## NSPX30

###### A sophisticated AitM-enabled implant evolving since 2005

Facundo Munoz, Malware Researcher

-----

##### Facundo Munoz

• Malware Researcher at ESET since 2021
• Hunting and analysing APT malware

facundo.munoz@eset.com

-----

##### Agenda

• Discovery of the NSPX30 implant
• Our research, evolution of NSPX30 and attribution to Blackwood APT
• Case study of an initial access via AitM
• The NSPX30 implant and its features
• The China-aligned AitM club
• Conclusion

-----

###### Threat magnet

NSPX30 implant components: comx3.dll, msnsp.dll, comx3.dll

• Evasive Panda
• LuoYu
• LittleBear

-----

###### The NSPX30 implant

Diagram of the implant's components and the relations between them (drops, executes, loads, downloads):

• Dropper: drops RsStub.exe, comx3.dll, comx3.dll.txt and index.dat, and executes RsStub.exe (legitimate process)
• RsStub.exe loads comx3.dll, which loads comx3.dll.txt; this stage establishes persistence and drops the embedded plugins
• Loaders msnsp.dll and mshlp.dll and orchestrator WIN.cfg, loaded by a legitimate process
• The orchestrator downloads and loads msfmtkl.dat (backdoor), which loads the plugins

-----

### Malware paleontology

-----

###### Timeline of NSPX30 and its ancestors

Timeline chart (years on the axis: 2005, 2008, 2013, 2014, 2018, 2019, 2020, 2022, 2023, 2024) with the following entries:

• First and last known sample of Project Wood
• First and last known sample of DCM (aka Dark Specter)
• First and last known sample of NSPX30
• NSPX30 detected in ESET telemetry

-----

###### Compilation timestamps, to trust or not to trust

|Sample|File name|Compiled on|
|---|---|---|
|Project Wood backdoor|MainFuncOften.dll|2005-01-09 08:21:22|
|Project Wood dropper|Unknown file name|2005-01-09 08:21:39|

17 seconds difference!

-----

###### UPX version

Dropper

```
000003D0 00 00 00 00 00 00 00 00 00 00 00 31 2E 32 34 00 ...........1.24.
000003E0 55 50 58 21 0C 09 05 09 C6 BF B8 96 B6 DB 30 81 UPX!....¿¸–¶Û0..
000003F0 E7 39 04 00 0D 48 01 00 00 20 04 00 26 0A 00 29 ç9...H......&..)
00000400 7F FF FF FF 51 53 55 56 8B 35 1C C0 40 00 8D 44 .ÿÿÿQSUV‹5.À@..D
00000410 24 0C 57 50 68 06 00 02 00 BD B4 E0 1F 6A 00 55 $.WPh....½´à.j.U
00000420 68 ED B7 ED 7F 15 00 80 FF D6 8B 3D 20 3E 68 AC hí·í...€ÿÖ‹=.>h¬
00000430 28 FF 74 24 14 FF D7 0A 10 91 B7 B5 ED 8B 1D 24 (ÿt$.ÿ×..‘·µí‹.$
```

UPX 1.24 was released in 2003

-----

###### Rich header metadata

Visual Studio 6.0 was released in 1998

Assessment: high confidence that it is unlikely that attackers modified all these indicators.

-----

###### Project Wood aka PeerWoodCOften

Dropper

```
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0E 00 ................
00000010 50 00 65 00 65 00 72 00 57 00 6F 00 6F 00 64 00 P.e.e.r.W.o.o.d.
00000020 43 00 4F 00 66 00 74 00 65 00 6E 00 00 00 00 00 C.O.f.t.e.n.....
00000030 0C 00 48 00 65 00 6C 00 6C 00 6F 00 20 00 57 00 ..H.e.l.l.o...W.
00000040 6F 00 72 00 6C 00 64 00 21 00 00 00 00 00 0E 00 o.r.l.d.!.......
00000050 50 00 45 00 45 00 52 00 57 00 4F 00 4F 00 44 00 P.E.E.R.W.O.O.D.
00000060 43 00 4F 00 46 00 54 00 45 00 4E 00 00 00 00 00 C.O.F.T.E.N.....
```
-----

###### PeerYou RAT

• Open sourced in 2001
• Possibly of Chinese origin
• Still around on Chinese websites
• Many variants

-----

###### Timeline of publications about NSPX30's ancestors

Timeline chart (years on the axis: 2005, 2008, 2011, 2012, 2013, 2014, 2016, 2018, 2019, 2020, 2022, 2023, 2024) with the following entries:

• First and last known sample of Project Wood
• First and last known sample of DCM (aka Dark Specter)
• First and last known sample of NSPX30
• NSPX30 detected in ESET telemetry
• First public report on Project Wood by Frankie Li
• First public report on DCM by Jianming
• G DATA publishes report about Operation TooHash
• Tencent publishes a report on DCM/Dark Specter
• NSPX30 cluster tracked as Blackwood

-----

###### Blackwood profile

|Targeted regions|Sectors|Toolkit|
|---|---|---|
|Japan, China, United Kingdom|Manufacturing, Individuals|NSPX30, AitM|

-----

###### Victims by country

• United Kingdom: an individual
• Japan: individuals
• China: individuals, a manufacturing and trading company, a Japanese engineering and manufacturing corporation

-----

### How does Blackwood use AitM?

-----

###### What we observed on victim machines

Tencent QQ software

http://dl_dir.qq.com/invc/qq/minibrowser.zip (183.134.93.142)

1. Tencentdl.exe updates from the legitimate server
2. Tencentdl.exe writes minibrowser_shell.dll to disk
3. QQ.exe loads the DLL

-----

###### Successfully hijacked software updates by Blackwood and others!

• Sogou Pinyin
• WPS Office
• Tencent QQ

-----

# MISSION FAILURE

-----

###### What we learned from the attacks

###### Initial access

NSPX30 dropper downloaded through HTTP by legitimate software.

###### Legitimate servers

IP addresses associated with the domains were from legitimate infrastructure.

###### Flexible dropper

NSPX30 dropper can be a DLL or an EXE and, if required, delivered in a ZIP archive.

-----

### NSPX30 and its design

-----

###### NSPX30 main features

###### Reliance on AitM

NSPX30 dropper component is delivered via hijacked updates. Communicates with its infrastructure through AitM.

###### Persistence (msnsp.dll)

Loader persisted as a Winsock Namespace Provider (NSP) DLL. The malicious DLL is automatically loaded into processes that use Winsock.

###### Highly modular

Composed of many components: loaders, orchestrator, backdoor, and three groups of plugins.
-----

###### Orchestrator main functionality

Diagram: the orchestrator starts Thread 1 and Thread 2. Between them the threads:

• download the backdoor from the Baidu website, then drop and load it
• load the plugins
• perform allowlisting

-----

###### Orchestrator plugins

The backdoor orchestrator downloads and loads the plugins:

|Plugin|Result|
|---|---|
|c001.dat, c002.dat, c003.dat|Found!|
|c005.dat, c006.dat, c007.dat|Not found|

-----

###### Orchestrator plugins

|Plugin c001.dat|Plugin c002.dat|
|---|---|
|Decrypts the DB key from Registry.db|Hooks functions in memory: Common.dll (SQL functions), KernelUtil.dll (Msg functions)|
|Decrypts the QQ databases|Issues SQL statements|

-----

###### Orchestrator plugins

Plugin c003.dat

• Input stream APIs (winmm.dll): waveInOpen, waveInAddBuffer, waveInClose
• Output stream APIs (winmm.dll): waveOutOpen, waveOutWrite, waveOutClose
• CoCreateInstance -> IMMDeviceEnumerator (ole32.dll)

-----

###### Allowlisting in security software

###### Tencent PC Manager

###### 360 Safeguard and Antivirus

###### Kingsoft Antivirus

-----

###### Allowlisting in Tencent PC Manager

Used by NSPX30:

• Loaders: msnsp.dll, mshlp.dll
• Orchestrator: WIN.cfg

-----

###### Target: 360 Antivirus / Target: 360 Safeguard

sl2.db: mshlp.dll, msnsp.dll

-----

###### Allowlisting in Kingsoft Antivirus

msnsp.dll

-----

###### Bonus mention: allowlisting in Windows Defender

-----

###### Overview of the backdoor's functionality

msfmtkl.dat (backdoor), embedded plugins a010.dat, b010.dat, b011.dat

• Gather system information
• Extract embedded plugins
• Load plugins from disk
• Configure plugins
• Download plugins
• Communicate with C&C (AitM)
• Exfiltrate collected data

-----

### Anonymizing the attacker's infrastructure via AitM

-----

###### How we believe Blackwood operates

Diagram: local network, router, Blackwood, unknown network implant.

-----

###### How we believe Blackwood operates

Traffic from the Tencent QQ server to the local network uses an unencrypted update protocol and passes through the router, where NSPX30 is injected.

http://dl_dir.qq.com/invc/qq/minibrowser.zip (183.134.93.142)

-----

###### How we believe Blackwood operates

NSPX30 packets from the local network are forwarded to the real attacker's infrastructure. NSPX30 packets appear legitimate.

-----

###### Downloading components

http://www.baidu.com

Fingerprint: /id=&ad=32&os=.&t=

User-Agent: Mozilla/4.0 (compatible;MSIE 5.0; Windows 98)

-----

###### UDP interception

Fingerprint:

• DNS server at 180.76.76.11/24
• Ports: 53, 4499, 8000
• Transaction ID always 0xFEAD
• Domain: microsoft.com
• Appended data to exfiltrate

-----

###### UDP interception

Beginning at 180.76.76.11, port 53 or 4499 or 8000

-----

###### Baidu DNS is at 180.76.76.76

-----

###### What about ISP infrastructure compromise?

-----

###### What about ISP compromise?

###### Global reach

Not all targets are located in China.

###### Not always China!

Some servers from the Baidu network 186.76.76.0/24 are anycast: they could be geolocated around the world.

###### Reliability

The AitM mechanism appears to be reliable. Exfiltration requires A LOT of packets.

###### Assessment: ISP compromise for AitM is unlikely.

-----

### The China-aligned AitM club

-----

###### China-aligned APTs with AitM capability tracked by ESET

Evasive Panda, LittleBear, LuoYu, Blackwood

AitM via compromised network device, or ISP? We don't know.
AitM working outside of China networks? Yes.

###### The update hijacking mechanism seems suspiciously similar for all four clusters

-----

###### TheWizards APT

|Targeted regions|Sectors|Toolkit|
|---|---|---|
|Philippines, Hong Kong, UAE, China|Gambling, Individuals|WizardNet, DarkNights, Spellbinder|

Spellbinder: lateral movement tool that performs AitM via an IPv6 Stateless Address Autoconfiguration (SLAAC) spoofing attack.

-----

###### TheWizards approach to AitM

Diagram of the exchange between Spellbinder, the victim and the attacker's server:

1. Spellbinder sends an ICMPv6 RA message to the victim. Prefix: 2001:db8::/64. RDNSS: 240e:56:4000:8000::11, 240e:56:4000:8000::22
2. The victim sends a DNS query for get.sogou.com
3. The DNS reply carries the malicious server IP
4. The victim gets the update via HTTP from the attacker's server: Dropper DLL

-----

###### Spellbinder's IPv6 SLAAC attack

• Attack vector discussed by the IETF as early as 2008
• IPv6 is enabled by default on modern Windows OS
• Very effective:
  ▪ Dozens of machines compromised in a short time
  ▪ No noticeable effect for the victims

-----

### Conclusion

-----

###### What is known and what is not known

Project Wood is alive and well:

• NSPX30 and DCM for Win32
• Project Wood for Win32
• Linux version recently found!

Is NSPX30 developed by a digital quartermaster?

How is Blackwood able to accurately find its victims in cyberspace?

The elusive AitM network implant

-----

###### Reports by CitizenLab and McAfee

-----

Thank you very much

#### Q&A

-----
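The "UDP interception" slides list the traits of NSPX30's exfiltration beacons (transaction ID 0xFEAD, queries for microsoft.com sent to 180.76.76.0/24 on port 53, 4499 or 8000, with data appended after the question). The following detector is an added example, not ESET's or the talk's code; it parses a raw UDP payload as DNS and flags datagrams that show all four traits, on constructed sample packets.

```python
import ipaddress
import struct

# Indicators taken from the "UDP interception" slide
BAIDU_DNS_NET = ipaddress.ip_network("180.76.76.0/24")
SUSPECT_PORTS = {53, 4499, 8000}
MAGIC_TXID = 0xFEAD
QNAME = "microsoft.com"

def parse_qname(payload: bytes, off: int):
    """Decode one DNS label sequence; returns (name, offset after it)."""
    labels = []
    while off < len(payload):
        ln = payload[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        if ln & 0xC0:                      # compression pointer: no plain name here
            return None, off + 1
        labels.append(payload[off:off + ln].decode("ascii", "replace"))
        off += ln
    return None, off

def inspect_udp(dst_ip: str, dst_port: int, payload: bytes) -> dict:
    """Report which NSPX30 beacon traits one UDP datagram shows."""
    v = {"txid": False, "dest": False, "qname": False, "trailing": 0}
    if len(payload) < 12:
        return v
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    v["txid"] = txid == MAGIC_TXID
    v["dest"] = ipaddress.ip_address(dst_ip) in BAIDU_DNS_NET and dst_port in SUSPECT_PORTS
    off = 12
    if qd == 1:
        name, off = parse_qname(payload, off)
        off += 4                                      # QTYPE + QCLASS
        v["qname"] = (name or "").lower() == QNAME
    # A plain query (QR=0, no other sections) should end after the question;
    # bytes beyond it are where the appended exfiltration data rides.
    if not (flags & 0x8000) and an == ns == ar == 0:
        v["trailing"] = max(0, len(payload) - off)
    return v

def is_nspx30_beacon(dst_ip: str, dst_port: int, payload: bytes) -> bool:
    v = inspect_udp(dst_ip, dst_port, payload)
    return v["txid"] and v["dest"] and v["qname"] and v["trailing"] > 0

def build_query(txid: int, name: str, extra: bytes = b"") -> bytes:
    """Constructed sample: a minimal A query, optionally with trailing bytes."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + q + b"\x00\x01\x00\x01" + extra

SAMPLES = [  # constructed (dst_ip, dst_port, payload) tuples, not real captures
    ("8.8.8.8", 53, build_query(0x1234, "www.example.com")),
    ("180.76.76.76", 53, build_query(0xFEAD, "microsoft.com")),            # no appended data
    ("180.76.76.11", 4499, build_query(0xFEAD, "microsoft.com", b"exfil-chunk-1")),
]

def scan(samples) -> list:
    """Indices of the samples that match the full beacon fingerprint."""
    return [i for i, (ip, port, pl) in enumerate(samples) if is_nspx30_beacon(ip, port, pl)]
```

Only the third sample is flagged: the second has the right ID, destination and name but carries nothing after the question, which is the trait that separates a beacon from an odd-looking but harmless query.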
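The "TheWizards approach to AitM" slides show Spellbinder pushing a rogue IPv6 prefix and RDNSS resolvers in an ICMPv6 Router Advertisement. The parser below is an added example, not code from the talk or from ESET; it decodes the RA options (RFC 4861 Prefix Information, RFC 8106 RDNSS) and reports resolvers that are not in an assumed set of the network's known resolvers, using a constructed RA built from the slide's values.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option (RFC 4861)
OPT_RDNSS = 25           # Recursive DNS Server option (RFC 8106)

def parse_ra(icmpv6: bytes) -> dict:
    """Extract advertised prefixes and RDNSS resolvers from one RA body."""
    if len(icmpv6) < 16 or icmpv6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    found = {"prefixes": [], "rdnss": []}
    off = 16                                  # fixed RA header is 16 bytes
    while off + 2 <= len(icmpv6):
        otype, olen = icmpv6[off], icmpv6[off + 1]   # olen is in 8-byte units
        if olen == 0:
            break                             # malformed option, stop parsing
        body = icmpv6[off + 2: off + olen * 8]
        if otype == OPT_PREFIX_INFO and olen == 4:
            # body: prefix len(1) flags(1) valid(4) preferred(4) reserved(4) prefix(16)
            found["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            # body: reserved(2) lifetime(4) then one 16-byte address per resolver
            for i in range(6, len(body) - 15, 16):
                found["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen * 8
    return found

def rogue_resolvers(icmpv6: bytes, trusted: set) -> list:
    """RDNSS addresses the RA pushes that are not the network's known resolvers."""
    return [a for a in parse_ra(icmpv6)["rdnss"] if a not in trusted]

def build_ra(prefix: str, plen: int, dns: list) -> bytes:
    """Constructed sample RA with one Prefix Information and one RDNSS option."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    pio += ipaddress.IPv6Address(prefix).packed
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 1800)
    rdnss += b"".join(ipaddress.IPv6Address(a).packed for a in dns)
    return hdr + pio + rdnss

# Prefix and RDNSS values from the slides; the trusted resolver set is an assumption.
SPELLBINDER_RA = build_ra("2001:db8::", 64,
                          ["240e:56:4000:8000::11", "240e:56:4000:8000::22"])
TRUSTED_RESOLVERS = {"2001:db8:1::53"}
```

Feeding RAs captured on a segment through `rogue_resolvers` with the segment's real resolver set is the detection the SLAAC slides imply: a host that learns resolvers outside that set will resolve get.sogou.com wherever the RA's sender wants.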