According to a recently published report by security firm ESET, a new sophisticated Advanced Persistent Threat (APT) group called Blackwood has emerged from the shadows.
Researchers discovered that the APT group was conducting cyberespionage campaigns against businesses and individuals. Based on what was found, the group has been active since 2018.
The campaign, discovered by ESET, is believed to have started in 2020 and aligns with Chinese geopolitical interests. Blackwood's targets were primarily based in China, Japan, and the United Kingdom.
ESET also believes that Blackwood possibly shares access with other Chinese APT groups, as it observed the system of one company being targeted by toolkits associated with multiple actors, e.g., Evasive Panda, LuoYu, and LittleBear.
The activities of Blackwood were discovered when ESET systems detected a surge in malicious activity targeting an organization in China, with the activity using malware toolkits already associated with the likes of Evasive Panda and LuoYu.
Researchers noted the following victims, whose profiles support attributing the activity to a possible Chinese APT group:
- unidentified individuals located in China and Japan,
- an unidentified Chinese-speaking individual connected to the network of a high-profile public research university in the United Kingdom,
- a large manufacturing and trading company in China, and
- the office in China of a Japanese corporation in the engineering and manufacturing vertical.
Central to Blackwood's capabilities is its malware payload. The malware delivered is NSPX30, a malware codebase developed over the years from a backdoor discovered in 2005. NSPX30 has evolved constantly since then, and Blackwood has furthered the malware's capabilities.
During our research into the NSPX30 implant, we mapped its evolution back to an early ancestor – a simple backdoor we’ve named Project Wood. The oldest sample of Project Wood we could find was compiled in 2005, and it seems to have been used as the codebase to create several implants. One such implant, from which NSPX30 evolved, was named DCM by its authors in 2008.
The oldest sample of NSPX30 that we have found was compiled on June 6th, 2018. NSPX30 has a different component configuration than DCM because its operation has been divided into two stages, relying fully on the attacker’s AitM capability. DCM’s code was split into smaller components.
NSPX30, as used by Blackwood, has several interesting features. Firstly, it is a multistage implant with several components, such as a dropper, an installer, loaders, an orchestrator, and a backdoor. Both of the latter two have their own sets of plugins.
Secondly, the malware's implant module was designed around the attackers' capability to conduct packet interception, enabling NSPX30 operators to hide their infrastructure.
Lastly, it can add itself to the allowlists of several Chinese anti-malware solutions. This means the malware is treated as a trusted application rather than detected as a threat.
The AitM capability mentioned above stands for adversary-in-the-middle and is the main way Blackwood was seen distributing NSPX30 in the campaign discovered by ESET researchers.
An Adversary-in-the-Middle (AitM) attack is a variant of the well-known Man-in-the-Middle (MitM) attack, in which malicious actors position themselves between two communicating parties to eavesdrop on, intercept, or manipulate data traffic.
AitM attacks, however, go beyond the mere interception typical of MitM attacks and include malware delivery (as seen in this example), spoofing, data harvesting, and credential harvesting.
Blackwood's use of AitM
Blackwood used AitM attack methodologies to hijack update requests from legitimate software packages. Software packages abused in this way by Blackwood include Tencent QQ, WPS Office, and Sogou Pinyin.
While researchers have a good idea of how the malware is delivered, they are not 100% sure, as the tool used to carry out the initial compromise has yet to be discovered.
Researchers believe the attackers are deploying a network implant in the victims' networks, possibly on vulnerable network appliances such as routers or gateways.
Since no indications of traffic redirection via DNS were found, researchers believe that the hypothesized network implant intercepts unencrypted HTTP traffic related to updates and replies with the NSPX30 implant's dropper. This can be a DLL, an executable file, or a ZIP archive containing the DLL.
Researchers discovered that, to download the backdoor, the implant sends an HTTP request to Baidu's website, a legitimate Chinese search engine and software provider. The request masquerades as Internet Explorer on Windows 98. The response from the server is saved to a file, from which the backdoor component is extracted and loaded into memory.
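The two network behaviours described above (a plaintext HTTP update request answered with a DLL, executable, or ZIP, and a backdoor download whose User-Agent claims an obsolete browser and operating system) are both visible in proxy logs. The following is an added detection example, written for this article and not code from ESET or the Blackwood report. The JSON-lines log format, its field names, the update-path keywords, the obsolete-platform patterns, the exact User-Agent string, and all sample records are assumptions constructed for the example.

```python
"""
Added detection example (not ESET's code, not from the Blackwood report).

Triages constructed HTTP proxy log records for two behaviours the article
describes: a plain-HTTP software-update request whose response body is an
executable or archive (the condition an AitM network implant exploits when
it swaps in a dropper), and a request whose User-Agent claims an obsolete
client platform (the backdoor's Baidu request is described as masquerading
as Internet Explorer on Windows 98).

Log format, field names, path keywords and sample records are assumptions.
"""
import json
import re

# Path fragments that commonly identify an update check (assumption).
UPDATE_PATH_RE = re.compile(r"(update|upgrade|patch|version|getnew)", re.IGNORECASE)

# Magic bytes: "MZ" for PE executables/DLLs, "PK" for ZIP archives.
EXECUTABLE_MAGIC = (b"MZ", b"PK")

# User-Agent fragments of long-obsolete client platforms (assumption).
OBSOLETE_UA_RE = re.compile(r"Windows 98|Windows 95|MSIE [1-6]\.", re.IGNORECASE)


def body_prefix_from_hex(body_hex: str) -> bytes:
    """Decode the hex-encoded leading bytes of the response body stored in the log."""
    try:
        return bytes.fromhex(body_hex)
    except ValueError:
        return b""


def triage_record(rec: dict) -> list:
    """Return the list of finding names for one proxy log record (empty means clean)."""
    findings = []
    url = rec.get("url", "")
    plaintext = url.lower().startswith("http://")
    update_like = bool(UPDATE_PATH_RE.search(url))
    prefix = body_prefix_from_hex(rec.get("resp_body_prefix_hex", ""))
    # Rule 1: an unencrypted update request that came back with a binary payload.
    if plaintext and update_like and prefix.startswith(EXECUTABLE_MAGIC):
        findings.append("plaintext_update_returned_executable")
    # Rule 2: a client claiming an obsolete browser/OS combination.
    if OBSOLETE_UA_RE.search(rec.get("user_agent", "")):
        findings.append("obsolete_user_agent")
    return findings


def triage_log(lines) -> dict:
    """Map each record id to its findings; unparsable lines are skipped."""
    results = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = triage_record(rec)
        if hits:
            results[rec.get("id", "?")] = hits
    return results


# Constructed sample records (JSON lines), not real telemetry.
SAMPLE_LOG = [
    json.dumps({"id": "r1", "url": "http://example-updates.invalid/app/update.xml",
                "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                "resp_body_prefix_hex": "3c3f786d6c"}),    # "<?xml": normal manifest
    json.dumps({"id": "r2", "url": "http://example-updates.invalid/app/update.xml",
                "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                "resp_body_prefix_hex": "4d5a90000300"}),  # "MZ": PE served to an update check
    json.dumps({"id": "r3", "url": "http://example-updates.invalid/app/update.zip",
                "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                "resp_body_prefix_hex": "504b0304"}),      # "PK": ZIP over plaintext HTTP
    json.dumps({"id": "r4", "url": "https://example-updates.invalid/app/update.zip",
                "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                "resp_body_prefix_hex": "504b0304"}),      # same over HTTPS: not flagged by rule 1
    json.dumps({"id": "r5", "url": "http://www.baidu.com/",
                "user_agent": "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",  # constructed UA
                "resp_body_prefix_hex": "3c21444f"}),      # "<!DO": ordinary HTML
    "this line is not json",
]

if __name__ == "__main__":
    for rid, hits in triage_log(SAMPLE_LOG).items():
        print(rid, ",".join(hits))
```

Rule 1 deliberately fires on any binary delivered to a plaintext update endpoint, including legitimate updaters that still fetch installers over HTTP: the hit marks an exposure that an on-path implant could exploit, not proof of compromise, so the follow-up is to verify the returned file against the vendor's signed release and to move the updater to HTTPS. Rule 2 is a cheap anomaly signal; an inventory of genuinely old clients in the environment is needed before it is turned into an alert.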
Upon initialization, the backdoor attempts to create a listening socket and lets the operating system choose the port. Firewalls could block this, and the implant controller needs to know the compromised machine's IP address and port in order to contact the backdoor.
These potential problems are solved by using the same port on which the backdoor listens for commands to also exfiltrate the collected data, so the network implant knows exactly where to forward the packets.
In conclusion, researchers noted,
Using the attackers’ AitM capability to intercept packets is a clever way to hide the location of their C&C infrastructure. We have observed victims located outside of China – that is, in Japan and the United Kingdom – against whom the orchestrator was able to deploy the backdoor. The attackers then sent commands to the backdoor to download plugins; for example, the victim from the UK received two plugins designed to collect information and chats from Tencent QQ. Therefore, we know that the AitM system was in place and working, and we must assume that the exfiltration mechanism was as well.