Cybersecurity firm ESET published a report in January 2024 on a previously undocumented China-aligned threat actor, which ESET named Blackwood, that has been conducting adversary-in-the-middle (AitM) attacks against Chinese and Japanese manufacturing, trading, and engineering companies. The actor abused the legitimate update mechanisms of widely used software such as Tencent QQ, Sogou Pinyin, and WPS Office: when a client requested an update from the vendor's real servers over unencrypted HTTP, Blackwood, positioned on the network path, replaced the response with a dropper for a sophisticated implant called NSPX30. Because the channel is plain HTTP, the client has no transport-level way to tell the substituted file from the genuine update. A chain of executable files and dynamic-link libraries then fetched the backdoor and its plugins from servers belonging to the legitimate Chinese search engine Baidu, so the second-stage download also blends in with ordinary traffic. During initialization the backdoor opened a passive UDP listening socket on which it receives commands from the controller and through which it exfiltrates data; as it does not beacon out to attacker-owned infrastructure, detection has to look at the host's listening sockets and at the integrity of delivered updates rather than at outbound connections to known-bad domains. The backdoor can collect file information, take screenshots, log keystrokes, terminate selected processes, and uninstall itself when its operators choose.
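The two observable traits in the summary above, an update payload swapped in transit on a plain-HTTP channel and a passive UDP listener opened by an implant, can both be checked from telemetry an enterprise usually already has. The following Python script is an added example written for this page; it is not ESET's code and not from the OODA post. Every hostname, URL path, process name, hash, and log line in it is constructed for the example, and the log formats (a pipe-delimited proxy log and a UDP endpoint snapshot such as one assembled from Get-NetUDPEndpoint and Get-Process on Windows) are assumed rather than taken from any real product.

```python
"""Added example (not ESET's or OODA's code). Audits constructed records for
(1) software-update downloads fetched over plain HTTP or whose body hash differs
from a pinned known-good value, and (2) passive UDP listening sockets owned by
processes that are not expected to listen. All names, paths, hashes and log
lines below are constructed for illustration."""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed payloads standing in for a genuine update and one substituted on path.
GENUINE_UPDATE = b"MZ genuine updater build 1.2.3 (constructed)"
SUBSTITUTED_UPDATE = b"MZ payload swapped in transit (constructed)"
GENUINE_HASH = sha256_hex(GENUINE_UPDATE)
SUBSTITUTED_HASH = sha256_hex(SUBSTITUTED_UPDATE)
HTML_HASH = sha256_hex(b"<html>ordinary page (constructed)</html>")

# Pinned hashes per update path. In practice these come from a vendor manifest or a
# detached signature verified before execution, never from the transfer itself.
KNOWN_GOOD = {
    "/qq/update.exe": GENUINE_HASH,
    "/wps/setup.exe": GENUINE_HASH,
}

# Constructed proxy log: timestamp|client|url|status|sha256(response body)
PROXY_LOG = f"""\
2024-01-24T08:01:12Z|10.0.0.21|http://updates.vendor-a.invalid/qq/update.exe|200|{GENUINE_HASH}
2024-01-24T08:03:40Z|10.0.0.22|http://updates.vendor-a.invalid/qq/update.exe|200|{SUBSTITUTED_HASH}
2024-01-24T08:05:02Z|10.0.0.23|https://updates.vendor-b.invalid/wps/setup.exe|200|{GENUINE_HASH}
2024-01-24T08:06:55Z|10.0.0.24|http://www.search-c.invalid/index.html|200|{HTML_HASH}
"""


@dataclass(frozen=True)
class Finding:
    client: str
    url: str
    reason: str


def audit_update_fetches(log_text: str, known_good: dict[str, str]) -> list[Finding]:
    """Flag update downloads that were fetched in the clear or whose body hash does
    not match the pinned value. Lines whose path is not a known update path are
    ignored as ordinary browsing."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, url, _status, body_hash = line.split("|")
        scheme, rest = url.split("://", 1)
        path = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
        expected = known_good.get(path)
        if expected is None:
            continue
        if body_hash != expected:
            # The substitution itself: what reached the client is not what the vendor ships.
            findings.append(Finding(client, url, "hash mismatch against pinned update"))
        elif scheme == "http":
            # Not tampered this time, but an on-path attacker can rewrite this channel.
            findings.append(Finding(client, url, "update fetched over plain HTTP"))
    return findings


# Constructed endpoint snapshot: local address, local port, PID, process name.
UDP_ENDPOINTS = """\
0.0.0.0     137    1532  svchost.exe
0.0.0.0     5353   2210  mdns_responder.exe
0.0.0.0     50321  4128  updater_helper.exe
127.0.0.1   49152  3310  devtools.exe
"""

# Constructed allowlist of processes expected to hold UDP sockets on this host class.
EXPECTED_UDP_LISTENERS = {"svchost.exe", "mdns_responder.exe"}


def unexpected_udp_listeners(snapshot: str, allowlist: set[str]) -> list[tuple[int, str, int]]:
    """Return (pid, process, port) for UDP sockets bound on all interfaces by a process
    outside the allowlist. An implant that waits for commands on a passive UDP socket
    instead of beaconing out appears here, not in outbound-connection telemetry."""
    hits: list[tuple[int, str, int]] = []
    for line in snapshot.splitlines():
        if not line.strip():
            continue
        addr, port, pid, name = line.split()
        if addr not in ("0.0.0.0", "::"):
            continue  # loopback-only binds cannot receive from the network
        if name not in allowlist:
            hits.append((int(pid), name, int(port)))
    return hits


if __name__ == "__main__":
    for f in audit_update_fetches(PROXY_LOG, KNOWN_GOOD):
        print(f"update: {f.client} {f.url}: {f.reason}")
    for pid, name, port in unexpected_udp_listeners(UDP_ENDPOINTS, EXPECTED_UDP_LISTENERS):
        print(f"udp listener: pid={pid} {name} port={port}")
```

The hash check deliberately reports a mismatch ahead of the plain-HTTP warning: a client that already received a different file is an incident, while a clean download over HTTP is exposure that should drive a move to HTTPS or signature-verified updates. The listener check keys on the process name only for brevity; in a real deployment, pair it with the binary's path and signer, since an implant can borrow a plausible name.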
Read More:
https://thehackernews.com/2024/01/china-backed-hackers-hijack-software.html