The Chinese hacker group “Blackwood” is spying on people and companies in the UK, China and Japan using a tool called NSPX30. The malware reaches the target devices via official app updates.
Cybercriminals are always finding ingenious ways to get at valuable data. As ESET researchers have discovered, a previously unknown hacker group from China is hunting for data using a new tool called NSPX30. What makes it unusual: instead of infecting users via malicious email attachments or websites, it reaches its target systems via official app updates. Since 2018, "Blackwood," as the team led by ESET researcher Facundo Muñoz has named the group, has been spying on people and companies in the United Kingdom, China and Japan.
NSPX30 forwards screenshots and saved information
Once the malware is installed, it immediately begins collecting data and passing it on to those behind it. This includes screenshots, information stored on the device, and keystrokes. However, the exact attack pattern and how the group conceals its identity are still unknown:
"We do not know exactly how the attackers are able to deliver NSPX30 as malicious updates, as we have not yet discovered the tool that the criminals use to initially compromise their targets," explains ESET researcher Facundo Muñoz, who discovered NSPX30 and Blackwood. "However, we suspect that the attackers are deploying the malware into their victims' networks by installing it on vulnerable network devices such as routers or gateways. This is supported by our experience with similar Chinese threat actors, as well as recent investigations into router implants attributed to another Chinese group, MustangPanda."
Who are Blackwood's victims?
The new hacking group's targets include unidentified people in China and Japan and an unidentified Chinese-speaking person linked to the network of a prestigious public research university in the UK. A large production and trading company in China as well as branches of a Japanese production company based there have also found themselves in Blackwood's crosshairs.
As ESET researchers have observed, it is not easy for the affected people and organizations to fend off the attacks for good: the actors repeatedly attempt to re-compromise their victims' systems as soon as access is lost.
Blackwood Group uses persistent cyber implant
Blackwood is an Advanced Persistent Threat (APT) group funded by the Chinese state and has been active since at least 2018. Since then, it has mounted campaigns against Chinese and Japanese individuals and companies, primarily for cyber espionage. It favours the Adversary-in-the-Middle (AitM) method: the attackers insert themselves into the communication between the user and a legitimate service, which can even let them circumvent security mechanisms such as multi-factor authentication.
In its attacks, the Blackwood group used a tool with the cryptic name NSPX30. This is a so-called implant, i.e. malware that gives hackers extensive access to their victims' systems. The basic version of this tool first appeared in 2005. The implant consists of several components, including a dropper, an installer, an orchestrator and a backdoor. The last two components allow the hackers to spy on applications such as Skype, Telegram and the messenger services Tencent QQ and WeChat, which are particularly popular in China. Two characteristics make the implant particularly stealthy:
- NSPX30 can infiltrate various Chinese anti-malware solutions to avoid detection
- The installation takes place via an official update: if a user downloads updates for applications such as the Tencent QQ messenger or the office apps Sogou Pinyin and WPS Office over an unencrypted connection, the implant is installed alongside them. Victims do not even have to visit a compromised site or click a phishing link to become infected.
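The delivery path described above (legitimate update traffic fetched over an unencrypted connection, which an adversary in the middle can swap out) is something a defender can look for on the network. The following is an added Python example and not ESET's code or anything from the Blackwood report: it scans constructed proxy log lines for installer or executable payloads fetched over plaintext HTTP, the condition that makes this kind of tampering possible. The log layout, the hostnames and the size threshold are assumptions made for the example.

```python
"""Flag software-update downloads that travel over plaintext HTTP in a proxy log.

Constructed example, not ESET's tooling. The log lines below are made up and
follow a simple Squid-style access-log layout:
    <epoch> <client_ip> <method> <url> <status> <content_type> <bytes>
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample log; the hostnames are placeholders, not real update servers.
SAMPLE_LOG = """\
1706000000 10.0.0.12 GET http://updates.example-vendor.test/qq/update.exe 200 application/octet-stream 5242880
1706000003 10.0.0.12 GET https://updates.example-vendor.test/qq/update.exe 200 application/octet-stream 5242880
1706000010 10.0.0.34 GET http://cdn.example-office.test/wps/patch_2024.msi 200 application/x-msi 1048576
1706000015 10.0.0.34 GET http://www.example-news.test/index.html 200 text/html 20480
1706000020 10.0.0.56 GET http://ime.example-pinyin.test/check?v=1.2 200 application/json 512
1706000025 10.0.0.56 GET http://ime.example-pinyin.test/dl/setup.dat 200 application/octet-stream 3145728
"""

# Extensions and MIME types that indicate an installer or executable payload
# (assumed list; extend it to match what your own update clients fetch).
PAYLOAD_EXTENSIONS = {".exe", ".msi", ".dll", ".dat", ".cab", ".zip"}
PAYLOAD_MIME_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msi",
    "application/x-dosexec",
}
MIN_PAYLOAD_BYTES = 100 * 1024  # assumed threshold: skip tiny version-check responses

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\d+)$")


@dataclass(frozen=True)
class Finding:
    timestamp: int
    client: str
    host: str
    url: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into a dict, or None if it does not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, client, method, url, status, ctype, size = match.groups()
    return {
        "timestamp": int(ts),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "content_type": ctype.lower(),
        "size": int(size),
    }


def payload_reason(record: dict) -> Optional[str]:
    """Explain why a record looks like a binary update payload, or None."""
    parsed = urlparse(record["url"])
    filename = parsed.path.rsplit("/", 1)[-1]
    ext = os.path.splitext(filename)[1].lower()
    if ext in PAYLOAD_EXTENSIONS:
        return f"installer/executable extension {ext} fetched over plaintext HTTP"
    if record["content_type"] in PAYLOAD_MIME_TYPES and record["size"] >= MIN_PAYLOAD_BYTES:
        return (f"binary payload ({record['content_type']}, {record['size']} bytes) "
                "fetched over plaintext HTTP")
    return None


def find_plaintext_updates(log_text: str) -> List[Finding]:
    """Return a Finding for every successful GET of a payload over http://."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        parsed = urlparse(rec["url"])
        if parsed.scheme != "http":  # TLS downloads are not exposed to on-path swapping
            continue
        reason = payload_reason(rec)
        if reason:
            findings.append(Finding(rec["timestamp"], rec["client"], parsed.hostname, rec["url"], reason))
    return findings


def plaintext_payload_hosts(findings: List[Finding]) -> List[str]:
    """Distinct servers seen handing out payloads in the clear, sorted for reporting."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    hits = find_plaintext_updates(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit.timestamp} {hit.client} -> {hit.host}: {hit.reason}")
    print("hosts to review:", ", ".join(plaintext_payload_hosts(hits)))
```

The hit list is a starting point, not a verdict: a plaintext download only means the payload could have been replaced on the path, so the follow-up is to compare the fetched file against the vendor's published hash or signature and to move the affected update clients to TLS where the vendor supports it.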
About ESET
ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.