
Blackwood hackers hijack WPS Office update to install malware
2024-01-25 20:30

A previously unknown advanced threat actor tracked as 'Blackwood' is using sophisticated malware called NSPX30 in cyberespionage attacks against companies and individuals.

Researchers at cybersecurity company ESET discovered Blackwood and the NSPX30 implant in a campaign in 2020 and believe that the group's activities align with Chinese state interests.

Blackwood's targets are located in China, Japan, and the United Kingdom. A notable aspect of the group's activity is how NSPX30 reaches its victims: the implant is delivered by hijacking update requests made by legitimate software, including WPS Office, the Tencent QQ instant messaging platform, and the Sogou Pinyin input method editor.

This is not a supply-chain compromise, since the vendors' software and update servers are not themselves tampered with. Instead, Blackwood sits in the path of the unencrypted HTTP traffic between the victim's system and the update server and answers the update request with the implant in place of the legitimate file, an adversary-in-the-middle attack. How Blackwood gets into a position to intercept that traffic in the first place is still unknown.
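The model below is an added illustration, not code from the ESET report or from any of the affected products, of why a plaintext update channel is enough for this kind of hijack and what actually stops it. A constructed update server, an on-path attacker, and three update clients are simulated in-process (no network): one installs whatever arrives, one checks a hash but fetches the manifest over the same unauthenticated path, and one checks against a value pinned in the client. The paths, payloads, and manifest format are all assumptions made for the example; the pinned hash stands in for what a real updater would do with a pinned code-signing key and a signed manifest.

```python
import hashlib
import hmac
import json

# Constructed sample artifacts (not real WPS Office, QQ or Sogou Pinyin files).
LEGIT_UPDATE = b"LEGIT-UPDATE-PAYLOAD v2.1.0"
IMPLANT = b"IMPLANT-STAND-IN (models the substituted NSPX30 dropper)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class UpdateServer:
    """The vendor's update host, reached over plaintext HTTP (assumed paths)."""

    def get(self, path: str):
        if path == "/update/latest.bin":
            return 200, LEGIT_UPDATE
        if path == "/update/manifest.json":
            manifest = {"version": "2.1.0", "sha256": sha256_hex(LEGIT_UPDATE)}
            return 200, json.dumps(manifest).encode()
        return 404, b""


class OnPathAttacker:
    """Adversary-in-the-middle on the plaintext path. It rewrites whatever the
    client asks for; how Blackwood reaches this position is not known."""

    def __init__(self, upstream):
        self.upstream = upstream

    def get(self, path: str):
        status, body = self.upstream.get(path)
        if path == "/update/latest.bin":
            return 200, IMPLANT
        if path == "/update/manifest.json":
            # Rewrite the published hash so it matches the substituted payload.
            manifest = {"version": "2.1.0", "sha256": sha256_hex(IMPLANT)}
            return 200, json.dumps(manifest).encode()
        return status, body


def naive_client(transport):
    """Installs whatever the update URL returns: the behaviour the hijack relies on."""
    status, body = transport.get("/update/latest.bin")
    return body if status == 200 else None


def manifest_over_same_path_client(transport):
    """Checks a hash, but fetches the manifest over the same unauthenticated
    channel, so the attacker rewrites both and the check passes anyway."""
    status, manifest_bytes = transport.get("/update/manifest.json")
    if status != 200:
        return None
    expected = json.loads(manifest_bytes)["sha256"]
    status, body = transport.get("/update/latest.bin")
    if status != 200 or not hmac.compare_digest(sha256_hex(body), expected):
        return None
    return body


# Trust anchor shipped inside the client (assumption: delivered at build time or
# over an authenticated channel the on-path attacker cannot alter).
PINNED_MANIFEST = {"version": "2.1.0", "sha256": sha256_hex(LEGIT_UPDATE)}


def pinned_client(transport, pinned=PINNED_MANIFEST):
    """Verifies the download against a value the on-path attacker cannot touch."""
    status, body = transport.get("/update/latest.bin")
    if status != 200 or not hmac.compare_digest(sha256_hex(body), pinned["sha256"]):
        return None
    return body


if __name__ == "__main__":
    attacked_path = OnPathAttacker(UpdateServer())
    for name, client in [("naive", naive_client),
                         ("manifest-over-http", manifest_over_same_path_client),
                         ("pinned", pinned_client)]:
        result = client(attacked_path)
        print(f"{name:20s} -> {'REJECTED' if result is None else result.decode()}")
```

The second client is the instructive one: an integrity check is only as strong as the channel that delivered the expected value, so a hash published next to the binary over the same plaintext HTTP adds nothing against an attacker who controls that path. Moving the update channel to TLS with proper certificate validation, or verifying a signature with a key pinned in the client, removes the attacker's ability to substitute the response; both are the checks a practitioner should look for when auditing an updater.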

Based on their analysis, the researchers believe that the original backdoor from which the NSPX30 custom implant evolved was written by skilled malware developers.

News URL

https://www.bleepingcomputer.com/news/security/blackwood-hackers-hijack-wps-office-update-to-install-malware/