Blog

Blackwood APT uses AitM attacks that are set to target software updates. Is your organization prepared?

At the beginning of 2024, ESET researchers observed an attacker nicknamed Blackwood using an advanced multistage implant, dubbed NSPX30, to infect devices via adversary-in-the-middle (AitM) attacks, a broader and more sophisticated technique than traditional man-in-the-middle attacks (MITM). These attacks manipulated the update processes of legitimate software applications, including Tencent QQ, WPS Office, and Sogou Pinyin, and have since expanded to other commonly used software in China and Japan. The attacker, an APT group aligned with China that has been active since at least 2018, is attributed to conducting cyber espionage activities targeting individuals and companies in China, Japan and the United Kingdom.

Investigations revealed that NSPX30 evolved from a backdoor known as Project Wood, which was developed as far back as 2005. Project Wood's codebase served as the foundation for several other implants, including one known as DCM, which has been utilized by a number of cyber threat actors since 2008. ESET noted that variants of the Project Wood backdoor have been part of several malware analysis reports spanning multiple decades.

Let's review the technical breakdown of NSPX30 and cover the various positions that AitM attackers can take to compromise a victim's CIA (confidentiality, integrity, and availability).

NSPX30 Hijacks Updates For Initial Access

Project Wood, initially developed in 2005, consisted of two main components: a loader and a backdoor. The backdoor's primary capabilities include gathering system and network information, recording keystrokes, capturing screenshots, and exfiltrating this data to the attackers.

The modern variant of the Project Wood backdoor, NSPX30, targets systems attempting to download and install legitimate updates via HTTP protocol. Since HTTP (as opposed to TLS-encrypted HTTPS) does not provide encryption or authentication, any data transmitted over it is vulnerable to interception and manipulation.

According to ESET, NSPX30's delivery does not rely on DNS spoofing techniques to redirect update requests to the attacker's malicious domain. Instead, the Blackwood APT appears to deploy a network implant within routers or other network devices, which allows them to opportunistically replace legitimate updates with malicious data as the update enters the victim's network. Further analysis shows that the NSPX30 can allowlist itself within several Chinese anti-malware solutions and uses a DLL loader to maintain persistent access to the victim's machine.

Understanding Adversary In The Middle (AitM) Positions

Adversary in the Middle (AitM) attacks involve several positions where attackers can intercept and manipulate data between client devices and servers, enabling them to either steal sensitive data or compromise the integrity of the connection by modifying data in transit. Each AitM position offers unique opportunities for exploitation and presents challenges for defenders. Defending against the wide range of AitM attack vectors requires layered security approaches, including encryption protocols, network segmentation, and continuous monitoring.

Penetration testing is a critical security practice that helps organizations assess their vulnerability by simulating real-world attack scenarios and provides valuable insights into potential weaknesses, enabling organizations to enhance their defenses and ensure robust protection against such threats.

Here are some of the most common AitM attack positions for defenders to consider:

AitM From Within a Device

Attackers can intercept and manipulate data by installing malware or exploiting other vulnerabilities on a victim's device.

This can happen at the network interface level, where data is captured as it travels to or from the device, or at the application level, where attackers manipulate data directly within the software running on the device.

AitM From an Internal Network Position:

• Corporate Network Devices: Infiltrating corporate network devices such as wired or wireless routers, switches, firewalls, VPN servers, DNS servers, or proxy servers can allow attackers to access and modify traffic passing through these devices.

• Tapping Physical Cables: Attackers can physically tap into communication wires such as ethernet or fiber optic cables to access transmitted data. Encrypting all communication in transit with robust encryption algorithms is essential to mitigating this risk, as it ensures that intercepted data remains secure and unreadable.

• Wireless Sniffing: When connected to the same wireless network, attackers can capture and analyze data transmitted over the wireless networks. To prevent unauthorized access, it is essential to segment guest networks from private ones and ensure that private wireless networks use strong passwords and enterprise-grade authentication methods, such as WPA3, to secure wireless communications.

AitM Via Cloud Infrastructure:

• On Legitimate Website’s Infrastructure: By compromising a legitimate website, attackers can manipulate the site to intercept user data. This allows attackers to steal sensitive information, such as credit card details or other personal data submitted to the website.

• Cloud Services Providers: Compromising cloud infrastructure can grant attackers access to the data of multiple tenants. One significant risk is "VM escape," where an attacker breaks out of one virtual machine to access others. There is an increased risk associated with using public cloud infrastructure. It is crucial to implement the best security practices and regular monitoring to mitigate these risks.

Internet Service Provider (ISP) Infrastructure:

• Rogue ISPs: Since individuals and businesses rely on ISPs to access the global internet, ISP infrastructure represents a powerful AiTM position. ISPs can monitor and modify all unencrypted data as it passes through their networks. The legal regulations governing ISPs vary by each nation-state. Therefore, it is essential to understand the national laws, regulations, and security policies applicable to your operational location.

• Internet Backbone: Critical Internet infrastructure, such as telephone, coaxial, or fiber-optic cables, often exists in physically accessible locations. Attackers with physical access to the infrastructure can intercept and potentially modify vast amounts of data.

• Cellular Networks: By exploiting vulnerabilities in cellular networks, attackers can intercept calls, messages, and data traffic. Attackers can also

  deploy devices that mimic legitimate cellular towers, tricking user devices into connecting and capturing data transmitted through them.

• Public Wi-Fi Networks: Attackers can set up rogue access points in public places or compromise existing ones to intercept data from connected devices. Using a VPN can reduce the risks associated with using public Wi-Fi. It is important to use a full-tunnel VPN with strong encryption to effectively mitigate the risks.

Conclusion

ESET's research has uncovered a sophisticated attack by the Blackwood APT group that deploys a new variant - NSPX30 - of an older backdoor with origins dating back to 2005. NSPX30 is deployed via Adversary-in-the-Middle (AitM) attacks that replace the unencrypted legitimate software updates of applications like Tencent QQ, WPS Office, and Sogou Pinyin with malicious versions. The threat actor, Blackwood APT group, has targeted individuals and companies in China, Japan, and the UK.

This investigation highlights the importance of using HTTPS to encrypt and authenticate all connections, ensuring that data in transit is secure from interception and manipulation. It also underscores the necessity of assessing your organization's resilience against sophisticated AitM attacks.

Looking for more industry trends and news? Here at Packetlabs, our PTaaS services are 95% manual: this is a testament to our commitment to both quality and security. We strive to ensure that the best test results are delivered to our clients. Our in-depth testing ensures that no stone is left unturned, and even the most minute of weaknesses can be found and eliminated.

Contact us today or join our newsletter for cybersecurity education and implementation that goes beyond the checkbox.