ESET researchers provide an analysis of an attack carried out by a previously undisclosed China-aligned threat actor we have named Blackwood, and that we believe has been operating since at least 2018. The attackers deliver a sophisticated implant, which we named NSPX30, through adversary-in-the-middle (AitM) attacks hijacking update requests from legitimate software.
Key points in this blogpost:
We discovered the NSPX30 implant being deployed via the update mechanisms of legitimate software such as Tencent QQ, WPS Office, and Sogou Pinyin.
We have detected the implant in targeted attacks against Chinese and Japanese companies, as well as against individuals located in China, Japan, and the United Kingdom.
Our research traced the evolution of NSPX30 back to a small backdoor from 2005 that we have named Project Wood, designed to collect data from its victims.
NSPX30 is a multistage implant that includes several components such as a dropper, an installer, loaders, an orchestrator, and a backdoor. Both of the latter two have their own sets of plugins.
The implant was designed around the attackers’ capability to conduct packet interception, enabling NSPX30 operators to hide their infrastructure.
NSPX30 is also capable of allowlisting itself in several Chinese antimalware solutions.
We attribute this activity to a new APT group that we have named Blackwood.
Blackwood Profile
Blackwood is a China-aligned APT group active since at least 2018, engaging in cyberespionage operations against Chinese and Japanese individuals and companies. Blackwood has capabilities to conduct adversary-in-the-middle attacks to deliver the implant we named NSPX30 through updates of legitimate software, and to hide the location of its command and control servers by intercepting traffic generated by the implant.
Campaign overview
In 2020, a surge of malicious activity was detected on a targeted system located in China. The machine had become what we commonly refer to as a “threat magnet”, as we detected attempts by attackers to use malware toolkits associated with different APT groups: Evasive Panda, LuoYu, and a third threat actor we track as LittleBear.
On that system we also detected suspicious files that did not belong to the toolkits of those three groups. This led us to start an investigation into an implant we named NSPX30; we were able to trace its evolution all the way back to 2005.
According to ESET telemetry, the implant was detected on a small number of systems. The victims include:
unidentified individuals located in China and Japan,
an unidentified Chinese-speaking individual connected to the network of a high-profile public research university in the United Kingdom,
a large manufacturing and trading company in China, and
the office in China of a Japanese corporation in the engineering and manufacturing vertical.
We have also observed that the attackers attempt to re-compromise systems if access is lost.
Figure 1 is a geographical distribution of Blackwood’s targets, according to ESET telemetry.
Figure 1. Geographical distribution of Blackwood victims
NSPX30 evolution
During our research into the NSPX30 implant, we mapped its evolution back to an early ancestor – a simple backdoor we’ve named Project Wood. The oldest sample of Project Wood we could find was compiled in 2005, and it seems to have been used as the codebase to create several implants. One such implant, from which NSPX30 evolved, was named DCM by its authors in 2008.
Figure 2 illustrates a timeline of these developments, based on our analysis of samples in our collection and ESET telemetry, as well as public documentation. However, the events and data documented here are still an incomplete picture of almost two decades of development and malicious activity by an unknown number of threat actors.
Figure 2. Timeline of major variants of Project Wood, DCM, and NSPX30
In the following sections we describe some of our findings regarding Project Wood, DCM, and NSPX30.
Project Wood
The starting point in the evolution of these implants is a small backdoor compiled on January 9th, 2005, according to the timestamps present in the PE header of its two components – the loader and the backdoor. The latter has capabilities to collect system and network information, as well as to record keystrokes and take screenshots.
We named the backdoor Project Wood, based on a recurring mutex name, as shown in Figure 3.
Figure 3. Project Wood code with a recurring theme in most samples
Compilation timestamps are unreliable indicators, as they can be tampered by attackers; therefore, in this specific case, we considered additional data points. First, the timestamps from the PE header of the loader and backdoor samples; see Table 1. There is only a difference of 17 seconds in the compilation time of both components.
