
Newly ID'ed Chinese APT Hides Backdoor in Software Updates

The threat actor went more than half a decade before being discovered — thanks to a remarkable backdoor delivered in invisible adversary-in-the-middle attacks.


Since 2018, a previously unknown Chinese threat actor has been using a novel backdoor in adversary-in-the-middle (AitM) cyber-espionage attacks against Chinese and Japanese targets.

Specific victims of the group that ESET has named "Blackwood" include a large Chinese manufacturing and trading company, the Chinese office of a Japanese engineering and manufacturing company, individuals in China and Japan, and a Chinese-speaking person connected with a high-profile research university in the UK.

That Blackwood is only being outed now, more than half a decade since its earliest known activity, can be attributed primarily to two things: its ability to effortlessly conceal malware in updates for popular software products like WPS Office, and the malware itself, a highly sophisticated espionage tool called "NSPX30."

Blackwood and NSPX30

The sophistication of NSPX30, meanwhile, can be attributed to nearly two whole decades of research and development.

According to ESET analysts, NSPX30 follows from a long lineage of backdoors dating back to what they've posthumously named "Project Wood," seemingly first compiled back on Jan. 9, 2005.

From Project Wood — which, at various points, was used to target a Hong Kong politician, and then targets in Taiwan, Hong Kong, and southeast China — came further variants, including 2008's DCM (aka "Dark Specter"), which survived in malicious campaigns until 2018.

NSPX30, developed that same year, is the apogee of all cyber espionage that came before it.

The multistaged, multifunctional tool is comprised of a dropper, a DLL installer, loaders, an orchestrator, and a backdoor, with the latter two coming with their own sets of additional, swappable plug-ins.

The name of the game is information theft, whether that be data about the system or network, files and directories, credentials, keystrokes, screengrabs, audio, chats, and contact lists from popular messaging apps — WeChat, Telegram, Skype, Tencent QQ, etc. — and more.

Among other talents, NSPX30 can establish a reverse shell, add itself to allowlists in Chinese antivirus tools, and intercept network traffic. This latter capability allows Blackwood to effectively conceal its command-and-control infrastructure, which may have contributed to its long run without detection.

A Backdoor Hidden in Software Updates

Blackwood's greatest trick of all, though, also doubles as its greatest mystery.

To infect machines with NSPX30, it doesn't use any of the typical tricks: phishing, infected webpages, etc. Instead, when certain perfectly legitimate programs attempt to download updates from equally legitimate corporate servers via unencrypted HTTP, Blackwood somehow also injects its backdoor into the mix.

In other words, this isn't a SolarWinds-style supply chain breach of a vendor. Instead, ESET speculates that Blackwood may be using network implants. Such implants might be stored in vulnerable edge devices in targeted networks, as is common among other Chinese APTs.

The software products being used to spread NSPX30 include WPS Office (a popular free alternative to Microsoft and Google's suite of office software), the QQ instant messaging service (developed by multimedia giant Tencent), and the Sogou Pinyin input method editor (China's market-leading pinyin tool with hundreds of millions of users).

So how can organizations defend against this threat? Ensure that your endpoint protection tool blocks NSPX30, and pay attention to malware detections related to legitimate software systems, advises Mathieu Tartare, senior malware researcher at ESET. "Also, properly monitor and block AitM attacks such as ARP poisoning -- modern switches have features designed to mitigate such an attack," he says.

Disabling IPv6 can help thwart an IPv6 SLAAC attack, he adds.

"A well-segmented network will help as well, as the AitM will affect only the subnet where it is performed," Tartare says.

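The ARP monitoring mentioned above can be done by comparing IP-to-MAC bindings across periodic neighbour-table observations. The Python below is an added example, not code from ESET or from this article; the "timestamp, IP, MAC" line format, the alert field names, and the sample addresses (documentation ranges) are constructed assumptions.

```python
# Added example: flag ARP bindings that change or collide across observations.
# SAMPLE is constructed data ("<timestamp> <ip> <mac>") using documentation
# address ranges; the line format and alert field names are assumptions.
SAMPLE = """\
2024-01-25T09:00:00 192.0.2.1 00:00:5e:00:53:01
2024-01-25T09:00:00 192.0.2.20 00:00:5e:00:53:20
2024-01-25T09:00:00 192.0.2.30 00:00:5e:00:53:30
2024-01-25T09:05:00 192.0.2.1 00:00:5e:00:53:01
2024-01-25T09:10:00 192.0.2.1 00:00:5E:00:53:30
2024-01-25T09:10:00 192.0.2.20 00:00:5e:00:53:20
"""


def detect_arp_anomalies(text, gateway_ip):
    """Return alerts for IP->MAC rebinding and for one MAC holding several IPs."""
    bindings = {}      # ip -> last MAC observed for it
    reported = set()   # (mac, ips) collisions already alerted on
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue   # skip blank or malformed lines
        ts, ip, mac = parts[0], parts[1], parts[2].lower()
        old = bindings.get(ip)
        if old is not None and old != mac:
            # A changed binding for the gateway redirects the whole subnet.
            alerts.append({"type": "rebind", "time": ts, "ip": ip,
                           "old_mac": old, "new_mac": mac,
                           "severity": "high" if ip == gateway_ip else "medium"})
        bindings[ip] = mac
        # One MAC answering for several IPs is the usual poisoning footprint.
        ips = tuple(sorted(i for i, m in bindings.items() if m == mac))
        if len(ips) > 1 and (mac, ips) not in reported:
            reported.add((mac, ips))
            alerts.append({"type": "shared_mac", "time": ts, "mac": mac,
                           "ips": list(ips),
                           "severity": "high" if gateway_ip in ips else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE, gateway_ip="192.0.2.1"):
        print(alert)
```

Gateway failover and DHCP address reassignment also change bindings, so alerts from a check like this need triage against known network changes.
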
About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
