinyin input method editor (the leading pinyin tool in the Chinese market, with hundreds of millions of users).
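The precondition the article describes, update downloads that travel over plain HTTP, is something a defender can look for in proxy logs, and the effect of a swapped payload is something an updater can catch by checking the download against a hash obtained over an authenticated channel. The following is an added example, not code from ESET or from the article; the proxy log format, the domains, the file names and the hash values are all constructed for the illustration.

```python
"""
Added example (not from the ESET report or the article): flag update
downloads that travel over plain HTTP, the condition that lets an
adversary-in-the-middle replace the payload, and verify a downloaded
update against an expected SHA-256 before it is executed.
All log lines, domains and file names below are constructed sample data.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed sample proxy log, one request per line:
# "<timestamp> <client_ip> <method> <url> <status> <content-type>"
SAMPLE_LOG = """\
2024-01-10T09:12:01Z 10.0.0.5 GET http://update.example-office.test/release/notes.html 200 text/html
2024-01-10T09:12:03Z 10.0.0.5 GET http://update.example-office.test/release/setup_patch.exe 200 application/octet-stream
2024-01-10T09:12:05Z 10.0.0.7 GET https://dl.example-im.test/client/update.exe 200 application/octet-stream
2024-01-10T09:12:09Z 10.0.0.9 GET http://cdn.example-ime.test/pkg/installer.msi 200 application/x-msi
2024-01-10T09:12:11Z 10.0.0.9 GET http://cdn.example-ime.test/pkg/readme.txt 200 text/plain
"""

# File extensions and MIME types that indicate an executable payload.
EXEC_EXT = (".exe", ".msi", ".dll", ".cab", ".zip")
EXEC_MIME = {"application/octet-stream", "application/x-msdownload", "application/x-msi"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    url: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ctype = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": int(status), "ctype": ctype}


def plaintext_executable_reason(rec):
    """Return why a request is risky (executable fetched over http://), else None."""
    url = rec["url"].lower()
    if not url.startswith("http://"):
        return None  # TLS-protected downloads are out of scope for this check
    path = url.split("?", 1)[0]
    if path.endswith(EXEC_EXT):
        return "executable path over plain HTTP"
    if rec["ctype"].lower() in EXEC_MIME:
        return "binary content-type over plain HTTP"
    return None


def scan_log(text):
    """Walk a proxy log and collect every plaintext executable download."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        reason = plaintext_executable_reason(rec)
        if reason:
            findings.append(Finding(rec["ts"], rec["client"], rec["url"], reason))
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_update(data, expected_sha256_hex):
    """Constant-time comparison of a downloaded update against the expected hash.
    The expected value must come from a channel the attacker cannot tamper with
    (for example a TLS-protected manifest or a signed release file)."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.lower())


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.url}: {f.reason}")
    # Constructed update payload: genuine bytes versus a tampered copy.
    expected = sha256_hex(b"genuine-update-bytes")
    print("genuine verifies:", verify_update(b"genuine-update-bytes", expected))
    print("tampered verifies:", verify_update(b"tampered-update-bytes", expected))
```

Run against the constructed log, the scan reports the `.exe` and `.msi` fetched over `http://` and ignores the HTTPS download and the plaintext documents. The hash check is the complement on the endpoint side: if the updater only has a hash that it fetched over the same unencrypted channel, an adversary-in-the-middle can replace both, so the expected value has to come from somewhere the attacker cannot rewrite.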