Security News > 2024 > January > Blackwood APT delivers malware by hijacking legitimate software update requests

ESET researchers have discovered NSPX30, a sophisticated implant used by a new China-aligned APT group, which they dubbed Blackwood.

It leverages adversary-in-the-middle techniques to hijack update requests from legitimate software to deliver the implant.

ESET Research named Blackwood and the backdoor Project Wood based on a recurring theme in a mutex name.

The machine had become what is commonly referred to as a "Threat magnet," as ESET Research detected attempts by attackers to use malware toolkits associated with multiple APT groups.

Using ESET telemetry, ESET Research determined that machines are compromised when legitimate software attempts to download updates from legitimate servers using the HTTP protocol.

"How exactly the attackers are able to deliver NSPX30 as malicious updates remains unknown to us, as we have yet to discover the tool that enables the attackers to compromise their targets initially," says ESET researcher Facundo Muñoz, who discovered NSPX30 and Blackwood.

News URL

https://www.helpnetsecurity.com/2024/01/25/blackwood-apt-nspx30/