Table 1. PE compilation timestamps in components from the 2005 sample
SHA-1
Filename
PE compilation timestamp
Description
9A1B575BCA0DC969B1344651F16514660D1B78A6
MainFuncOften.dll
2005-01-09 08:21:22
Project Wood backdoor.
The timestamp from the Export Table matches the PE compilation timestamp.
834EAB42383E171DD6A42F29A9BA1AD8A44731F0
N/A
2005-01-09 08:21:39
The Project Wood loader contains the backdoor embedded as a resource.
The second data point comes from the dropper sample that was compressed using UPX. This tool inserts its version (Figure 4) into the resulting compressed file – in this case, UPX version 1.24, which was released in 2003, prior to the compilation date of the sample.
Figure 4. UPX string with tool version in the dropper sample
The third data point is the valid metadata from the PE Rich Headers (Figure 5) which indicate that the sample was compiled using Visual Studio 6.0, released in 1998, prior to the sample’s compilation date.
Figure 5. PE Rich Headers from the dropper sample
We assess that it is unlikely that the timestamps, Rich Headers metadata, and UPX version were all manipulated by the attackers.
Public documentation
According to a technical paper published by the SANS Institute on September 2011, an unnamed and unattributed backdoor (Project Wood) was used to target a political figure from Hong Kong via spearphishing emails.
In October 2014, G DATA published a report of a campaign it named Operation TooHash, which has since been attributed to the Gelsemium APT group. The rootkit G DATA named DirectsX loads a variant of the Project Wood backdoor (see Figure 6) with some features seen in DCM and later in NSPX30, such as allowlisting itself in cybersecurity products (detailed later, in Table 4).
Figure 6. The recurring theme is present also in samples from Operation TooHash
DCM aka Dark Specter
The early Project Wood served as a codebase for several projects; one of them is an implant called DCM (see Figure 7) by its authors.
Figure 7. Code using a new mutex name in the DCM implant
The report from Tencent in 2016 describes a more developed DCM variant that relies on the AitM capabilities of the attackers to compromise its victims by delivering the DCM installer as a software update, and to exfiltrate data via DNS requests to legitimate servers. The last time that we observed DCM used in an attack was in 2018.
Public documentation
DCM was first documented by the Chinese company Jiangmin in 2012, although it was left unnamed at that point, and was later named Dark Specter by Tencent in 2016.
NSPX30
The oldest sample of NSPX30 that we have found was compiled on June 6th, 2018. NSPX30 has a different component configuration than DCM because its operation has been divided into two stages, relying fully on the attacker’s AitM capability. DCM’s code was split into smaller components.
We named the implant after PDB paths found in plugin samples:
Z:Workspacemm32NSPX30Pluginspluginb001.pdb
Z:WorkspaceCodeMMX30ProtrunkMMPluginshookdllReleasehookdll.pdb
We believe that NSP refers to its persistence technique: the persistent loader DLL, which on disk is named msnsp.dll, is internally named mynsp.dll (according to the Export Table data), probably because it is installed as a Winsock namespace provider (NSP).
Finally, to the best of our knowledge, NSPX30 has not been publicly documented prior to this publication.
Technical analysis
Using ESET telemetry, we determined that machines are compromised when legitimate software attempts to download updates from legitimate servers using the (unencrypted) HTTP protocol. Hijacked software updates include those for popular Chinese software such as Tencent QQ, Sogou Pinyin, and WPS Office.
An illustration of the chain of execution as seen in ESET telemetry is shown in Figure 8.
Figure 8. Illustration of the observed chain of execution
In Table 2, we provide an example of a URL and the IP address to which the domain was resolved on the user’s system at the time the download occurred.
Table 2. An observed URL, server IP address, and process name of a legitimate downloader component
URL
First seen
IP address
ASN
Downloader
http://dl_dir.qq[.]com/invc/qq/minibrowser.zip
2021‑10‑17
183.134.93[.]171
AS58461 (CHINANET)
Tencentdl.exe
According to ESET telemetry and passive DNS information, the IP addresses that observed on other cases, are associated with domains from legitimate software companies; we have registered up to millions of connections on some of them, and we have seen legitimate software components being downloaded from those IP addresses.
