CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 5.9 Medium (Confidence: High)

CVSS2: 9 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS: 0.976 High (Percentile: 100.0%)
A previously undocumented China-aligned threat actor has been linked to a set of adversary-in-the-middle (AitM) attacks that hijack update requests from legitimate software to deliver a sophisticated implant named NSPX30.
Slovak cybersecurity firm ESET is tracking the advanced persistent threat (APT) group under the name Blackwood. It is said to have been active since at least 2018.
The NSPX30 implant has been observed deployed via the update mechanisms of known software such as Tencent QQ, WPS Office, and Sogou Pinyin, with the attacks targeting Chinese and Japanese manufacturing, trading, and engineering companies as well as individuals located in China, Japan, and the U.K.
"NSPX30 is a multistage implant that includes several components such as a dropper, an installer, loaders, an orchestrator, and a backdoor," security researcher Facundo Muñoz said. "Both of the latter two have their own sets of plugins."
"The implant was designed around the attackers' capability to conduct packet interception, enabling NSPX30 operators to hide their infrastructure."
The origins of the backdoor, which is also capable of bypassing several Chinese anti-malware solutions by allowlisting itself, can be traced to another piece of malware from January 2005 codenamed Project Wood, which is designed to harvest system and network information, record keystrokes, and take screenshots from victim systems.
Project Wood's codebase has acted as the foundation for several implants, including spawning variants like DCM (aka Dark Specter) in 2008, with the malware subsequently used in attacks targeting individuals of interest in Hong Kong and the Greater China area in 2012 and 2014.
NSPX30, the latest iteration of the implant, is delivered when an attempt to download software updates from legitimate servers over the (unencrypted) HTTP protocol results in a system compromise, paving the way for the deployment of a dropper DLL file.
The malicious dropper deployed as part of the compromised update process creates several files on disk and executes "RsStub.exe," a binary associated with the Rising Antivirus software, in order to launch "comx3.dll" by taking advantage of the fact that the former is susceptible to DLL side-loading.
"comx3.dll" functions as a loader that executes a third file named "comx3.dll.txt," an installer library responsible for activating the next-stage attack chain that culminates in the execution of the orchestrator component ("WIN.cfg").
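The side-loading step above (a legitimate executable picking up a DLL planted next to it) leaves a host-level signal that is worth hunting for regardless of the specific binary involved. The following is an added example, not ESET's tooling or anything from the article: a heuristic over constructed Sysmon-style ImageLoad records that flags a process loading a DLL from its own directory when that directory is neither a Windows system directory nor a signed DLL under Program Files. The file names follow the chain described in the article; the directory paths and the record layout are assumptions.

```python
"""Heuristic for the DLL side-loading pattern: an executable loads a DLL
from the directory it lives in, and that directory is user-writable.
Added example; the event records below are constructed, not real telemetry."""
import ntpath

# Directories where same-directory DLL loads are expected (assumption:
# standard Windows layout, compared case-insensitively).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")
TRUSTED_APP_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon-style ImageLoad (event id 7) records. The RsStub.exe /
# comx3.dll pairing is from the article; its location in %TEMP% is assumed.
EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Local\Temp\RsStub.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\comx3.dll",
     "Signed": "false"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\comctl32.dll",
     "Signed": "true"},
    {"Image": r"C:\Program Files\Example\app.exe",
     "ImageLoaded": r"C:\Program Files\Example\helper.dll",
     "Signed": "true"},
]


def _dir(path):
    """Lower-cased parent directory with a trailing backslash (Windows paths)."""
    return ntpath.dirname(path).lower() + "\\"


def is_suspicious_sideload(event):
    """True when the loaded DLL sits in the same directory as the process image
    and that directory is not a system directory, unless it is an installed
    application under Program Files loading a signed DLL."""
    exe_dir = _dir(event["Image"])
    dll_dir = _dir(event["ImageLoaded"])
    if exe_dir != dll_dir:
        return False  # normal search-order load from elsewhere
    if dll_dir.startswith(SYSTEM_DIRS):
        return False  # same-directory loads from system32 are expected
    if dll_dir.startswith(TRUSTED_APP_DIRS) and event.get("Signed", "false").lower() == "true":
        return False  # installed application loading its own signed DLL
    return True


def find_sideloads(events):
    """Return the file names of DLLs that match the side-loading heuristic."""
    return [ntpath.basename(e["ImageLoaded"]) for e in events if is_suspicious_sideload(e)]


if __name__ == "__main__":
    for name in find_sideloads(EVENTS):
        print("possible side-load:", name)
```

On the constructed records only the RsStub.exe/comx3.dll pair is flagged; the rule is deliberately coarse and is meant as a triage filter to be combined with signer and prevalence data, not as a standalone verdict.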
It is currently not known how the threat actors deliver the dropper in the form of malicious updates, but Chinese threat actors like BlackTech, Evasive Panda, Judgement Panda, and Mustang Panda have taken advantage of compromised routers as a channel to distribute malware in the past.
ESET speculates that the attackers "are deploying a network implant in the networks of the victims, possibly on vulnerable network appliances such as routers or gateways."
"The fact that we found no indications of traffic redirection via DNS might indicate that when the hypothesized network implant intercepts unencrypted HTTP traffic related to updates, it replies with the NSPX30 implant's dropper in the form of a DLL, an executable file, or a ZIP archive containing the DLL."
The orchestrator then proceeds to create two threads, one to obtain the backdoor ("msfmtkl.dat") and another to load its plugins and add exclusions to allowlist the loader DLLs to bypass Chinese anti-malware solutions.
The backdoor is downloaded via an HTTP request to Baidu's website www.baidu[.]com, a legitimate Chinese search engine, with an unusual User-Agent string that masquerades the request as originating from the Internet Explorer browser on Windows 98.
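Two of the network behaviours described above are visible from a web proxy: an executable payload (DLL, EXE or ZIP) arriving over plaintext HTTP in response to an update request, and an outbound request carrying a User-Agent that claims to be a long-obsolete browser and operating system. The following is an added example, not code from ESET or from the article: a small analyzer that reads constructed, tab-separated proxy log lines and flags both patterns. The log format, the host names, and the exact "MSIE 5.0; Windows 98" User-Agent value are assumptions; the article only states that the string masquerades as Internet Explorer on Windows 98.

```python
"""Flag plaintext executable downloads and anachronistic User-Agents in
proxy logs. Added example; the log lines below are constructed."""
import re
from urllib.parse import urlparse

# Constructed proxy log (tab-separated): client, method, url, status,
# response content type, user agent. Hosts under .test are placeholders.
LOG = """\
10.0.0.5\tGET\thttp://update.example-vendor.test/qq/update.xml\t200\tapplication/xml\tQQUpdater/1.0
10.0.0.5\tGET\thttp://update.example-vendor.test/qq/patch.dll\t200\tapplication/x-msdownload\tQQUpdater/1.0
10.0.0.5\tGET\thttp://www.baidu.com/\t200\ttext/html\tMozilla/4.0 (compatible; MSIE 5.0; Windows 98)
10.0.0.7\tGET\thttps://www.baidu.com/\t200\ttext/html\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120
10.0.0.7\tGET\thttps://dl.example-vendor.test/setup.exe\t200\tapplication/octet-stream\tWPSUpdater/2.1
"""

# Response types and URL extensions that indicate a runnable payload.
EXECUTABLE_TYPES = {
    "application/x-msdownload", "application/x-dosexec",
    "application/zip", "application/octet-stream",
}
EXECUTABLE_EXT = re.compile(r"\.(dll|exe|zip)$", re.IGNORECASE)

# Browser/OS combinations that no current client should present
# (assumption: a coarse pattern for Windows 9x/ME and MSIE 1-6).
LEGACY_UA = re.compile(r"Windows 9[58]|Windows ME|MSIE [1-6]\.", re.IGNORECASE)


def parse_line(line):
    """Split one tab-separated log line into a record dict."""
    client, method, url, status, ctype, ua = line.rstrip("\n").split("\t")
    return {"client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype, "ua": ua}


def flags_for(rec):
    """Return the list of detection names that apply to a record."""
    found = []
    u = urlparse(rec["url"])
    # Payload delivered over unencrypted HTTP: the precondition for the
    # update hijack described in the article.
    if u.scheme == "http" and (rec["ctype"] in EXECUTABLE_TYPES or EXECUTABLE_EXT.search(u.path)):
        found.append("plaintext-executable-download")
    # A client pretending to be IE on Windows 98 on a modern network.
    if LEGACY_UA.search(rec["ua"]):
        found.append("anachronistic-user-agent")
    return found


def analyze(log_text):
    """Return (client, url, flag) tuples for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for flag in flags_for(rec):
            findings.append((rec["client"], rec["url"], flag))
    return findings


if __name__ == "__main__":
    for client, url, flag in analyze(LOG):
        print(f"{flag}: {client} -> {url}")
```

On the constructed log the DLL fetched over plaintext HTTP and the Windows 98 User-Agent are each flagged once, while the same search engine reached over HTTPS by a current browser is not. The first rule is the more durable one: an updater that fetches code over HTTP is exposed to exactly the on-path replacement the article describes, whatever implant is used.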
The response from the server is then saved to a file from which the backdoor component is extracted and loaded into memory.
NSPX30, as part of its initialization phase, also creates a passive UDP listening socket for receiving commands from the controller and exfiltrating data, likely by intercepting DNS query packets in order to anonymize its command-and-control (C2) infrastructure.
The instructions allow the backdoor to create a reverse shell, collect file information, terminate specific processes, capture screenshots, log keystrokes, and even uninstall itself from the infected machine.
The disclosure comes weeks after SecurityScorecard revealed new infrastructure connected to another Beijing-nexus cyber espionage group known as Volt Typhoon (aka Bronze Silhouette) that leverages a botnet created by exploiting known security flaws in end-of-life Cisco RV320/325 routers (CVE-2019-1652 and CVE-2019-1653) operating across Europe, North America, and Asia Pacific.
"Approximately 30% of them (325 of 1,116 devices) communicated with two IP addresses previously named as proxy routers used for command-and-control (C2) communications, 174.138.56[.]21 and 159.203.113[.]25, in a thirty-day period," the company said.
"Volt Typhoon may aim to use these compromised devices to transfer stolen data or connect to target organizations' networks."