NSPX30 is a sophisticated multistage malware implant that was recently discovered by ESET researchers. Its lineage traces back to Project Wood, a small backdoor from 2005, and it has been attributed to the China-aligned APT group Blackwood. The malware uses a unique delivery method: it is deployed through adversary-in-the-middle (AitM) attacks that hijack update requests from legitimate software such as Tencent QQ, WPS Office, and Sogou Pinyin. This approach lets the attackers plant their backdoor on target systems without resorting to common infection vectors like phishing or malicious web pages. However, the exact tool that enables the initial compromise of targets remains unknown.
The malware consists of several components, including a dropper, an installer, loaders, an orchestrator, and a backdoor. Its design revolves around the attackers' ability to intercept packets, which also helps them hide their infrastructure. Once installed, NSPX30 can perform various malicious activities, such as establishing a reverse shell, adding itself to the allowlists of Chinese antivirus tools, and intercepting network traffic. Despite what is known of these capabilities, the full set of components making up this multistage implant has not yet been established.
Given the threat posed by NSPX30, it is critical for organizations to ensure that their endpoint protection tools are capable of blocking this malware. ESET senior malware researcher Mathieu Tartare advises watching closely for malware detections associated with legitimate software. Because NSPX30 abuses unencrypted HTTP connections to inject its backdoor during software updates, it is also recommended that software providers switch to encrypted HTTPS connections for update traffic to mitigate such threats.
Description last updated: 2024-11-28T11:56:46.760Z