This top Microsoft Office alternative has been hijacked by Chinese hackers — and their malware is coming for your devices

A computer being guarded by cybersecurity.
(Image credit: iStock)

Chinese hackers are hijacking legitimate software updates to deliver backdoors capable of stealing sensitive information from the target endpoints, experts have warned. 

A new report from cybersecurity researchers ESET recently observed a previously unknown threat actor which they dubbed Blackwood. 

This group, which apparently is on the Chinese government’s payroll, delivers malware through software updates for legitimate tools such as WPS Office, Tencent QQ, and Sogou Pinyin.

Potent tool

This doesn’t seem to be a classic supply chain attack, as the software itself is not compromised, and neither are the updates. Instead, the hackers intercept the traffic between the server hosting the update and the target endpoint and work in the middle. It is unknown exactly how the attackers are able to intercept the traffic. ESET believes Blackwood might be using an implant in the victims’ networks, possibly in routers and similar devices.

The malware they look to install on target endpoints is called NSPX30. The researchers describe this malware as “sophisticated”, and say its built upon a simple backdoor from 2005 called Project Wood. 

NSPX30 has grown into a capable tool, however. Today, it can log keystrokes, grab screenshots, pull system information, and exfiltrate other data from the devices. It can also steal chat logs and contact lists from different communications apps, including Telegram, and Skype. Finally, it can terminate processes by PID, create a reverse shell, move files, and uninstall itself if necessary.

Most of the victims seem to be located in China. However, there are compromised devices in Japan, and the United Kingdom, too. Blackwood’s activities can be traced back to 2020.  

Those looking to stay protected from Blackwood and similar threats should read ESET’s in-depth report on the malware and its operations, here. This report, among other things, offers a list of indicators of compromise which IT teams can use to protect their infrastructure. 

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.