Network implant hypothesis
How exactly the attackers are able to deliver NSPX30 as malicious updates remains unknown to us, as we have yet to discover the tool that enables the attackers to compromise their targets initially.
Based on our own experience with China-aligned threat actors that exhibit these capabilities (Evasive Panda and TheWizards), as well as recent research on router implants attributed to BlackTech and Camaro Dragon (aka Mustang Panda), we speculate that the attackers are deploying a network implant in the networks of the victims, possibly on vulnerable network appliances such as routers or gateways.
The fact that we found no indications of traffic redirection via DNS might indicate that when the hypothesized network implant intercepts unencrypted HTTP traffic related to updates, it replies with the NSPX30 implant’s dropper in the form of a DLL, an executable file, or a ZIP archive containing the DLL.
Previously, we mentioned that the NSPX30 implant uses the packet interception capability of the attackers in order to anonymize its C&C infrastructure. In the following subsections we will describe how they do this.
HTTP interception
To download the backdoor, the orchestrator performs an HTTP request (Figure 9) to the Baidu’s website – a legitimate Chinese search engine and software provider – with a peculiar User-Agent masquerading as Internet Explorer on Windows 98. The response from the server is saved to a file from which the backdoor component is extracted and loaded into memory.
Figure 9. HTTP request sent by the orchestrator
The Request-URI is custom and includes information from the orchestrator and the compromised system. In non-intercepted requests, issuing such a request to the legitimate server returns a 404 error code. A similar procedure is used by the backdoor to download plugins, using a slightly different Request-URI.
The network implant would simply need to look for HTTP GET requests to www.baidu.com with that particular old User-Agent and analyze the Request-URI to determine what payload must be sent.
UDP interception
During its initialization, the backdoor creates a passive UDP listening socket and lets the operating system assign the port. There can be complications for attackers using passive backdoors: for instance, if firewalls or routers using NAT prevent incoming communication from outside of the network. Additionally, the controller of the implant needs to know the exact IP address and port of the compromised machine to contact the backdoor.
We believe that the attackers solved the latter problem by using the same port on which the backdoor listens for commands to also exfiltrate the collected data, so the network implant will know exactly where to forward the packets. The data exfiltration procedure, by default, begins after the socket has been created, and it consists of DNS queries for the microsoft.com domain; the collected data is appended to the DNS packet. Figure 10 shows a capture of the first DNS query sent by the backdoor.
Figure 10. DNS query sent by the backdoor; collected information is appended in plaintext
The first DNS query is sent to 180.76.76[.]11:53 (a server that, at the time of writing, does not expose any DNS service) and for each of the following queries, the destination IP address is changed to the succeeding address, as shown in Figure 11.
Figure 11. DNS messages sent by the backdoor; notice that the IP address increases by one with each request
The 180.76.76.0/24 network is owned by Baidu, and interestingly, some of the servers at these IP addresses do expose DNS services, such as 180.76.76.76, which is Baidu’s public DNS service.
We believe that when the DNS query packets are intercepted, the network implant forwards them to the attackers’ server. The implant can easily filter the packets by combining several values to create a fingerprint, for instance:
destination IP address
UDP port (we observed 53, 4499, and 8000),
transaction ID of the DNS query matching 0xFEAD,
domain name, and,
DNS query with extraneous data appended.
Final thoughts
Using the attackers’ AitM capability to intercept packets is a clever way to hide the location of their C&C infrastructure. We have observed victims located outside of China – that is, in Japan and the United Kingdom – against whom the orchestrator was able to deploy the backdoor. The attackers then sent commands to the backdoor to download plugins; for example, the victim from the UK received two plugins designed to collect information and chats from Tencent QQ. Therefore, we know that the AitM system was in place and working, and we must assume that the exfiltration mechanism was as well.
Some of the servers – for instance, in the 180.76.76.0/24 network – seem to be anycasted, meaning that there might be multiple servers geolocated around the world to reply to (legitimate) incoming requests. This suggests network interception is likely performed closer to the targets rather than closer to Baidu’s network. Interception from a Chinese ISP is also unlikely because Baidu has part of its network infrastructure outside of China, so victims outside China may not go through any Chinese ISPs to reach Baidu services.
