Chinese Hackers Hijack Software Updates to Install Malware Since 2005

In order to obtain unauthorized access and control, hackers take advantage of software vulnerabilities by manipulating updates.

By corrupting the updates, hackers can disseminate malware, compromise user data, and build backdoors for future attacks.

This enables hackers to compromise a large user base at once, making the software upgrades a luring target for malicious activities.

Cybersecurity researchers at ESET recently identified that Chinese hackers have been actively targeting and hacking software updates to install malware since 2005.

Chinese Hackers Hijack Software Updates

ESET found China-linked threat actor Blackwood behind a cyberattack since 2018. They use AitM attacks to deliver NSPX30 implants through software updates by targeting Chinese and Japanese entities.

Blackwood hides the C2 server location by intercepting NSPX30-generated traffic.

In 2020, a Chinese system was hit by a surge of attacks from Evasive Panda, LuoYu, and LittleBear. Security analysts found a new threat, NSPX30, traced back to 2005 amid suspicious files, and it’s been discovered via a deep investigation.                    

Evolution starts with a 2005 backdoor, Project Wood, which was found via timestamps. Researchers validate authenticity through the metadata of the PE header, UPX version, and Rich Headers. 

Project Wood served as a codebase that led to DCM in 2008. Tencent’s 2016 report details DCM’s advanced variant, exploiting AitM capabilities. 

The compromises occur during legit software updates via unencrypted HTTP that affects the popular Chinese software.

Cybersecurity researchers at ESET found IP addresses linked to legitimate software firms in their telemetry. Millions of connections were registered, with downloads of genuine software components. 

How NSPX30 is delivered as malicious updates is unknown. Speculation points to a network implant, possibly on vulnerable devices like routers. 

However, no DNS redirection hints at intercepting unencrypted HTTP traffic for delivering the NSPX30 implant.

Orchestrator uses Baidu’s site to download backdoor, posing as Internet Explorer on Windows 98. Custom User-Agent and Request-URI reveal orchestrator and system info. 

While the backdoor initializes the UDP socket, facing complications with firewalls and NAT. Data exfiltration via DNS queries to Microsoft[.]com takes place and cleverly hides C&C location using AitM capability.

Victims in Japan and the UK were targeted via the AitM system. Blackwood threat actors have been observed since 2005 and have been constantly evolving from Project Wood. The history of the primordial backdoor, Project Wood, hints at experienced malware developers.