CyberSecurity news

Source: www.welivesecurity.com
A China-aligned advanced persistent threat (APT) group known as TheWizards is actively exploiting a vulnerability in IPv6 networking to launch sophisticated adversary-in-the-middle (AitM) attacks. These attacks allow the group to hijack software updates and deploy Windows malware onto victim systems. ESET Research has been tracking TheWizards' activities since at least 2022, identifying targets including individuals, gambling companies, and other organizations in the Philippines, the United Arab Emirates, Cambodia, mainland China, and Hong Kong. The group leverages a custom-built tool named Spellbinder to facilitate these attacks.

The Spellbinder tool works by abusing the IPv6 Stateless Address Autoconfiguration (SLAAC) feature. It performs SLAAC spoofing to redirect IPv6 traffic to a machine controlled by the attackers, effectively turning that machine into a malicious IPv6-capable router. This lets the group intercept network packets and DNS queries, specifically those for software update domains. In a recent case, TheWizards hijacked updates for Tencent QQ, a popular Chinese application, to deploy their signature WizardNet backdoor.

ESET's investigation has also uncovered potential links between TheWizards and the Chinese company Dianke Network Security Technology, also known as UPSEC. The attack chain typically involves an initial access vector followed by the deployment of a ZIP archive containing files such as AVGApplicationFrameHost.exe, wsc.dll, log.dat, and winpcap.exe. The execution of these files ultimately leads to the launch of Spellbinder, which then carries out the AitM attack. Researchers advise users to be cautious about software updates and monitor network traffic for any suspicious activity related to IPv6 configurations.
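As a defender-side illustration of the monitoring advice above, the following is an added example (not ESET's code and not part of the original article) that parses ICMPv6 Router Advertisements from raw Ethernet frames and flags advertisements that come from a router not on an allowlist, or that carry an RDNSS option pointing hosts at an untrusted resolver, which is one way a rogue SLAAC router can capture DNS queries. The two sample frames, the trusted-router table and the resolver addresses are constructed for the example; ICMPv6 checksum validation and IPv6 extension-header parsing are deliberately omitted.

```python
import struct
import ipaddress
from dataclasses import dataclass, field

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFO = 3   # RFC 4861 prefix information option
OPT_RDNSS = 25        # RFC 8106 recursive DNS server option


@dataclass
class RouterAdvertisement:
    src_mac: str
    src_ip: ipaddress.IPv6Address
    router_lifetime: int
    prefixes: list = field(default_factory=list)
    dns_servers: list = field(default_factory=list)


def parse_router_advertisement(frame: bytes):
    """Decode an Ethernet/IPv6/ICMPv6 Router Advertisement; return None for anything else.

    Only the fields needed for rogue-router detection are decoded. The ICMPv6
    checksum is not validated and IPv6 extension headers are not handled.
    """
    if len(frame) < 14 + 40 + 16 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ip_hdr = frame[14:54]
    payload_len, next_header, hop_limit = struct.unpack("!HBB", ip_hdr[4:8])
    # RFC 4861 requires hop limit 255 so that RAs cannot have been forwarded.
    if next_header != NEXT_HEADER_ICMPV6 or hop_limit != 255:
        return None
    src_ip = ipaddress.IPv6Address(ip_hdr[8:24])
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    ra = RouterAdvertisement(src_mac, src_ip, struct.unpack("!H", icmp[6:8])[0])
    offset = 16  # options start after the fixed 16-byte RA header
    while offset + 2 <= len(icmp):
        opt_type, opt_len = icmp[offset], icmp[offset + 1]
        if opt_len == 0:
            return None  # zero-length option: RFC 4861 says discard the packet
        opt = icmp[offset:offset + opt_len * 8]
        if len(opt) < opt_len * 8:
            return None  # truncated option
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            ra.prefixes.append(ipaddress.IPv6Network((opt[16:32], opt[2]), strict=False))
        elif opt_type == OPT_RDNSS and opt_len >= 3 and (len(opt) - 8) % 16 == 0:
            for i in range(8, len(opt), 16):
                ra.dns_servers.append(ipaddress.IPv6Address(opt[i:i + 16]))
        offset += opt_len * 8
    return ra


def check_router_advertisement(ra, trusted_routers, trusted_dns):
    """Return a list of findings for one RA; an empty list means it looks legitimate.

    trusted_routers maps a router MAC to its expected link-local address;
    trusted_dns is the set of resolvers hosts are allowed to learn via RDNSS.
    """
    findings = []
    expected = trusted_routers.get(ra.src_mac)
    if expected is None:
        findings.append(f"RA from unknown router MAC {ra.src_mac} ({ra.src_ip})")
    elif ipaddress.IPv6Address(expected) != ra.src_ip:
        findings.append(f"RA from {ra.src_mac} with unexpected source {ra.src_ip}")
    if not ra.src_ip.is_link_local:
        findings.append(f"RA source {ra.src_ip} is not link-local")
    for dns in ra.dns_servers:
        if dns not in trusted_dns:
            findings.append(f"RDNSS option advertises untrusted resolver {dns}")
    return findings


# Constructed sample frames (not real captures). Checksums are left as zero.
SAMPLE_FRAMES = {
    # Legitimate RA from the known router: source link-layer address + prefix 2001:db8:1::/64
    "legitimate": bytes.fromhex(
        "33 33 00 00 00 01  00 11 22 33 44 55  86 dd"
        "60 00 00 00  00 38  3a  ff"
        "fe 80 00 00 00 00 00 00 02 11 22 ff fe 33 44 55"
        "ff 02 00 00 00 00 00 00 00 00 00 00 00 00 00 01"
        "86 00 00 00  40 00 07 08  00 00 00 00  00 00 00 00"
        "01 01 00 11 22 33 44 55"
        "03 04 40 c0  00 27 8d 00  00 09 3a 80  00 00 00 00"
        "20 01 0d b8 00 01 00 00 00 00 00 00 00 00 00 00"
    ),
    # Rogue RA from an unknown host that also advertises itself as the DNS resolver
    "rogue": bytes.fromhex(
        "33 33 00 00 00 01  de ad be ef 00 01  86 dd"
        "60 00 00 00  00 50  3a  ff"
        "fe 80 00 00 00 00 00 00 dc ad be ff fe ef 00 01"
        "ff 02 00 00 00 00 00 00 00 00 00 00 00 00 00 01"
        "86 00 00 00  40 00 07 08  00 00 00 00  00 00 00 00"
        "01 01 de ad be ef 00 01"
        "03 04 40 c0  00 27 8d 00  00 09 3a 80  00 00 00 00"
        "20 01 0d b8 00 01 00 00 00 00 00 00 00 00 00 00"
        "19 03 00 00  00 00 07 08"
        "fe 80 00 00 00 00 00 00 dc ad be ff fe ef 00 01"
    ),
}

# Constructed allowlist for the example network.
TRUSTED_ROUTERS = {"00:11:22:33:44:55": "fe80::211:22ff:fe33:4455"}
TRUSTED_DNS = {ipaddress.IPv6Address("2001:db8:1::53")}


def scan_frames(frames, trusted_routers=TRUSTED_ROUTERS, trusted_dns=TRUSTED_DNS):
    """Map each frame name to its findings; frames that are not RAs are skipped."""
    results = {}
    for name, frame in frames.items():
        ra = parse_router_advertisement(frame)
        if ra is not None:
            results[name] = check_router_advertisement(ra, trusted_routers, trusted_dns)
    return results


if __name__ == "__main__":
    for name, findings in scan_frames(SAMPLE_FRAMES).items():
        print(name, "->", findings or "ok")
```

In production the same checks belong at the switch (RA Guard, RFC 6105) or in a sensor fed by a span port; this script only shows what such a sensor looks for. Any RA whose source is not a known router is worth an alert on its own, because a host has no legitimate reason to send one.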
Image attribution: https://web-assets.esetstatic.com/wls/2025/04-25/eset-research-thewizards-slac-spoofing-adversary-middle.png



References:
  • BleepingComputer: A China-aligned APT threat actor named 'TheWizards' abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
  • ESET Research: Details the toolset of the China-aligned APT group that we have named . It can move laterally on compromised networks by performing adversary-in-the-middle (AitM) attacks to hijack software updates.
  • The Hacker News: Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool
  • www.welivesecurity.com: Links between and the Chinese company Dianke Network Security Technology, also known as UPSEC.
  • www.bleepingcomputer.com: The China-aligned APT threat actor abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
  • The DefendOps Diaries: Unveiling the Threat: How 'The Wizards' Exploit IPv6 for Cyber Attacks
  • Security Risk Advisors: TheWizards APT Group Targets Southeast Asian Governments Using Rootkits and Cloud Tools
  • bsky.app: TheWizards APT group abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
  • cyberinsider.com: Chinese Hackers Use IPv6 SLAAC Spoofing to Deliver WizardNet Backdoor
  • WeLiveSecurity: ESET researchers analyzed Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks
  • www.scworld.com: IPv6 SLAAC exploited by Chinese APT for AitM attacks
  • Blog: ‘TheWizards’ exploit IPv6 feature as part of AitM attacks
  • Cyber Security News: Hackers Abuse IPv6 Stateless Address For AiTM Attack Via Spellbinder Tool
  • cybersecuritynews.com: Hackers Abuse IPv6 Stateless Address For AiTM Attack Via Spellbinder Tool
  • www.techradar.com: IPv6 networking feature hit by hackers to hijack software updates
  • hackread.com: Chinese Group TheWizards Exploits IPv6 to Drop WizardNet Backdoor
Classification:
  • HashTags: #APT #IPv6 #China
  • Company: ESET
  • Target: Individuals, Companies
  • Attacker: TheWizards
  • Product: Spellbinder
  • Feature: SLAAC Spoofing
  • Malware: WizardNet
  • Type: APT
  • Severity: Major