NSPX30
In the following sections we will describe the major stages of execution of the malware.
Stage 1
Figure 12 illustrates the execution chain when the legitimate component loads a malicious dropper DLL that creates several files on disk.
Figure 12. Execution chain initiated by the dropper DLL
The dropper executes RsStub.exe, a legitimate software component of the Chinese antimalware product Rising Antivirus, which is abused to side-load the malicious comx3.dll.
Figure 13 illustrates the major steps taken during the execution of this component.
Figure 13. Loading chain initiated when RsStub.exe loads the malicious comx3.dll
When RsStub.exe calls ExitProcess, the loader function from the shellcode is executed instead of the legitimate API function code.
The loader decrypts the installer DLL from the file comx3.dll.txt; the shellcode then loads the installer DLL in memory and calls its entry point.
Installer DLL
The installer uses UAC bypass techniques taken from open-source implementations to create a new elevated process. Which one it uses depends on several conditions, as seen in Table 3.
Table 3. Main condition and respective sub-conditions that must be met in order to apply a UAC bypass technique
Main condition
Sub-conditions
UAC bypass technique
Process named rstray.exe exists
– OS version is Windows 2000/XP/Vista
Execution via AppKey18ShellExecute
– OS version is Windows 10
– Process named avp.exe exists
– OS version is Windows 10
– Process named avp.exe does not exist
– OS version is Windows 7/8/8.1/10 or Windows Server 2008 R1/2012 R2
IARPUninstallStringLauncher UAC bypass
Current process is not a member of the administrator group
– OS version is Windows 10
– Process named avp.exe exists
– OS version is Windows 10
– Process named avp.exe does not exist
– OS version is Windows 7/8/8.1/10 or Windows Server 2008 R1/2012 R2
IARPUninstallStringLauncher UAC bypass
The conditions verify the presence of two processes: we believe that avp.exe is a component of Kaspersky’s antimalware software, and rstray.exe a component of Rising Antivirus.
The installer attempts to disable the submission of samples by Windows Defender, and adds an exclusion rule for the loader DLL msnsp.dll. It does this by executing two PowerShell commands through cmd.exe:
cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -SubmitSamplesConsent 0
cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath “C:Program Files (x86)Common Filesmicrosoft sharedTextConvmsnsp.dll”
The installer then drops the persistent loader DLL to C:Program Files (x86)Common Filesmicrosoft sharedTextConvmsnsp.dll and establishes persistence for it using the API WSCInstallNameSpace to install the DLL as a Winsock namespace provider named msnsp, as shown in Figure 14.
Figure 14. Code that installs a malicious Winsock namespace provider
As a result, the DLL will be loaded automatically whenever a process uses Winsock.
Finally, the installer drops the loader DLL mshlp.dll and the encrypted orchestrator DLL WIN.cfg to C:ProgramDataWindows.
Stage 2
This stage begins with the execution of msnsp.dll. Figure 15 illustrates the loading chain in Stage 2.
Figure 15. Loading chain initiated when the system loads the malicious Winsock namespace provider
Orchestrator
Figure 16 illustrates the major tasks carried out by the orchestrator, which includes obtaining the backdoor and loading plugins.
Figure 16. Execution chain of the Orchestrator components and its main tasks
When loaded, the orchestrator creates two threads to perform its tasks.
Orchestrator thread 1
The orchestrator deletes the original dropper file from disk, and tries to load the backdoor from msfmtkl.dat. If the file does not exist or fails to open, the orchestrator uses Windows Internet APIs to open a connection to the legitimate website of the Chinese company Baidu as explained previously.
The response from the server is saved to a temporary file subject to a validation procedure; if all conditions are met, the encrypted payload that is inside the file is written to a new file and renamed as msfmtkl.dat.
After the new file is created with the encrypted payload, the orchestrator reads its contents and decrypts the payload using RC4. The resulting PE is loaded into memory and its entry point is executed.
