
NSPX30 Spyware

An unidentified threat actor associated with China has emerged, engaging in several Adversary-in-the-Middle (AitM) attacks. These attacks involve hijacking update requests from legitimate software with the intention of delivering a sophisticated implant known as NSPX30. Researchers are monitoring this advanced persistent threat (APT) group, identifying it as 'Blackwood.' The findings suggest that this cybercrime group has been operational since at least 2018.

The NSPX30 implant has been detected in instances where it was deployed through the update mechanisms of well-known software, including Tencent QQ, WPS Office, and Sogou Pinyin. The targets of these attacks are companies involved in manufacturing, trading, and engineering in China and Japan. Additionally, individuals in China, Japan, and the U.K. have also been affected by these AitM attacks.

The NSPX30 Spyware is a Multi-Component Threat

NSPX30 represents a sophisticated multistage implant comprising various components, including a dropper, installer, loaders, orchestrator, and a backdoor. The backdoor and orchestrator each possess distinct sets of plugins. The implant's architecture was strategically designed to leverage packet interception capabilities, allowing NSPX30 operators to conceal their infrastructure effectively.

The origins of the backdoor, which can additionally evade several Chinese anti-malware solutions by adding itself to their allowlists, can be traced back to an earlier malware known as Project Wood, introduced in January 2005. Project Wood was crafted to gather system and network information, capture keystrokes, and take screenshots of victim systems.

The codebase of Project Wood has served as the groundwork for various implants, giving rise to derivatives such as DCM (also known as Dark Specter) in 2008. Subsequently, this malware was employed in targeted attacks against individuals of interest in Hong Kong and the Greater China area in both 2012 and 2014.

Attack Chain for the Deployment of the NSPX30 Spyware

NSPX30 is introduced through the compromise of systems attempting to download software updates via the (unencrypted) HTTP protocol from legitimate servers. This compromise facilitates the deployment of a dropper DLL file.

The malicious dropper, launched during the hijacked update process, writes multiple files to disk and starts 'RsStub.exe,' a binary associated with antivirus software. That binary is vulnerable to DLL side-loading, which the attackers exploit to launch 'comx3.dll.'

Subsequently, 'comx3.dll' serves as a loader, executing a third file named 'comx3.dll.txt.' This file functions as an installer library, triggering the next stage of the attack chain, ultimately leading to the execution of the orchestrator component ('WIN.cfg').
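A defender-side hunt for the on-disk chain described above, written as an added example that is neither the page's nor the researchers' code. It looks for the named files ('comx3.dll', 'comx3.dll.txt', 'WIN.cfg', and the backdoor file 'msfmtkl.dat' that the orchestrator later retrieves) sitting next to 'RsStub.exe', and separately for files with non-executable extensions that begin with a PE header; the header check assumes the payloads are stored unencoded on disk, which the page does not state, and the directory tree it scans is constructed inline.

```python
import os
import tempfile

# File names the write-up attributes to the NSPX30 chain. RsStub.exe is the antivirus
# binary abused as a side-loading host; the signal is the other files sitting beside it.
SIDELOAD_HOST = "rsstub.exe"
CHAIN_ARTIFACTS = {"comx3.dll", "comx3.dll.txt", "win.cfg", "msfmtkl.dat"}
NON_EXEC_EXT = (".txt", ".cfg", ".dat")  # extensions that should never hold a PE image

def looks_like_pe(path):
    """True if the file starts with the 'MZ' DOS header of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def scan_directory(dirpath, filenames):
    """Report chain files next to RsStub.exe and disguised PE images in one directory."""
    lower = {f.lower() for f in filenames}
    named = sorted(CHAIN_ARTIFACTS & lower) if SIDELOAD_HOST in lower else []
    # Assumption: payloads are stored as plain PE images. The page does not say so;
    # if they are encoded on disk this check stays silent and only 'named' fires.
    disguised = sorted(f for f in filenames if f.lower().endswith(NON_EXEC_EXT)
                       and looks_like_pe(os.path.join(dirpath, f)))
    if named or disguised:
        return {"dir": dirpath, "named": named, "disguised_pe": disguised}
    return None

def hunt(root):
    """Walk root and return every directory showing NSPX30 side-loading indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        finding = scan_directory(dirpath, files)
        if finding:
            findings.append(finding)
    return findings

def build_fixture():
    """Constructed sample tree: one benign AV install, one mimicking the described chain."""
    root = tempfile.mkdtemp(prefix="nspx30_hunt_")
    layout = {"clean_av": {"RsStub.exe": b"MZ", "readme.txt": b"plain notes"},
              "hijacked_update": {n: b"MZ" + b"\x90" * 16 for n in
                                  ("RsStub.exe", "comx3.dll", "comx3.dll.txt", "WIN.cfg")}}
    for sub, files in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name, data in files.items():
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(data)
    return root
```

`hunt(build_fixture())` runs the scan over the constructed tree and reports only the hijacked directory; point `hunt()` at a real software install root to use it.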

The specific method by which threat actors deliver the dropper in the form of bogus updates remains unknown. However, historical patterns indicate that Chinese threat actors, such as BlackTech, Evasive Panda, Judgement Panda, and Mustang Panda, have utilized compromised routers as a distribution channel for malware. Researchers suggest the possibility that the attackers are deploying a network implant within the victims' networks, potentially targeting vulnerable network appliances like routers or gateways.

The NSPX30 Spyware can Perform Specific Actions Based on C2 Commands

The orchestrator creates two threads: one dedicated to acquiring the backdoor ('msfmtkl.dat') and the other to loading its plugins and adding exclusions so that the loader DLLs can bypass Chinese anti-malware solutions.

To download the backdoor, an HTTP request is made to www.baidu[.]com, the legitimate Chinese search engine owned by Baidu. The request employs an unconventional User-Agent string, mimicking Internet Explorer on Windows 98 to disguise its origin. The server's response is saved to a file, and the backdoor component is then extracted and loaded into the system's memory.

As part of its initialization, NSPX30 opens a passive UDP listening socket to receive commands from the controller and to exfiltrate data. It likely does this by intercepting DNS query packets, which helps anonymize its Command-and-Control (C2) infrastructure.

The instructions provided to the backdoor enable various functionalities, including the creation of a reverse shell, gathering file information, terminating specific processes, capturing screenshots, logging keystrokes, and even uninstalling itself from the infected machine.
