China hackers hijack updates to plant NSPX30 spyware


A newly discovered China-aligned group, which ESET has dubbed Blackwood, has likely been planting sophisticated spyware in legitimate software updates since 2018, the company's researchers report.

Blackwood is suspected of hijacking legitimate software updates to deliver an implant the researchers named NSPX30. The malware has been delivered through the update mechanisms of WPS Office, Sogou Pinyin, and Tencent QQ, and its targets include engineering and manufacturing businesses and individuals in the UK, Japan, and China.

“Blackwood is a China-aligned APT group active since at least 2018, engaging in cyberespionage operations against Chinese and Japanese individuals and companies,” researchers say.


According to the report, machines are typically compromised when legitimate software attempts to download updates from legitimate servers: the request is genuine, but what arrives is the implant. NSPX30 itself can also intercept network packets, a capability its operators use to conceal the infrastructure they control.

However, it remains unknown how exactly the attackers substitute the malicious update for the genuine one. Swapping a download in transit requires an adversary-in-the-middle position somewhere on the path between the victim and the update server; whatever the mechanism, an updater that executes an unauthenticated download offers no protection against it.
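The update-hijack pattern described above is defeated on the client side regardless of how the attacker reaches the traffic, provided the updater authenticates what it downloads. The following is an added example (not ESET's code and not the updater of any product named on this page) that plays out the scenario: a vendor signs a release manifest with an Ed25519 key, an on-path attacker swaps the payload, and a naive client runs the implant while a client that pins the vendor's public key rejects it. The key pair, payload bytes, version numbers, and the three attack variants (payload swap, attacker-signed manifest, replay of an older genuine release) are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the vendor-signed description of one release. The client trusts
// the signature from a pinned public key, never the transport it arrived over.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  []byte `json:"sha256"`
}

// Update is the server's response: manifest bytes, a signature over those
// bytes, and the payload the updater would execute.
type Update struct {
	Manifest, Signature, Payload []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
	ErrHashMismatch = errors.New("payload hash does not match signed manifest")
	ErrRollback     = errors.New("offered version is not newer than the installed one")
)

// Release signs a new version (vendor side; the key stays offline in practice).
func Release(priv ed25519.PrivateKey, version int, payload []byte) Update {
	sum := sha256.Sum256(payload)
	m, _ := json.Marshal(Manifest{Version: version, SHA256: sum[:]})
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m), Payload: payload}
}

// NaiveInstall models an updater that runs whatever came back from the server.
func NaiveInstall(u Update) []byte { return u.Payload }

// VerifiedInstall returns the payload only if the manifest is signed by the
// pinned key, the payload hashes to the signed digest, and the version moves forward.
func VerifiedInstall(pinned ed25519.PublicKey, installed int, u Update) ([]byte, error) {
	if !ed25519.Verify(pinned, u.Manifest, u.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return nil, err
	}
	if sum := sha256.Sum256(u.Payload); !bytes.Equal(sum[:], m.SHA256) {
		return nil, ErrHashMismatch
	}
	if m.Version <= installed {
		return nil, ErrRollback
	}
	return u.Payload, nil
}

// Result records what each client would have done under each attack variant.
type Result struct {
	NaiveRunsImplant bool  // naive client executes the swapped payload
	SwapErr          error // hardened client, payload swapped in transit
	ForgeErr         error // hardened client, manifest signed by attacker's key
	ReplayErr        error // hardened client, older genuine release replayed
	GenuineOK        bool  // hardened client accepts the real update
}

// RunScenario plays out an on-path update hijack against both clients.
func RunScenario() (Result, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	// Constructed sample data standing in for a real installer and an implant dropper.
	old := Release(vendorPriv, 1, []byte("installer v1"))
	genuine := Release(vendorPriv, 2, []byte("installer v2"))
	implant := []byte("dropper.exe")

	var r Result
	// 1. Attacker on the path swaps the body but cannot produce a valid signature.
	swapped := genuine
	swapped.Payload = implant
	r.NaiveRunsImplant = bytes.Equal(NaiveInstall(swapped), implant)
	_, r.SwapErr = VerifiedInstall(vendorPub, 1, swapped)
	// 2. Attacker ships a manifest for the implant signed with their own key.
	_, r.ForgeErr = VerifiedInstall(vendorPub, 1, Release(attackerPriv, 3, implant))
	// 3. Attacker replays a genuine but older release (downgrade attempt).
	_, r.ReplayErr = VerifiedInstall(vendorPub, 1, old)
	// 4. The real update still goes through.
	p, err := VerifiedInstall(vendorPub, 1, genuine)
	r.GenuineOK = err == nil && bytes.Equal(p, genuine.Payload)
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("naive client runs implant: %v\n", r.NaiveRunsImplant)
	fmt.Printf("swap: %v\nforge: %v\nreplay: %v\ngenuine accepted: %v\n",
		r.SwapErr, r.ForgeErr, r.ReplayErr, r.GenuineOK)
}
```

The point of the three rejected cases is that the attacker's network position buys nothing without the vendor's signing key: the hash binds the payload to the manifest, the signature binds the manifest to the pinned key, and the version check stops a replay of an old release that was genuinely signed. TLS on the update channel is still worth having, but it protects only the transport; the signature check is what protects the file.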

“NSPX30 is a multistage implant that includes several components such as a dropper, an installer, loaders, an orchestrator, and a backdoor. Both of the latter two have their own sets of plugins,” reads ESET’s blog.

Researchers first noticed hints of the then-unknown spyware after a surge of malicious activity on a system located in China. In 2020, suspicious unknown files were detected on a so-called “threat magnet”, a machine that repeatedly attracts unrelated malware, prompting ESET to investigate and to name the spyware NSPX30.

Later inquiries revealed the spyware’s victims include unidentified individuals located in China and Japan, an unidentified Chinese-speaking individual connected to the network of a high-profile public research university in the UK, a large manufacturing and trading company in China, and the office of a Japanese corporation in China.

Notably, the attackers repeatedly regained access to systems after losing it, which points to targeted, goal-oriented campaigns rather than opportunistic infections.