Orchestrator thread 2
Depending on the name of the current process, the orchestrator performs several actions, including the loading of plugins, and addition of exclusions to allowlist the loader DLLs in the local databases of three antimalware software products of Chinese origin.
Table 4 describes the actions taken when the process name matches that of a security software suite in which the orchestrator can allowlist its loaders.
Table 4. Orchestrator actions when executing in a process with the name of specific security software
Process name
Targeted software
Action
qqpcmgr.exe
qqpctray.exe
qqpcrtp.exe
Attempts to load the legitimate DLL <CURRENT_DIRECTORY>TAVinterface.dll to use the exported function CreateTaveInstance to obtain an interface. When calling a second function from the interface, it passes a file path as a parameter.
360safe.exe
360tray.exe
Attempts to load the legitimate DLL <CURRENT_DIRECTORY>deepscancloudcom2.dll to use the exported functions XDOpen, XDAddRecordsEx, and XDClose, it adds a new entry in the SQL database file speedmem2.hg.
360sd.exe
Attempts to open the file <CURRENT_DIRECTORY>sl2.db to adds a base64-encoded binary structure that contains the path to the loader DLL.
kxescore.exe
kxetray.exe
Attempts to load the legitimate DLL <CURRENT_DIRECTORY>securitykxescankhistory.dll to use the exported function KSDllGetClassObject to obtain an interface. When it calls one of the functions from the vtable, it passes a file path as a parameter.
Table 5 describes the actions taken when the process name matches that of selected instant-messaging software. In these cases, the orchestrator loads plugins from disk.
Table 5. Ochestrator actions when executing in a process with the name of specific instant-messaging software
Process name
Targeted software
Action
qq.exe
Attempts to create a mutex named GET QQ MESSAGE LOCK <PROCESS_ID>. If the mutex does not already exist, it loads the plugins c001.dat, c002.dat, and c003.dat from disk.
wechat.exe
Loads plugin c006.dat.
telegram.exe
Loads plugin c007.dat.
skype.exe
Loads plugin c003.dat.
cc.exe
Unknown; possibly CloudChat.
raidcall.exe
yy.exe
Unknown; possibly an application from YY social network.
aliim.exe
Loads plugin c005.dat.
After completing the corresponding actions, the thread returns.
Plugins group “c”
From our analysis of the orchestrator code, we understand that at least six plugins of the “c” group might exist, of which only three are known to us at this time.
Table 6 describes the basic functionality of the identified plugins.
Table 6. Description of the plugins from group “c”
Plugin name
Description
c001.dat
Steals information from QQ databases, including credentials, chat logs, contact lists, and more.
c002.dat
Hooks several functions from Tencent QQ’s KernelUtil.dll and Common.dll in the memory of the QQ.exe process, enabling interception of direct and group messages, and SQL queries to databases.
c003.dat
Hooks several APIs:
– CoCreateInstance
– waveInOpen
– waveInClose
– waveInAddBuffer
– waveOutOpen
– waveOutWrite
– waveOutClose
This enables the plugin to intercept audio conversations in several processes.
Backdoor
We have already shared several details on the basic purpose of the backdoor: to communicate with its controller and exfiltrate collected data. Communication with the controller is mostly based around writing plugin configuration data into an unencrypted file named license.dat, and invoking functionality from loaded plugins. Table 7 describes the most relevant commands handled by the backdoor.
Table 7. Description of some of the commands handled by the backdoor
Command ID
Description
0x04
Creates or closes a reverse shell and handles input and output.
0x17
Moves a file with paths provided by the controller.
0x1C
Uninstalls the implant.
0x1E
Collects file information from a specified directory, or collects drive’s information.
0x28
Terminates a process with a PID given by the controller.
Plugin groups “a” and “b”
The backdoor component contains its own embedded plugin DLLs (see Table 8) that are written to disk and give the backdoor its basic spying and information-collecting capabilities.
