Researchers from cybersecurity company ESET have uncovered a cyber threat actor that they’ve named “Blackwood.”

Believed to be active since at least 2018, Blackwood has been observed conducting cyberespionage attacks. As an advanced persistent threat (APT) group, Blackwood was found to be employing the NSPX30 implant, an advanced form of malware that traces its origins to the basic backdoor known as Project Wood, which was first identified in 2005.

Blackwood uses adversary-in-the-middle attacks and software update exploitation to deploy NSPX30. This multistage malware consists of a dropper and an installer that can bypass the User Account Control security feature in Windows. It also includes a loader, an orchestrator, and a backdoor, with the latter two featuring their own sets of plugins.

Figure: Project Wood timeline

The affected software includes the instant messaging software Tencent QQ, the productivity suite WPS Office, and the Chinese input method editor Sogou Pinyin. Upon successful deployment, the malware can perform extensive data theft. It’s capable of logging keystrokes, taking screenshots, reading chat logs, accessing files, and analyzing network data. It can also evade detection by adding itself to the allowlists of Chinese anti-malware tools. To cover its tracks, the backdoor component can even uninstall NSPX30 from an infected system.

ESET’s telemetry data indicates that the implant has been found in a number of systems, many of which are based in China. Among the affected are individuals in China and Japan, a Chinese-speaking individual at a UK university, a Chinese manufacturing and trading company, and a China branch of a Japanese corporation.

Source: ESET
