Key points
- NSPX30 is delivered via adversary-in-the-middle (AitM) interception of unencrypted update requests for legitimate Chinese software (e.g., Tencent QQ, WPS Office, Sogou Pinyin).
- The implant evolved from a 2005 backdoor dubbed Project Wood through an intermediate called DCM, with samples traced to 2018 and later.
- Delivery likely relies on a network-level implant that intercepts HTTP/UDP/DNS traffic and forges responses to hide attacker infrastructure.
- Execution is multistage: dropper → loader (comx3.dll) → installer (UAC bypass, Defender exclusions) → persistent Winsock namespace provider (msnsp.dll) → orchestrator → backdoor and plugins.
- Orchestrator downloads encrypted payloads (via HTTP to legitimate sites using a peculiar User-Agent), writes encrypted files (msfmtkl.dat / WIN.cfg), decrypts with RC4, and loads plugins to collect data.
- Backdoor and plugins collect credentials, QQ chats, audio capture, screenshots and keystrokes; exfiltration uses DNS queries and UDP with fixed-size packets; communications are proxied by an intercepted component to anonymize C2.
- Orchestrator can modify local databases or add exclusions to allowlist its loader in several Chinese antimalware products (Tencent, 360, Kingsoft).
MITRE Techniques
- [T1587.001] Develop Capabilities: Malware – NSPX30 is a custom implant: ‘Blackwood used a custom implant called NSPX30.’
- [T1195] Supply Chain Compromise – NSPX30’s dropper is delivered via intercepted software updates: ‘NSPX30’s dropper component is delivered when legitimate software update requests are intercepted via AitM.’
- [T1059.001] PowerShell – Installer uses PowerShell to change Defender settings: ‘NSPX30’s installer component uses PowerShell to disable Windows Defender’s sample submission, and adds an exclusion for a loader component.’
- [T1059.003] Windows Command Shell – Installer uses cmd.exe for UAC bypass and reverse shell creation: ‘NSPX30’s installer can use cmd.exe when attempting to bypass UAC. NSPX30’s backdoor can create a reverse shell.’
- [T1059.005] Visual Basic – Installer can use VBScript for UAC bypass: ‘NSPX30’s installer can use VBScript when attempting to bypass UAC.’
- [T1106] Native API – Uses CreateProcess APIs to execute components: ‘NSPX30’s installer and backdoor use CreateProcessA/W APIs to execute components.’
- [T1574] Hijack Execution Flow – Loader auto-loads when Winsock is started: ‘NSPX30’s loader is automatically loaded into a process when Winsock is started.’
- [T1546] Event Triggered Execution – Installer modifies a media button registry value for execution: ‘NSPX30’s installer modifies the registry to change a media button key value (APPCOMMAND_LAUNCH_APP2) to point to its loader executable.’
- [T1548.002] Bypass UAC – Installer uses multiple UAC bypass techniques: ‘NSPX30’s installer uses three techniques to attempt UAC bypasses.’
- [T1140] Deobfuscate/Decode Files or Information – Components and configs are decrypted (RC4/bitwise): ‘NSPX30’s installer, orchestrator, backdoor, and configuration files are decrypted with RC4, or combinations of bitwise and arithmetic instructions.’
- [T1562.001] Disable or Modify Tools – Disables Defender submissions and alters AV databases to allowlist loaders: ‘NSPX30’s installer disables Windows Defender’s sample submission, and adds an exclusion for a loader component… orchestrator can alter the databases of security software to allowlist its loader components.’
- [T1070.004] File Deletion – NSPX30 can remove its files: ‘NSPX30 can remove its files.’
- [T1070.009] Clear Persistence – NSPX30 can remove its persistence: ‘NSPX30 can remove its persistence.’
- [T1202] Indirect Command Execution – Installer runs PowerShell through cmd.exe: ‘NSPX30’s installer executes PowerShell through Windows’ Command Shell.’
- [T1036.005] Masquerading: Match Legitimate Name or Location – Components stored in legitimate folders: ‘NSPX30’s components are stored in the legitimate folder %PROGRAMDATA%\Intel.’
- [T1112] Modify Registry – Installer modifies registry when attempting UAC bypass: ‘NSPX30’s installer can modify the registry when attempting to bypass UAC.’
- [T1027] Obfuscated Files or Information – Components are stored encrypted on disk: ‘NSPX30’s components are stored encrypted on disk.’
- [T1027.009] Embedded Payloads – Dropper and loader contain embedded payloads/shellcode: ‘NSPX30’s dropper contains embedded components. NSPX30’s loader contains embedded shellcode.’
- [T1218.011] Rundll32 – Installer can be loaded through rundll32.exe: ‘NSPX30’s installer can be loaded through rundll32.exe.’
- [T1557] Adversary-in-the-Middle – Delivery via AitM attacks: ‘The NSPX30 implant is delivered to victims through AitM attacks.’
- [T1555] Credentials from Password Stores – Plugin steals QQ credentials: ‘NSPX30 plugin c001.dat can steal credentials from Tencent QQ databases.’
- [T1083] File and Directory Discovery – Backdoor/plugins can list files: ‘NSPX30’s backdoor and plugins can list files.’
- [T1012] Query Registry – a010.dat collects installed software info from registry: ‘NSPX30 a010.dat plugin collects various information of installed software from the registry.’
- [T1518] Software Discovery – a010.dat collects software info: ‘NSPX30 a010.dat plugin collects information from the registry.’
- [T1082] System Information Discovery – Backdoor collects system info: ‘NSPX30’s backdoor collects system information.’
- [T1016] System Network Configuration Discovery – Backdoor collects network adapter info: ‘NSPX30’s backdoor collects various network adapter information.’
- [T1049] System Network Connections Discovery – Backdoor collects network connections info: ‘NSPX30’s backdoor collects network adapter information.’
- [T1033] System Owner/User Discovery – Backdoor collects user/system owner info: ‘NSPX30’s backdoor collects system and user information.’
- [T1056.001] Keylogging – b011.dat is a keylogger: ‘NSPX30 plugin b011.dat is a basic keylogger.’
- [T1560.002] Archive via Library – Plugins compress data with zlib: ‘NSPX30 plugins compress collected information using zlib.’
- [T1123] Audio Capture – c003.dat records audio streams: ‘NSPX30 plugin c003.dat records input and output audio streams.’
- [T1119] Automated Collection – Orchestrator/backdoor auto-launch plugins: ‘NSPX30’s orchestrator and backdoor automatically launch plugins to collect information.’
- [T1074.001] Local Data Staging – Plugins store data locally before exfiltration: ‘NSPX30’s plugins store data in local files before exfiltration.’
- [T1113] Screen Capture – b010.dat takes screenshots: ‘NSPX30 plugin b010.dat takes screenshots.’
- [T1071.001] Web Protocols (HTTP) – Orchestrator/backdoor download payloads using HTTP: ‘NSPX30’s orchestrator and backdoor components download payloads using HTTP.’
- [T1071.004] DNS – Backdoor exfiltrates using DNS queries: ‘NSPX30’s backdoor exfiltrates the collected information using DNS.’
- [T1132.001] Standard Encoding – Collected data is compressed with zlib: ‘Collected data for exfiltration is compressed with zlib.’
- [T1001] Data Obfuscation – Backdoor encrypts C2 communications: ‘NSPX30’s backdoor encrypts its C&C communications.’
- [T1095] Non-Application Layer Protocol – Backdoor uses UDP for C2: ‘NSPX30’s backdoor uses UDP for its C&C communications.’
- [T1090] Proxy – Communications are proxied by an unidentified component: ‘NSPX30’s communications with its C&C server are proxied by an unidentified component.’
- [T1020] Automated Exfiltration – Backdoor automatically exfiltrates when available: ‘When available, NSPX30’s backdoor automatically exfiltrates any collected information.’
- [T1030] Data Transfer Size Limits – Exfiltration via DNS uses fixed packet size: ‘NSPX30’s backdoor exfiltrates collected data via DNS queries with a fixed packet size.’
- [T1048.003] Exfiltration Over Unencrypted Non-C2 Protocol (DNS) – Exfiltration uses DNS: ‘NSPX30’s backdoor exfiltrates the collected information using DNS.’
Indicators of Compromise
- [File Hashes] NSPX30 samples – 625BEF5BD68F75624887D732538B7B01E3507234 (minibrowser_shell.dll), 240055AA125BD31BF5BA23D6C30133C5121147A5 (msnsp.dll), and 10 more hashes.
- [Filenames] Malicious components on disk – msnsp.dll (persistent Winsock NSP), comx3.dll (loader).
- [Domains] Legitimate sites abused as download fronts – www.baidu.com (orchestrator/backdoor HTTP fetch), dl_dir.qq[.]com (dropper download URL).
- [IP Addresses] Observed network endpoints – 104.193.88[.]123 (www.baidu.com resolved IP used in interception), 183.134.93[.]171 (dl_dir.qq[.]com resolved IP for dropper delivery).
NSPX30 is delivered by intercepting unencrypted HTTP update requests for popular Chinese software; a network-level implant (likely on routers/gateways) inspects outbound GET requests (notably requests to www.baidu.com with a legacy IE/Win98 User-Agent and custom Request-URI) and responds with a malicious dropper DLL, executable or ZIP to replace legitimate updates. The attackers also intercept DNS and UDP traffic from the implanted host to proxy and forward exfiltrated packets to their servers, enabling C2 anonymization.
On the host, the delivered dropper side-loads comx3.dll via a legitimate RsStub.exe process; shellcode inside the loader decrypts an installer (comx3.dll.txt), which uses open-source UAC bypass techniques to create an elevated process, disables Windows Defender sample submission and adds an exclusion, drops msnsp.dll to C:\Program Files (x86)\Common Files\microsoft shared\TextConv and installs it as a Winsock namespace provider (WSCInstallNameSpace) for persistence. The installer also writes loader and orchestrator components (mshlp.dll, WIN.cfg) to C:\ProgramData\Windows.
When msnsp.dll is loaded it runs an orchestrator with two threads: one removes the original dropper, fetches an encrypted payload from legitimate web servers (saving and validating the response), writes it as msfmtkl.dat, decrypts it with RC4 and loads the backdoor PE into memory; the other thread inspects process names to load plugins or to modify local antimalware databases so that the loaders are allowlisted (targets include Tencent PC Manager, 360 Safeguard/Antivirus, Kingsoft). Plugins provide QQ credential and message theft (c001/c002), audio capture (c003), screenshots (b010), keylogging (b011), and registry/software discovery (a010). The backdoor creates a passive UDP socket and exfiltrates collected data by appending it to DNS queries (e.g., for microsoft.com) sent to incrementing destination IPs in the 180.76.76.0/24 space; a network interceptor recognizes the fingerprinted requests and forwards them to attacker infrastructure, keeping the true C2 hidden.
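As an added example (not code from the original report), the following detection logic turns two of the network traits above into checks over proxy and DNS telemetry: the fingerprinted update request to www.baidu.com with a legacy IE/Windows 98 User-Agent, and UDP DNS queries of one fixed size walking consecutive addresses in 180.76.76.0/24. The log records, the exact User-Agent string, the packet size and the query names are constructed assumptions; the report gives only the general pattern.

```python
import ipaddress
from collections import defaultdict

EXFIL_NET = ipaddress.ip_network("180.76.76.0/24")   # range named in the report

def flag_aitm_update_requests(http_records):
    """GET requests to www.baidu.com carrying a legacy IE/Windows 98 User-Agent.
    Assumption: a UA containing 'MSIE' and 'Windows 98' is the fingerprint."""
    return [r for r in http_records
            if r.get("method") == "GET" and r.get("host") == "www.baidu.com"
            and "MSIE" in r.get("user_agent", "")
            and "Windows 98" in r.get("user_agent", "")]

def flag_dns_exfil(dns_records, min_queries=4):
    """Per source host: flag UDP DNS queries into 180.76.76.0/24 that share one
    packet size and hit consecutive destination IPs (incrementing-IP pattern).
    Normal use of the 180.76.76.76 resolver hits one IP and is never flagged."""
    by_src = defaultdict(list)
    for r in dns_records:
        dst = ipaddress.ip_address(r["dst_ip"])
        if r.get("proto") == "udp" and dst in EXFIL_NET:
            by_src[r["src_ip"]].append((int(dst), r["size"], r["qname"]))
    flagged = {}
    for src, qs in by_src.items():
        ips = sorted({ip for ip, _, _ in qs})          # distinct destinations
        sizes = {s for _, s, _ in qs}
        consecutive = all(b - a == 1 for a, b in zip(ips, ips[1:]))
        if len(ips) >= min_queries and len(sizes) == 1 and consecutive:
            flagged[src] = {"packet_size": sizes.pop(), "queries": len(qs),
                            "qnames": sorted({q for _, _, q in qs})}
    return flagged

# Constructed sample records (not real telemetry): 10.0.0.5 plays the infected
# host, 10.0.0.6 a clean host using Baidu's public resolver normally.
SAMPLE_HTTP = [
    {"src_ip": "10.0.0.5", "method": "GET", "host": "www.baidu.com",
     "uri": "/constructed-update-path",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"},
    {"src_ip": "10.0.0.6", "method": "GET", "host": "www.baidu.com",
     "uri": "/", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]
SAMPLE_DNS = (
    [{"src_ip": "10.0.0.5", "dst_ip": f"180.76.76.{10 + i}", "proto": "udp",
      "size": 512, "qname": f"chunk{i}.microsoft.com"} for i in range(4)]
    + [{"src_ip": "10.0.0.6", "dst_ip": "180.76.76.76", "proto": "udp",
        "size": s, "qname": "www.example.com"} for s in (60, 73, 60, 81)]
)

if __name__ == "__main__":
    print(flag_aitm_update_requests(SAMPLE_HTTP))
    print(flag_dns_exfil(SAMPLE_DNS))
```

Point both functions at your own HTTP proxy and DNS/UDP flow exports after mapping them onto the same record keys; the fixed size and the threshold should be tuned to what the fingerprinted traffic looks like in your environment.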