Blackwood APT Uses AitM Attacks to Target Software Updates


Blackwood APT uses AitM attacks to target software updates. Is your organization prepared?

Recently, ESET researchers observed an attacker nicknamed Blackwood using an advanced multistage implant, dubbed NSPX30, to infect devices via adversary-in-the-middle (AitM) attacks (also referred to as man-in-the-middle attacks). These attacks manipulated the update processes of legitimate software applications, including Tencent QQ, WPS Office, and Sogou Pinyin. The attacker, a China-aligned APT group that has been active since at least 2018, is attributed with conducting cyberespionage activities targeting individuals and companies in China, Japan, and the United Kingdom.

Investigations revealed that NSPX30 evolved from a minor backdoor developed as far back as 2005 and known as Project Wood. The Project Wood code has been the foundation for various implants, including one known as DCM, that has been used by a number of cyber threat actors since 2008. ESET notes that variants of the Project Wood backdoor have been part of several malware analysis reports spanning multiple decades.

Let's review the technical breakdown of NSPX30 and cover the various positions that AitM attackers can take to compromise the CIA (confidentiality, integrity, and availability) of a victim. 

NSPX30 Hijacks Updates For Initial Access

Project Wood, initially developed in 2005, consisted of a loader and a backdoor. The backdoor component's primary capabilities include collecting system and network information, as well as recording and exfiltrating keystrokes and screenshots. 

The modern variant of the Project Wood backdoor, NSPX30, compromises systems when they attempt to download and install legitimate updates over the HTTP protocol. Since HTTP (as opposed to TLS-encrypted HTTPS) does not authenticate the source of connections, any data passed over HTTP should be considered inherently untrustworthy.

According to ESET, delivering NSPX30 malware does not rely on DNS spoofing to redirect update requests to the attacker's malicious domain. Instead, the Blackwood APT appears to use a network implant within routers or other network devices to opportunistically replace downloaded updates with malicious data as the update enters the victim's network. Further analysis of the final NSPX30 backdoor malware reveals that it is capable of allowlisting itself in several Chinese anti-malware solutions and uses a DLL loader for persistent access to the victim's machine.
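Because the replacement happens in the network path rather than in DNS, defenders can look for it in proxy or network-sensor records. The following is an added example, not code from ESET or from the original article: it lists executable downloads that still travel over cleartext HTTP and flags clients that received a different body than their peers for the same URL. The log layout, host names, and digests are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed records: client, URL, MIME type, SHA-256 prefix of the response body
SAMPLE_LOG = """\
10.0.0.11 http://update.vendor-a.example/pkg/client_2.1.exe application/octet-stream 9f2c11aa
10.0.0.12 http://update.vendor-a.example/pkg/client_2.1.exe application/octet-stream 9f2c11aa
10.0.0.13 http://update.vendor-a.example/pkg/client_2.1.exe application/octet-stream 41d0e7b3
10.0.0.11 https://dl.vendor-b.example/setup.msi application/x-msi 77aa0c19
10.0.0.14 http://news.example/index.html text/html 0b5e9d20
"""

EXEC_SUFFIXES = (".exe", ".dll", ".msi", ".cab", ".zip")
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-msi"}

def audit(log):
    """Return (cleartext executable URLs, {url: clients whose body differed})."""
    cleartext = set()
    digests = defaultdict(lambda: defaultdict(set))  # url -> digest -> clients
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of guessing at fields
        client, raw_url, mime, digest = parts
        url = urlsplit(raw_url)
        if not (url.path.lower().endswith(EXEC_SUFFIXES) or mime.lower() in EXEC_TYPES):
            continue  # only executable-looking downloads are of interest
        key = f"{url.hostname}{url.path}"
        if url.scheme == "http":
            cleartext.add(key)  # exposed to modification by any in-path device
        digests[key][digest.lower()].add(client)
    divergent = {}
    for key, by_digest in digests.items():
        if len(by_digest) > 1:
            # Treat the most widely seen body as the baseline, report the rest
            common = max(by_digest, key=lambda d: len(by_digest[d]))
            divergent[key] = sorted(
                c for d, clients in by_digest.items() if d != common for c in clients
            )
    return sorted(cleartext), divergent

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A differing digest is a lead rather than proof, since staged or per-region rollouts can legitimately serve different builds under one URL.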

Understanding Adversary In The Middle (AitM) Positions

There are many adversary-in-the-middle (AitM) positions that allow an attacker to either steal data or impact connection integrity by modifying data in transit. Each AitM position between the client devices and the server offers unique opportunities for attackers and challenges for defenders, and defending against such a wide range of potential attack vectors requires comprehensive security measures. Penetration testing is considered an essential security activity for gaining strong assurances that an organization is well protected against AitM attacks.

Here are the most common AitM attack positions that defenders need to consider:

AitM From Within A Device

By installing malware or exploiting other vulnerabilities on a victim's device, attackers can intercept and manipulate incoming or outgoing data. This can happen at the network interface level or at the application level.

AitM From An Internal Network Position

  • Corporate Network Devices: Infiltrating devices such as wired or wireless routers, switches, firewalls, VPN servers, DNS servers, or proxy servers within a corporate network can provide access to traffic passing through them and the opportunity to modify data.

  • Tapping Physical Cables: Physically tapping into communication wires such as ethernet or fiber optic cables also gives an attacker access to any data passing through them. Ensuring that all communication is encrypted in transit can mitigate the risk of this simple attack vector.

  • Wireless Sniffing: When connected to the same wireless environment, attackers can capture and analyze data transmitted over Wi-Fi networks. It's important to segment guests on wireless networks and to make sure that private wireless networks use strong passwords or enterprise-grade authentication so that attackers cannot easily connect to them.

AitM Via Cloud Infrastructure

  • On Legitimate Website’s Infrastructure: By compromising a legitimate website, attackers can manipulate the site to intercept data from its users.  This can allow the attacker to steal credit card or other personal information submitted to the legitimate website.

  • Cloud Services Providers: Compromising cloud infrastructure could give attackers access to the data of multiple tenants. Known as VM escape, this increases the risk of using public cloud infrastructure. 

Internet Service Provider (ISP) Infrastructure

  • Rogue ISPs: Individuals and businesses cannot gain access to the global Internet without going through an ISP, making ISP infrastructure a powerful AitM position. ISPs have direct access to monitor and modify all unencrypted data as it travels through their networks. Each nation state regulates what ISPs can and cannot do legally, making it critical to assess the national laws, regulations, and national security policies that apply to the location you are operating from.

  • Internet Backbone: It is also possible for almost anyone to access critical Internet infrastructure since it generally exists in locations that are physically accessible by anyone. Physical access to telephone, coaxial, or fiber-optic cables can give attackers the ability to intercept and potentially modify massive amounts of data.

  • Cellular Networks: By exploiting vulnerabilities in cellular networks, attackers can intercept calls, messages, and data traffic. Attackers can also deploy devices that mimic legitimate cellular network towers, tricking user devices into connecting to them. 

  • Public Wi-Fi Networks: Attackers can set up rogue Wi-Fi access points in public places or compromise existing ones to intercept data from connected devices. Using a VPN can reduce the risks associated with using public Wi-Fi, but it's important to use a full-tunnel VPN with strong encryption to effectively mitigate the risks.


ESET's research has uncovered a sophisticated attack by the Blackwood APT group that deploys a new variant - NSPX30 - of an older backdoor with origins going back to 2005. NSPX30 is deployed via AitM attacks that replace the unencrypted legitimate software updates of applications like Tencent QQ, WPS Office, and Sogou Pinyin. The threat actor, Blackwood, has targeted individuals and companies in China, Japan, and the UK.

This investigation highlights the importance of using HTTPS to encrypt and authenticate all connections and also underscores the importance of assessing your organization's resilience against AitM attacks of all kinds.
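On the client side, that recommendation translates into an updater that refuses any cleartext hop and checks what arrived before installing it. The following is an added example, not code from any of the affected vendors or from the original article: `evaluate_update`, the manifest fields, and the sample URLs and payloads are hypothetical, and the manifest is assumed to have been retrieved over a certificate-validated TLS connection.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

def evaluate_update(manifest, fetch_chain, payload):
    """Return 'install' or 'reject: <reason>' for a downloaded update.

    manifest    -- dict with 'url', 'size', 'sha256' (hypothetical layout),
                   assumed to come from a certificate-validated TLS connection
    fetch_chain -- every URL actually requested, redirects included
    payload     -- the bytes that arrived
    """
    # A single HTTP hop, even after an HTTPS start, lets an in-path
    # device substitute the body, so every hop must be HTTPS.
    for hop in [manifest["url"], *fetch_chain]:
        if urlsplit(hop).scheme != "https":
            return f"reject: cleartext hop {hop}"
    if len(payload) != manifest["size"]:
        return "reject: size mismatch"
    # Size alone proves nothing; compare the digest in constant time.
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, manifest["sha256"].lower()):
        return "reject: digest mismatch"
    return "install"

# Constructed sample data; REPLACED has the same length as GENUINE on purpose
GENUINE = b"MZ genuine vendor update build 2.1 (constructed)"
REPLACED = GENUINE.replace(b"genuine", b"swapped")
UPDATE_URL = "https://updates.vendor.example/client_2.1.exe"
DOWNGRADE_URL = "http://cdn.vendor.example/client_2.1.exe"
MANIFEST = {
    "url": UPDATE_URL,
    "size": len(GENUINE),
    "sha256": hashlib.sha256(GENUINE).hexdigest(),
}

if __name__ == "__main__":
    print(evaluate_update(MANIFEST, [UPDATE_URL], GENUINE))
    print(evaluate_update(MANIFEST, [UPDATE_URL, DOWNGRADE_URL], GENUINE))
    print(evaluate_update(MANIFEST, [UPDATE_URL], REPLACED))
```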
