China-backed Hackers Hijack Software Updates to Implant “NSPX30” Spyware

A previously undocumented China-aligned threat actor has been linked to a set of adversary-in-the-middle (AitM) attacks that hijack update requests from legitimate software to deliver a sophisticated implant named NSPX30.

Slovak cybersecurity firm ESET is tracking the advanced persistent threat (APT) group under the name Blackwood. It’s said to be active since at least 2018.

The NSPX30 implant has been observed deployed via the update mechanisms of known software such as Tencent QQ, WPS Office, and Sogou Pinyin, with the attacks targeting Chinese and Japanese manufacturing, trading, and engineering companies as well as individuals located in China, Japan, and the U.K.

“NSPX30 is a multistage implant that includes several components such as a dropper, an installer, loaders, an orchestrator, and a backdoor,” security researcher Facundo Muñoz said. “Both of the latter two have their own sets of plugins.”

“The implant was designed around the attackers’ capability to conduct packet interception, enabling NSPX30 operators to hide their infrastructure.”

The origins of the backdoor, which is also capable of bypassing several Chinese anti-malware solutions by allowlisting itself, can be traced to another malware from January 2005 codenamed Project Wood, which is designed to harvest system and network information, record keystrokes, and take screenshots from victim systems.

Project Wood’s codebase has acted as the foundation for several implants, including spawning variants like DCM (aka Dark Specter) in 2008, with the malware subsequently used in attacks targeting individuals of interest in Hong Kong and the Greater China area in 2012 and 2014.

NSPX30, the latest iteration of the implant, is delivered when attempts to download software updates from legitimate servers using the (unencrypted) HTTP protocol results in a system compromise, paving the way for the deployment of a dropper DLL file.

The malicious dropper deployed as part of the compromised update process creates several files on disk and executes “RsStub.exe,” a binary associated with the Rising Antivirus software so as to launch “comx3.dll” by taking advantage of the fact the former is susceptible to DLL side-loading.

“comx3.dll” functions as a loader to execute a third file named “comx3.dll.txt,” which is an installer library responsible for activating the next-stage attack chain that culminates in the execution of the orchestrator component (“WIN.cfg”).

It’s currently not known how the threat actors deliver the dropper in the form of malicious updates, but Chinese threat actors like BlackTech, Evasive Panda, Judgement Panda, and Mustang Panda have taken advantage of compromised routers as a channel to distribute malware in the past.

ESET speculates that the attackers “are deploying a network implant in the networks of the victims, possibly on vulnerable network appliances such as routers or gateways.”

“The fact that we found no indications of traffic redirection via DNS might indicate that when the hypothesized network implant intercepts unencrypted HTTP traffic related to updates, it replies with the NSPX30 implant’s dropper in the form of a DLL, an executable file, or a ZIP archive containing the DLL.”

The orchestrator then proceeds to create two threads, one to obtain the backdoor (“msfmtkl.dat”) and another to load its plugins and add exclusions to allowlist the loader DLLs to bypass Chinese anti-malware solutions.

The backdoor is downloaded via an HTTP request to Baidu’s website www.baidu[.]com, a legitimate Chinese search engine, with an unusual User-Agent string that masquerades the request as originating from the Internet Explorer browser on Windows 98.

The response from the server is then saved to a file from which the backdoor component is extracted and loaded into memory.

NSPX30, as part of its initialization phase, also creates a passive UDP listening socket for receiving commands from the controller and exfiltrating data by likely intercepting DNS query packets in order to anonymize its command-and-control (C2) infrastructure.

The instructions allow the backdoor to create a reverse shell, collect file information, terminate specific processes, capture screenshots, log keystrokes, and even uninstall itself from the infected machine.

The disclosure comes weeks after SecurityScorecard revealed new infrastructure connected to another Beijing-nexus cyber espionage group known as Volt Typhoon (aka Bronze Silhouette) that leverages a botnet created by exploiting known security flaws in end-of-life Cisco RV320/325 routers (CVE-2019-1652 and CVE-2019-1653) operating across Europe, North America, and Asia Pacific.

“Approximately 30% of them (325 of 1,116 devices) communicated with two IP addresses previously named as proxy routers used for command-and-control (C2) communications, 174.138.56[.]21 and 159.203.113[.]25, in a thirty-day period,” the company said.

“Volt Typhoon may aim to use these compromised devices to transfer stolen data or connect to target organizations’ networks.”