Legitimate software updates has reportedly been compromised by China hackers by implanting spyware in major applications against companies and users from the United Kingdom, Japan, and China since 2018.

The cybergroup behind this new spyware, coined as Blackwood, is believed to be linked with China and has been discovered to be using software upgrades to install spyware that researchers have called as the NSPX30. The virus has been spread by inherent methods found in Tencent QQ, Sogou Pinyin, and WPS Office applications. 

(Photo : Jake Schumacher from Unsplash)
According to the reports, the Lapsus$ members are still hacking despite the recent arrest done by the UK police.

The virus itself, as per the researchers from ESET, is used to deliver a set of droppers, installers, loaders, and orchestrators. Hacking tools that are generally used by cybercriminals to install even more spyware and various malware into a device, once successfully integrated into the software.

A backdoor tool is also stated to be one of the capabilities of the NSPX30 spyware, meaning hackers are able to gain high level user access within the compromised systems. Specifically, hackers can gather file metadata, stop particular programs, take screenshots, record keystrokes, and even delete itself from the device.

Read Also: British Spy Agency Warns AI Will Help Hackers Increase Cyberattacks 

Advanced Spyware

Additionally, reports indicates that contact lists and conversation logs from Tencent QQ, WeChat, Telegram, Skype, CloudChat, RaidCall, YY, and AliWangWang may be obtained using the backdoor. 

With the ability to conceal its infrastructure through packet interception, NSPX30 reportedly exhibits a remarkable level of technological innovation and allows for covert operations. 

The victims of the newly-dicovered spyware is said to be unnamed people in China and Japan, an unidentified Chinese speaker linked to the network of a prominent public research university in the UK, a sizable manufacturing and trading company in China, and the Chinese branch of a Japanese corporation, revealed after subsequent investigations. 

Reports noted that that attackers frequently attempted to re-enter a user's system after losing access, suggesting focused, purposeful attacks, directed to specific individuals and businesses. Worryingly, this new spyware is also said to be capable of bypassing Chinese anti-malware software.

China-Linked Blackwood

Active since at least 2018, Blackwood is an APT organization linked with China that conducts cyber espionage targeting Chinese and Japanese people and businesses. 

A separate report notes that Blackwood most likely shares access with other Chinese APT organizations, since it witnessed the system of one firm being attacked by toolkits connected with numerous actors, e.g. LittleBear, LuoYu, and evasive Panda. 

Bleeping Computer notes that it is unclear exactly what technique allows Blackwood to intercept the traffic in the first place but noted that ESET says would be feasible to use an implant on susceptible equipment like routers or gateways within the targets' networks.

In addition to offering defenders a list of symptoms of compromise they may employ to safeguard their environment, ESET's research contains comprehensive technical data about the virus and its mechanism of operation. 

Related Article: Researchers Discover 26 Billion Records Leaked, LinkedIn, Dropbox, Twitter Users' Data at Risk