Table 8. Descriptions of plugin groups “a” and “b” embedded in the backdoor
Plugin name
Description
a010.dat
Collects installed software information from the registry.
b010.dat
Takes screenshots.
b011.dat
Basic keylogger.
Conclusion
We have analyzed attacks and capabilities from a threat actor that we have named Blackwood, which has carried out cyberespionage operations against individuals and companies from China, Japan, and the United Kingdom. We mapped the evolution of NSPX30, the custom implant deployed by Blackwood, all the way back to 2005 to a small backdoor we’ve named Project Wood.
Interestingly, the Project Wood implant from 2005 appears to be the work of developers with experience in malware development, given the techniques implemented, leading us to believe that we are yet to discover more about the history of the primordial backdoor.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IOCs
Files
SHA-1
Filename
ESET detection name
Description
625BEF5BD68F75624887D732538B7B01E3507234
minibrowser_shell.dll
Win32/Agent.AFYI
NSPX30 initial dropper.
43622B9573413E17985B3A95CBE18CFE01FADF42
comx3.dll
Win32/Agent.AFYH
Loader for the installer.
240055AA125BD31BF5BA23D6C30133C5121147A5
msnsp.dll
Win32/Agent.AFYH
Persistent loader.
308616371B9FF5830DFFC740318FD6BA4260D032
mshlp.dll
Win32/Agent.AFYH
Loader for the orchestrator.
796D05F299F11F1D78FBBB3F6E1F497BC3325164
comx3.dll.txt
Win32/TrojanDropper.Agent.SWR
Decrypted installer.
82295E138E89F37DD0E51B1723775CBE33D26475
WIN.cfg
Win32/Agent.AFYI
Decrypted orchestrator.
44F50A81DEBF68F4183EAEBC08A2A4CD6033DD91
msfmtkl.dat
Win32/Agent.VKT
Decrypted backdoor.
DB6AEC90367203CAAC9D9321FDE2A7F2FE2A0FB6
c001.dat
Win32/Agent.AFYI
Credentials and data stealer plugin.
9D74FE1862AABAE67F9F2127E32B6EFA1BC592E9
c002.dat
Win32/Agent.AFYI
Tencent QQ message interception plugin.
8296A8E41272767D80DF694152B9C26B607D26EE
c003.dat
Win32/Agent.AFYI
Audio capture plugin.
8936BD9A615DD859E868448CABCD2C6A72888952
a010.dat
Win32/Agent.VKT
Information collector plugin.
AF85D79BC16B691F842964938C9619FFD1810C30
b011.dat
Win32/Agent.VKT
Keylogger plugin.
ACD6CD486A260F84584C9FF7409331C65D4A2F4A
b010.dat
Win32/Agent.VKT
Screen capture plugin.
Network
IP
Domain
Hosting provider
First seen
Details
104.193.88[.]123
www.baidu[.]com
Beijing Baidu Netcom Science and Technology Co., Ltd.
2017‑08‑04
Legitimate website contacted by the orchestrator and backdoor components to download payloads. The HTTP GET request is intercepted by AitM.
183.134.93[.]171
dl_dir.qq[.]com
IRT‑CHINANET‑ZJ
2021‑10‑17
Part of the URL from where the dropper was downloaded by legitimate software.
MITRE ATT&CK techniques
This table was built using version 14 of the MITRE ATT&CK framework.
Tactic
ID
Name
Description
Resource Development
Develop Capabilities: Malware
Blackwood used a custom implant called NSPX30.
Initial Access
Supply Chain Compromise
NSPX30’s dropper component is delivered when legitimate software update requests are intercepted via AitM.
Execution
Command and Scripting Interpreter: PowerShell
NSPX30’s installer component uses PowerShell to disable Windows Defender’s sample submission, and adds an exclusion for a loader component.
Command and Scripting Interpreter: Windows Command Shell
NSPX30’s installer can use cmd.exe when attempting to bypass UAC.
NSPX30’s backdoor can create a reverse shell.
Command and Scripting Interpreter: Visual Basic
NSPX30’s installer can use VBScript when attempting to bypass UAC.
