Thursday, October 10, 2024
Homecyber securityChinese Hackers Hijack Software Updates to Install Malware Since 2005

Chinese Hackers Hijack Software Updates to Install Malware Since 2005

Published on

In order to obtain unauthorized access and control, hackers take advantage of software vulnerabilities by manipulating updates.

By corrupting the updates, hackers can disseminate malware, compromise user data, and build backdoors for future attacks.

This enables hackers to compromise a large user base at once, making the software upgrades a luring target for malicious activities.

- Advertisement - EHA

Cybersecurity researchers at ESET recently identified that Chinese hackers have been actively targeting and hacking software updates to install malware since 2005.

Chinese Hackers Hijack Software Updates

ESET found China-linked threat actor Blackwood behind a cyberattack since 2018. They use AitM attacks to deliver NSPX30 implants through software updates by targeting Chinese and Japanese entities.

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Blackwood hides the C2 server location by intercepting NSPX30-generated traffic.

In 2020, a Chinese system was hit by a surge of attacks from Evasive Panda, LuoYu, and LittleBear. Security analysts found a new threat, NSPX30, traced back to 2005 amid suspicious files, and it’s been discovered via a deep investigation.                    

Timeline (Source – ESET)

Evolution starts with a 2005 backdoor, Project Wood, which was found via timestamps. Researchers validate authenticity through the metadata of the PE header, UPX version, and Rich Headers. 

Project Wood served as a codebase that led to DCM in 2008. Tencent’s 2016 report details DCM’s advanced variant, exploiting AitM capabilities. 

The compromises occur during legit software updates via unencrypted HTTP that affects the popular Chinese software.

Chain of execution (Source – ESET)

Cybersecurity researchers at ESET found IP addresses linked to legitimate software firms in their telemetry. Millions of connections were registered, with downloads of genuine software components. 

How NSPX30 is delivered as malicious updates is unknown. Speculation points to a network implant, possibly on vulnerable devices like routers. 

However, no DNS redirection hints at intercepting unencrypted HTTP traffic for delivering the NSPX30 implant.

Orchestrator uses Baidu’s site to download backdoor, posing as Internet Explorer on Windows 98. Custom User-Agent and Request-URI reveal orchestrator and system info. 

While the backdoor initializes the UDP socket, facing complications with firewalls and NAT. Data exfiltration via DNS queries to Microsoft[.]com takes place and cleverly hides C&C location using AitM capability.

Geographical distribution (Source – ESET)

Victims in Japan and the UK were targeted via the AitM system. Blackwood threat actors have been observed since 2005 and have been constantly evolving from Project Wood. The history of the primordial backdoor, Project Wood, hints at experienced malware developers.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...

Wireshark 4.4.1 Released, What’s new!

Wireshark, the world’s leading network protocol analyzer, has just released version 4.4.1, bringing a...

Multiple VMware NSX Vulnerabilities Let Attackers Gain Root Access

VMware has disclosed multiple vulnerabilities in its NSX product line that could potentially allow...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...

Wireshark 4.4.1 Released, What’s new!

Wireshark, the world’s leading network protocol analyzer, has just released version 4.4.1, bringing a...