Security News > 2024 > January > Blackwood hackers hijack WPS Office update to install malware
A previously unknown advanced threat actor tracked as 'Blackwood' is using sophisticated malware called NSPX30 in cyberespionage attacks against companies and individuals.
Researchers at cybersecurity company ESET discovered Blackwood and the NSPX30 implant in a campaign in 2020 and believe that the group's activities align with Chinese state interests.
Blackwood's targets are in China, Japan, and the United Kingdom and delivered the malware through the update mechanisms of legitimate software like WPS Office, the Tencent QQ instant messaging platform, and the Sogou Pinyin document editor.
A notable aspect of Blackwood's activities is the ability to deliver NSPX30 by hijacking update requests made by legitimate software, including Tencent QQ, WPS Office, and Sogou Pinyin.
This is different from a supply-chain compromise because Blackwood intercepts unencrypted HTTP communication between the victim's system and the update server and intervenes to deliver the implant instead. The exact mechanism that enables Blackwood to intercept that traffic in the first place is unknown.
Based on their analysis, the researchers believe that the original backdoor at the root of the evolution of the NSPX30 custom implant seems to have been developed by skilled malware developers.
News URL
Related news
- North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS (source)
- North Korean hackers use new macOS malware against crypto firms (source)
- Unpatched Mazda Connect bugs let hackers install persistent malware (source)
- North Korean Hackers Target macOS Using Flutter-Embedded Malware (source)
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations (source)
- Chinese hackers target Linux with new WolfsBane malware (source)
- Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia (source)
- North Korean Hackers Steal $10M with AI-Driven Scams and Malware on LinkedIn (source)