Native API
NSPX30’s installer and backdoor use CreateProcessA/W APIs to execute components.
Persistence
Hijack Execution Flow
NSPX30’s loader is automatically loaded into a process when Winsock is started.
Privilege Escalation
Event Triggered Execution
NSPX30’s installer modifies the registry to change a media button key value (APPCOMMAND_LAUNCH_APP2) to point to its loader executable.
Abuse Elevation Control Mechanism: Bypass User Account Control
NSPX30’s installer uses three techniques to attempt UAC bypasses.
Defense Evasion
Deobfuscate/Decode Files or Information
NSPX30’s installer, orchestrator, backdoor, and configuration files are decrypted with RC4, or combinations of bitwise and arithmetic instructions.
Impair Defenses: Disable or Modify Tools
NSPX30’s installer disables Windows Defender’s sample submission, and adds an exclusion for a loader component.
NSPX30’s orchestrator can alter the databases of security software to allowlist its loader components. Targeted software includes: Tencent PC Manager, 360 Safeguard, 360 Antivirus, and Kingsoft AntiVirus.
Indicator Removal: File Deletion
NSPX30 can remove its files.
Indicator Removal: Clear Persistence
NSPX30 can remove its persistence.
Indirect Command Execution
NSPX30’s installer executes PowerShell through Windows’ Command Shell.
Masquerading: Match Legitimate Name or Location
NSPX30’s components are stored in the legitimate folder %PROGRAMDATA%Intel.
Modify Registry
NSPX30’s installer can modify the registry when attempting to bypass UAC.
Obfuscated Files or Information
NSPX30’s components are stored encrypted on disk.
Obfuscated Files or Information: Embedded Payloads
NSPX30’s dropper contains embedded components.
NSPX30’s loader contains embedded shellcode.
System Binary Proxy Execution: Rundll32
NSPX30’s installer can be loaded through rundll32.exe.
Credential Access
Adversary-in-the-Middle
The NSPX30 implant is delivered to victims through AitM attacks.
Credentials from Password Stores
NSPX30 plugin c001.dat can steal credentials from Tencent QQ databases.
Discovery
File and Directory Discovery
NSPX30’s backdoor and plugins can list files.
Query Registry
NSPX30 a010.dat plugin collects various information of installed software from the registry.
Software Discovery
NSPX30 a010.dat plugin collects information from the registry.
System Information Discovery
NSPX30’s backdoor collects system information.
System Network Configuration Discovery
NSPX30’s backdoor collects various network adapter information.
System Network Connections Discovery
NSPX30’s backdoor collects network adapter information.
System Owner/User Discovery
NSPX30’s backdoor collects system and user information.
Collection
Input Capture: Keylogging
NSPX30 plugin b011.dat is a basic keylogger.
Archive Collected Data: Archive via Library
NSPX30 plugins compress collected information using zlib.
Audio Capture
NSPX30 plugin c003.dat records input and output audio streams.
Automated Collection
NSPX30’s orchestrator and backdoor automatically launch plugins to collect information.
Data Staged: Local Data Staging
NSPX30’s plugins store data in local files before exfiltration.
Screen Capture
NSPX30 plugin b010.dat takes screenshots.
Command and Control
Application Layer Protocol: Web Protocols
NSPX30’s orchestrator and backdoor components download payloads using HTTP.
Application Layer Protocol: DNS
NSPX30’s backdoor exfiltrates the collected information using DNS.
Data Encoding: Standard Encoding
Collected data for exfiltration is compressed with zlib.
Data Obfuscation
NSPX30’s backdoor encrypts its C&C communications.
Non-Application Layer Protocol
NSPX30’s backdoor uses UDP for its C&C communications.
Proxy
NSPX30’s communications with its C&C server are proxied by an unidentified component.
Exfiltration
Automated Exfiltration
When available, NSPX30’s backdoor automatically exfiltrates any collected information.
Data Transfer Size Limits
NSPX30’s backdoor exfiltrates collected data via DNS queries with a fixed packet size.
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
NSPX30’s backdoor exfiltrates the collected information using DNS.