NSPX30

Malware updated 2 months ago (2024-08-28T10:17:56.511Z)
NSPX30 is a sophisticated multistage malware implant developed by the China-aligned APT group Blackwood. It traces back to a small backdoor from 2005, dubbed Project Wood, and has since evolved into a complex system with several components: a dropper, an installer, loaders, an orchestrator, and a backdoor. The implant's design revolves around the attackers' ability to intercept packets, which lets operators conceal their infrastructure.

The initial delivery method of NSPX30 remains unclear; however, it has been observed being deployed via the update mechanisms of legitimate software such as Tencent QQ, WPS Office, and Sogou Pinyin. In a recent attack discovered by ESET researchers, NSPX30 was deployed through adversary-in-the-middle (AitM) attacks that hijacked update requests from legitimate software. Unlike typical malware distribution methods such as phishing or infected webpages, this technique abuses the unencrypted HTTP connections that legitimate programs use to download updates, substituting the backdoor for the expected update. The software products used to spread NSPX30 are platforms popular in China: WPS Office, the QQ instant messaging service, and the Sogou Pinyin input method editor.

NSPX30's capabilities include establishing a reverse shell, adding itself to the allowlists of Chinese antivirus tools, and intercepting network traffic, which makes it a potent tool for cyber espionage. Mathieu Tartare, senior malware researcher at ESET, advises users to ensure that their endpoint protection tool blocks NSPX30 and to pay attention to malware detections associated with legitimate software. NSPX30 represents the culmination of cyber espionage efforts dating back nearly two decades.
Description last updated: 2024-08-28T10:16:25.718Z
Aliases: We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Eset
Implant
AITM
Dropper