Chinese Threat Actor Linked to NSPX30 Spyware

A previously unknown threat actor with ties to China has been identified in a series of adversary-in-the-middle (AitM) attacks, where legitimate software update requests are exploited to deliver an advanced implant named NSPX30. Cybersecurity experts are monitoring this advanced persistent threat (APT) group, referred to as Blackwood, which has reportedly been operational since at least 2018.

The NSPX30 implant is observed being distributed through the update mechanisms of well-known software such as Tencent QQ, WPS Office, and Sogou Pinyin. The targets of these attacks include Chinese and Japanese manufacturing, trading, and engineering companies, as well as individuals in China, Japan, and the U.K.

Described as a multistage implant, NSPX30 comprises various components, including a dropper, installer, loaders, orchestrator, and backdoor, with the latter two having their own sets of plugins. The implant's design is centered around the attackers' ability to conduct packet interception, allowing NSPX30 operators to conceal their infrastructure.

Origins of the Malware

The backdoor's origins can be traced back to a malware named Project Wood from January 2005, which was created to gather system and network information, record keystrokes, and capture screenshots from victim systems. Project Wood's codebase served as the foundation for multiple implants, giving rise to variants like DCM (aka Dark Specter) in 2008. This malware was subsequently employed in attacks targeting individuals of interest in Hong Kong and the Greater China area in 2012 and 2014.

The latest iteration, NSPX30, is delivered through attempts to download software updates via the (unencrypted) HTTP protocol, resulting in a compromised system. A malicious dropper, part of the compromised update process, creates files on disk and executes "RsStub.exe," a binary associated with Rising Antivirus software. This is done to launch "comx3.dll" by exploiting the susceptibility of the former to DLL side-loading.

"comx3.dll" serves as a loader for executing a file named "comx3.dll.txt," which functions as an installer library activating the next stage of the attack chain. This chain culminates in the execution of the orchestrator component ("WIN.cfg"). The method of delivering the dropper in the form of malicious updates is currently unknown, although past instances involving Chinese threat actors, such as BlackTech, Evasive Panda, Judgement Panda, and Mustang Panda, have utilized compromised routers as a means to distribute malware.

January 26, 2024

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.