January 25, 2024 at 03:31PM
The advanced threat actor ‘Blackwood’ has been using the NSPX30 malware in cyberespionage attacks since at least 2018. Targeting China, Japan, and the UK, the adversary delivers the malware through legitimate software update mechanisms. NSPX30, an evolved implant with sophisticated capabilities, conceals its activities and intercepts data to evade detection. ESET’s report offers technical details and indicators of compromise for defense.
After reviewing the report, the key takeaways are as follows:
1. An advanced threat actor known as ‘Blackwood’ is using sophisticated malware called NSPX30 in cyberespionage attacks against companies and individuals.
2. The NSPX30 malware is being used in adversary-in-the-middle (AitM) attacks, with targets in China, Japan, and the United Kingdom. The malware is delivered through the update mechanisms of legitimate software like WPS Office, Tencent QQ, and Sogou Pinyin.
3. Blackwood has been active since at least 2018 and is believed to align with Chinese state interests, sharing access with other Chinese APT groups.
4. NSPX30 is an evolution of the ‘Project Wood’ backdoor, which dates back to 2005, and demonstrates significant technical advancement, including a multistage architecture, packet interception capabilities, and the ability to evade detection by Chinese anti-malware tools.
5. The primary function of NSPX30 is to collect information from breached systems, including files, screenshots, keystrokes, and credentials. It can also steal chat logs and contact lists from various messaging platforms.
Additionally, ESET’s report provides ample technical details about the malware and how it works, as well as a list of indicators of compromise that defenders can use to protect their environment.