China-backed Hackers Hijack Software Updates to Implant “NSPX30” Spyware


January 25, 2024 at 05:22AM

A new China-aligned threat actor, tracked by ESET under the name Blackwood, has been linked to adversary-in-the-middle (AitM) attacks that deliver the sophisticated NSPX30 implant through software update mechanisms. The multistage implant supports packet interception, network information harvesting, and evasion of anti-malware solutions. The available evidence suggests that a network implant is deployed inside victims' networks to carry out the interception.

Key takeaways:

– A new China-aligned threat actor, named Blackwood, has been identified by the Slovak cybersecurity firm ESET. The group deploys the NSPX30 implant via the update mechanisms of well-known software to target Chinese and Japanese manufacturing, trading, and engineering companies, as well as individuals in China, Japan, and the U.K.

– NSPX30 is a sophisticated multistage implant designed to intercept unencrypted HTTP traffic related to software updates and turn it into a system compromise. It comprises a dropper, an installer, loaders, an orchestrator, and a backdoor, each with its own set of plugins. The implant is built to let attackers intercept packets and hide their infrastructure.

– The backdoor can bypass Chinese anti-malware solutions, and its origins can be traced back to a malware codenamed Project Wood dating from January 2005.

– ESET speculates that the attackers deploy a network implant, possibly on vulnerable network appliances such as routers or gateways, to intercept unencrypted HTTP traffic related to updates and reply with the NSPX30 implant’s dropper in the form of a DLL, an executable file, or a ZIP archive containing the DLL.

– NSPX30 includes an orchestrator that creates two threads to obtain the backdoor and load its plugins. The implant can also create a reverse shell, collect file information, terminate specific processes, capture screenshots, log keystrokes, and uninstall itself from the infected machine.

– Furthermore, SecurityScorecard revealed new infrastructure connected to another cyber espionage group known as Volt Typhoon, which leverages a botnet built from end-of-life Cisco RV320/325 routers compromised through security flaws. Approximately 30% of the compromised devices communicated with two IP addresses used for command-and-control (C2) communications.

– Overall, these findings give insight into the activities and techniques of the threat actors and highlight the need for stronger defensive measures, in particular against plaintext update channels that can be hijacked in transit.
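The delivery pattern described above (an update check over unencrypted HTTP answered with a DLL, EXE, or ZIP instead of the expected response) is something a network sensor can look for. The script below is an added example written for this summary; it is not code from ESET, the article, or any of the named vendors. It parses constructed, Zeek-style HTTP log lines and flags cleartext responses whose MIME type or leading bytes indicate an executable or archive when the request looked like an update check or manifest fetch. The hostnames, URIs, and update-path patterns are assumptions for illustration, not indicators from the report.

```python
"""Flag cleartext HTTP update traffic that was answered with an executable payload.

Added example, not from the ESET report or the article. The log layout, hosts,
URIs and path patterns below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample in a Zeek-like, tab-separated layout (assumed fields):
# ts, src, dst, dport, method, host, uri, status, resp_mime_type, first_bytes_hex
SAMPLE_HTTP_LOG = """\
1706160000.1\t10.0.0.5\t203.0.113.10\t80\tGET\tupdate.example-vendor.test\t/client/check?ver=3.1\t200\ttext/xml\t3c3f786d6c
1706160001.2\t10.0.0.5\t203.0.113.10\t80\tGET\tupdate.example-vendor.test\t/client/download/3.2/setup.exe\t200\tapplication/x-dosexec\t4d5a9000
1706160002.3\t10.0.0.7\t203.0.113.11\t80\tGET\tupdate.example-vendor.test\t/client/check?ver=3.1\t200\tapplication/x-dosexec\t4d5a9000
1706160003.4\t10.0.0.8\t203.0.113.12\t80\tGET\tcdn.example-vendor.test\t/update/3.2/patch.zip\t200\tapplication/zip\t504b0304
1706160004.5\t10.0.0.9\t203.0.113.13\t80\tGET\twww.example-news.test\t/index.html\t200\ttext/html\t3c21444f
"""

# MIME types and magic bytes that identify a PE file ("MZ") or a ZIP archive ("PK\x03\x04").
EXEC_MIMES = {
    "application/x-dosexec", "application/x-msdownload", "application/zip",
    "application/x-zip-compressed", "application/vnd.microsoft.portable-executable",
}
EXEC_MAGIC = ("4d5a", "504b0304")

# Assumed heuristics: in practice these would be tuned to the vendors actually in use.
UPDATE_RE = re.compile(r"update|upgrade|patch", re.I)
MANIFEST_RE = re.compile(r"(check|manifest|version|\.xml|\.json|\.txt)(\?|$)", re.I)

FIELDS = ("ts", "src", "dst", "dport", "method", "host", "uri", "status", "mime", "magic")


@dataclass
class Finding:
    ts: str
    client: str
    host: str
    uri: str
    severity: str
    reason: str


def parse_line(line):
    """Split one log line into a dict; return None for comments or malformed lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def looks_executable(rec):
    """True if the response body was a PE file or ZIP archive by MIME type or magic bytes."""
    return rec["mime"].lower() in EXEC_MIMES or rec["magic"].lower().startswith(EXEC_MAGIC)


def analyze(log_text):
    """Return findings for cleartext HTTP transactions that delivered executable content
    in an update context. An executable returned for an update-check / manifest request
    is the strongest signal, since a legitimate check returns metadata, not a binary."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not looks_executable(rec):
            continue
        in_update_context = bool(UPDATE_RE.search(rec["host"] + rec["uri"]))
        if MANIFEST_RE.search(rec["uri"]):
            findings.append(Finding(rec["ts"], rec["src"], rec["host"], rec["uri"], "high",
                                    "executable payload returned for an update-check/manifest request"))
        elif in_update_context:
            findings.append(Finding(rec["ts"], rec["src"], rec["host"], rec["uri"], "medium",
                                    "executable fetched over cleartext HTTP from an update path"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_HTTP_LOG):
        print(f"[{f.severity}] {f.ts} {f.client} -> {f.host}{f.uri}: {f.reason}")
```

On the constructed sample this yields three findings: the two cleartext binary downloads from update paths are medium severity, and the update check from 10.0.0.7 that came back as a PE file is high severity. The medium findings are not themselves evidence of compromise, since some vendors still ship updates over plain HTTP, but they enumerate exactly the channels an in-path implant of the kind described here could abuse, which is useful input for deciding where to enforce HTTPS or signed-manifest verification.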
