CyberSecurity news

FlagThis - #eset

@www.welivesecurity.com //
A China-aligned advanced persistent threat (APT) group known as TheWizards is actively abusing an IPv6 networking feature, Stateless Address Autoconfiguration (SLAAC), to launch adversary-in-the-middle (AitM) attacks. These attacks allow the group to hijack software updates and deploy Windows malware onto victim systems. ESET Research has been tracking TheWizards' activities since at least 2022, identifying targets including individuals, gambling companies, and other organizations in the Philippines, the United Arab Emirates, Cambodia, mainland China, and Hong Kong. The group relies on a custom-built tool named Spellbinder to carry out these attacks.

The Spellbinder tool functions by abusing the IPv6 Stateless Address Autoconfiguration (SLAAC) feature. It performs SLAAC spoofing to redirect IPv6 traffic to a machine controlled by the attackers, effectively turning it into a malicious IPv6-capable router. This enables the interception of network packets and DNS queries, specifically targeting software update domains. In a recent case, TheWizards hijacked updates for Tencent QQ, a popular Chinese software, to deploy their signature WizardNet backdoor.

ESET's investigation has also uncovered potential links between TheWizards and the Chinese company Dianke Network Security Technology, also known as UPSEC. The attack chain typically involves an initial access vector followed by the deployment of a ZIP archive containing files such as AVGApplicationFrameHost.exe, wsc.dll, log.dat, and winpcap.exe. The execution of these files ultimately leads to the launch of Spellbinder, which then carries out the AitM attack. Researchers advise users to be cautious about software updates and monitor network traffic for any suspicious activity related to IPv6 configurations.
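SLAAC spoofing works because hosts trust whichever ICMPv6 Router Advertisement (RA) they hear on the link, including its Prefix Information and RDNSS (DNS server) options. The following detection check is an added example, not code from ESET or from the reporting above: it parses raw RA packets and flags advertisements that do not come from the known router or that push an unknown DNS server. The allowlist values, the sample packets and the `build_ra` helper are constructed for the demonstration; in practice the packets would come from a capture on the monitored segment.

```python
import ipaddress
import struct

# Allowlist for the monitored segment. These are constructed, hypothetical values:
# replace them with the link-local address of the real router and the real DNS servers.
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
KNOWN_DNS = {ipaddress.IPv6Address("2001:db8::53")}

ICMPV6 = 58
ROUTER_ADVERTISEMENT = 134   # ICMPv6 type used by SLAAC (RFC 4861)
OPT_PREFIX_INFO = 3          # Prefix Information option
OPT_RDNSS = 25               # Recursive DNS Server option (RFC 8106)


def parse_ra(packet: bytes):
    """Parse an IPv6 packet carrying an ICMPv6 Router Advertisement.

    Returns a dict with the sender, hop limit, advertised prefixes and DNS
    servers, or None if the packet is not a Router Advertisement.
    """
    if len(packet) < 40:
        return None
    ver_tc_fl, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    if (ver_tc_fl >> 28) != 6 or next_hdr != ICMPV6:
        return None
    src = ipaddress.IPv6Address(packet[8:24])
    icmp = packet[40:40 + payload_len]
    if len(icmp) < 16 or icmp[0] != ROUTER_ADVERTISEMENT:
        return None
    router_lifetime = struct.unpack("!H", icmp[6:8])[0]
    prefixes, dns = [], []
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            break  # a zero-length option is malformed; stop rather than loop forever
        body = icmp[off:off + olen * 8]
        if otype == OPT_PREFIX_INFO and len(body) >= 32:
            prefixes.append(f"{ipaddress.IPv6Address(body[16:32])}/{body[2]}")
        elif otype == OPT_RDNSS and len(body) >= 24:
            for i in range(8, len(body) - 15, 16):   # 16-byte addresses after the 8-byte option header
                dns.append(ipaddress.IPv6Address(body[i:i + 16]))
        off += olen * 8
    return {"src": src, "hop_limit": hop_limit, "router_lifetime": router_lifetime,
            "prefixes": prefixes, "dns": dns}


def assess_ra(packet: bytes):
    """Return a list of findings; an empty list means the RA matches the allowlist."""
    ra = parse_ra(packet)
    if ra is None:
        return []
    findings = []
    if ra["src"] not in KNOWN_ROUTERS:
        findings.append(f"RA from unexpected router {ra['src']} advertising {ra['prefixes']}")
    for server in ra["dns"]:
        if server not in KNOWN_DNS:
            findings.append(f"RDNSS option pushes unknown DNS server {server}")
    if ra["hop_limit"] != 255:
        findings.append(f"RA hop limit is {ra['hop_limit']}, not 255 as RFC 4861 requires")
    return findings


def build_ra(src: str, prefix: str, plen: int, dns, hop_limit: int = 255) -> bytes:
    """Construct a sample RA packet for offline testing (ICMPv6 checksum left as zero)."""
    opts = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    opts += ipaddress.IPv6Address(prefix).packed
    if dns:
        opts += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 3600)
        opts += b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + opts
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp


if __name__ == "__main__":
    legit = build_ra("fe80::1", "2001:db8::", 64, ["2001:db8::53"])
    rogue = build_ra("fe80::dead", "2001:db8::", 64, ["2001:db8:bad::53"])
    for name, pkt in (("legit", legit), ("rogue", rogue)):
        print(name, assess_ra(pkt) or "ok")
```

The rogue sample advertises the same prefix as the real router, which is exactly what makes the attack hard to notice from the host's point of view; the tell is the unexpected sender and the extra DNS server. On a production segment the same logic belongs in a sensor that sees all multicast to ff02::1, or is replaced by RA Guard on the switch port where it is available.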

Recommended read:
References:
  • BleepingComputer: A China-aligned APT threat actor named 'TheWizards' abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
  • ESET Research: Details the toolset of the China-aligned APT group that we have named . It can move laterally on compromised networks by performing adversary-in-the-middle (AitM) attacks to hijack software updates.
  • The Hacker News: Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool
  • www.welivesecurity.com: Links between and the Chinese company Dianke Network Security Technology, also known as UPSEC.
  • www.bleepingcomputer.com: The China-aligned APT threat actor abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
  • The DefendOps Diaries: Unveiling the Threat: How 'The Wizards' Exploit IPv6 for Cyber Attacks
  • Security Risk Advisors: TheWizards APT Group Targets Southeast Asian Governments Using Rootkits and Cloud Tools
  • bsky.app: TheWizards APT group abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
  • cyberinsider.com: Chinese Hackers Use IPv6 SLAAC Spoofing to Deliver WizardNet Backdoor
  • WeLiveSecurity: ESET researchers analyzed Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks
  • www.scworld.com: IPv6 SLAAC exploited by Chinese APT for AitM attacks
  • Blog: ‘TheWizards’ exploit IPv6 feature as part of AitM attacks
  • Cyber Security News: Hackers Abuse IPv6 Stateless Address For AiTM Attack Via Spellbinder Tool
  • cybersecuritynews.com: Hackers Abuse IPv6 Stateless Address For AiTM Attack Via Spellbinder Tool
  • www.techradar.com: IPv6 networking feature hit by hackers to hijack software updates
  • hackread.com: Chinese Group TheWizards Exploits IPv6 to Drop WizardNet Backdoor

Andrey Gunkin@Securelist //
The APT group ToddyCat has been discovered exploiting a vulnerability, CVE-2024-11859, in ESET's command-line scanner (ecls) to conceal their malicious activities. This sophisticated attack, uncovered during investigations into ToddyCat-related incidents in early 2024, involved using a malicious DLL library to bypass security monitoring tools by executing malicious payloads within the context of a trusted security solution. Researchers detected a suspicious file named version.dll in the temp directories of multiple compromised systems, which was identified as a complex tool called TCESB, designed to stealthily execute payloads in circumvention of protection mechanisms.

The vulnerability stemmed from the ESET scanner's insecure loading of the system library version.dll, which allowed a malicious DLL of the same name to be loaded instead of the legitimate one. The attackers used a DLL-proxying technique: the malicious DLL exports the same functions as the legitimate library and forwards calls to the original, while executing malicious code in the background. By exploiting this weakness, ToddyCat was able to mask its activity inside a trusted process, making the threat difficult for traditional security measures to detect.

To further enhance their stealth, ToddyCat employed the Bring Your Own Vulnerable Driver (BYOVD) technique. They deployed the Dell driver DBUtilDrv2.sys, exploiting the CVE-2021-36276 vulnerability to achieve kernel-level access and tamper with kernel memory structures. This allowed them to disable system event notifications, such as process creation or dynamic library loading, making their activities even harder to detect. Recognizing the severity of the issue, ESET promptly patched the vulnerability (CVE-2024-11859) in January 2025.

Recommended read:
References:
  • cyberpress.org: ToddyCat Attackers Used ESET Command Line Scanner Vulnerability to Hide Their Tool
  • cybersecuritynews.com: ToddyCat, the notorious APT group, used a sophisticated attack strategy to stealthily deploy malicious code in targeted systems by exploiting a weakness in ESET’s command line scanner.  The vulnerability, now tracked as CVE-2024-11859, allowed attackers to bypass security monitoring tools by executing malicious payloads within the context of a trusted security solution. In early 2024,
  • Securelist: While analyzing a malicious DLL library used in attacks by APT group ToddyCat, Kaspersky expert discovered the CVE 2024-11859 vulnerability in a component of ESET’s EPP solution.
  • gbhackers.com: In a stark demonstration of Advanced Persistent Threat (APT) sophistication, the ToddyCat group has been discovered using a vulnerability in ESET’s Command Line Scanner (ecls) to mask their malicious activities. The attack came to light when researchers detected a suspicious file named version.dll in the temp directories of multiple compromised systems. This file was identified as a tool called TCESB,
  • gbhackers.com: ToddyCat Attackers Exploited ESET Command Line Scanner Vulnerability to Conceal Their Tool
  • securityonline.info: CVE-2024-11859: ToddyCat Group Hides Malware in ESET’s Scanner to Bypass Security
  • ciso2ciso.com: How ToddyCat tried to hide behind AV software – Source: securelist.com
  • cyberinsider.com: Kaspersky details how ToddyCat APT exploits ESET antivirus flaw to bypass Windows security.
  • Cyber Security News: Detailed article on the ToddyCat group hiding malware in ESET's scanner to bypass security.
  • securityonline.info: Security Online covers CVE-2024-11859, detailing how ToddyCat hides malware in ESET's scanner to bypass security.
  • Cyber Security News: In a stark demonstration of Advanced Persistent Threat (APT) sophistication, the ToddyCat group has been discovered using a vulnerability in ESET's command-line scanner (CVE-2024-11859) to stealthily execute a malicious tool named TCESB.
  • CyberInsider: Security researchers have uncovered a sophisticated cyberespionage technique used by the ToddyCat APT group to execute malicious payloads undetected — by hijacking a vulnerability in a command-line scanner component of ESET's own antivirus suite.
  • www.csoonline.com: CSOOnline article about Chinese ToddyCat abuses ESET antivirus bug for malicious activities
  • securelist.com: How ToddyCat tried to hide behind AV software
  • support.eset.com: Advisory from ESET
  • The Hacker News: The Hacker News article on New TCESB Malware Found in Active Attacks Exploiting ESET Security Scanner
  • ciso2ciso.com: New TCESB Malware Found in Active Attacks Exploiting ESET Security Scanner – Source:thehackernews.com
  • eSecurity Planet: ToddyCat Hackers Exploit ESET Flaw to Launch Stealthy TCESB Attack
  • securityaffairs.com: An APT group exploited ESET flaw to execute malware
  • www.esecurityplanet.com: ToddyCat Hackers Exploit ESET Flaw to Launch Stealthy TCESB Attack
  • www.cysecurity.news: ToddyCat Hackers Exploit ESET Vulnerability to Deploy Stealth Malware TCESB

Aman Mishra@gbhackers.com //
ESET researchers have uncovered connections between RansomHub affiliates and other ransomware groups, including Medusa, BianLian, and Play. This link is established through the shared use of EDRKillShifter, a custom tool designed to disable endpoint detection and response (EDR) software on compromised systems. EDRKillShifter utilizes a "Bring Your Own Vulnerable Driver" (BYOVD) tactic, leveraging a legitimate but vulnerable driver to terminate security solutions, ensuring the smooth execution of ransomware encryptors without detection.

This sharing of tools highlights an evolving trend in the ransomware landscape, where groups collaborate and repurpose tooling from rivals. ESET's analysis reveals that even closed ransomware-as-a-service (RaaS) operations like Play and BianLian, known for their consistent use of core tools, have members utilizing EDRKillShifter in their attacks. RansomHub, a relatively new player, quickly rose to prominence in the ransomware scene after emerging in February 2024, dominating the landscape by recruiting affiliates from disrupted groups such as LockBit and BlackCat. The tool, custom-developed by RansomHub, is offered to its affiliates as part of its RaaS program.
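Both the ToddyCat case above (a version.dll proxy loaded by ESET's scanner, followed by the DBUtilDrv2.sys BYOVD step) and the EDRKillShifter case here (a BYOVD driver used to terminate EDR) leave the same two kinds of endpoint telemetry: an image load of a system-named DLL from a non-system directory, and a driver load matching a known-vulnerable driver. The triage routine below is an added example, not code from ESET, Kaspersky or any of the outlets cited; it runs simple rules over Sysmon-style Event ID 7 (image loaded) and Event ID 6 (driver loaded) records. The JSON events, the process path and the hash values are constructed for the demonstration, and the hash allowlist holds a placeholder rather than a real driver hash.

```python
import json
import ntpath

# Directories from which a DLL named like a system library is expected to load.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# System DLL names that the reported attacks shadowed (version.dll is the one named above);
# extend with other commonly proxied libraries as appropriate for your environment.
SHADOWED_SYSTEM_DLLS = {"version.dll"}
# Driver file names associated with BYOVD abuse; DBUtilDrv2.sys is the one named above.
# File names are trivially renamed, so production rules should also match on hash.
VULNERABLE_DRIVER_NAMES = {"dbutildrv2.sys"}
# Placeholder entry (NOT a real hash) standing in for a known-vulnerable-driver hash list.
VULNERABLE_DRIVER_HASHES = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}


def _norm(path: str) -> str:
    """Normalise a Windows path so case and slash direction do not defeat the match."""
    return ntpath.normpath(path).lower()


def check_image_load(ev: dict):
    """Sysmon-style Event ID 7: flag a system DLL name loaded from a non-system directory."""
    image = _norm(ev["ImageLoaded"])
    if ntpath.basename(image) in SHADOWED_SYSTEM_DLLS and ntpath.dirname(image) not in SYSTEM_DIRS:
        return (f"possible DLL proxying: {ev['Image']} loaded {ev['ImageLoaded']} "
                f"instead of the System32 copy")
    return None


def check_driver_load(ev: dict):
    """Sysmon-style Event ID 6: flag known-vulnerable drivers by file name or SHA256."""
    name = ntpath.basename(_norm(ev["ImageLoaded"]))
    # Sysmon encodes hashes as "SHA256=...,MD5=..."; split into a dict.
    hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
    sha256 = hashes.get("SHA256", "").upper()
    if name in VULNERABLE_DRIVER_NAMES or sha256 in VULNERABLE_DRIVER_HASHES:
        return f"BYOVD candidate: driver {ev['ImageLoaded']} loaded (sha256={sha256 or 'n/a'})"
    return None


RULES = {7: check_image_load, 6: check_driver_load}


def triage(lines):
    """Run the rules over JSON-encoded events and return the findings in event order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        rule = RULES.get(ev.get("EventID"))
        if rule:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events (not real telemetry). The scanner path and hashes are invented;
# only the file names version.dll and DBUtilDrv2.sys come from the reporting above.
SAMPLE_EVENTS = [
    '{"EventID": 7, "Image": "C:\\\\Tools\\\\ecls.exe", "ImageLoaded": "C:\\\\Windows\\\\System32\\\\version.dll"}',
    '{"EventID": 7, "Image": "C:\\\\Tools\\\\ecls.exe", "ImageLoaded": "C:\\\\Users\\\\u\\\\AppData\\\\Local\\\\Temp\\\\version.dll"}',
    '{"EventID": 6, "ImageLoaded": "C:\\\\Windows\\\\Temp\\\\DBUtilDrv2.sys", "Hashes": "SHA256=CONSTRUCTED0000"}',
    '{"EventID": 6, "ImageLoaded": "C:\\\\Windows\\\\System32\\\\drivers\\\\tcpip.sys", "Hashes": "SHA256=CONSTRUCTED1111"}',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The first rule is the general form of what the ToddyCat reporting describes: a legitimate, signed process pulling a system-named library from a writable directory such as a user's temp folder. The second rule is deliberately name-or-hash so that a renamed copy of a vulnerable driver is still caught by its hash; the placeholder set is where a curated vulnerable-driver hash list would be loaded.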

Recommended read:
References:
  • DataBreaches.Net: The RansomHub ransomware-as-a-service (RaaS) operation affiliates were linked to established gangs Medusa, BianLian, and Play, which share the use of RansomHub’s custom-developed EDRKillShifter.
  • The Hacker News: Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks
  • hackread.com: Cybercriminals exploit AbyssWorker driver to disable EDR systems, deploying MEDUSA ransomware with revoked certificates for stealthy attacks.
  • gbhackers.com: New Research Links RansomHub’s EDRKillShifter to Established Ransomware Gangs
  • Cyber Security News: New Research Reveals RansomHub’s EDRKillShifter Connected to Major Ransomware Gangs
  • www.cybersecuritydive.com: Custom tool developed by RansomHub, dubbed “EDRKillShifter,” is used by several other rival ransomware gangs.

Mandvi@Cyber Security News //
The FishMonger APT, a Chinese cyber-espionage group with ties to the cybersecurity contractor I-SOON, has been implicated in a global espionage operation known as Operation FishMedley. This campaign, active in 2022, targeted a diverse range of entities, including governments, non-governmental organizations (NGOs), and think tanks across Asia, Europe, and the United States. These findings come as the US Department of Justice unsealed an indictment against I-SOON employees for their alleged involvement in espionage campaigns spanning from 2016 to 2023.

The attacks involved sophisticated malware implants such as ShadowPad, Spyder, and SodaMaster, tools frequently associated with China-aligned threat actors. These implants facilitated data theft, surveillance, and network penetration. In one case, the attackers used the Impacket tool to escalate privileges, execute commands, and extract sensitive authentication data from a US-based NGO. ESET's independent research confirms FishMonger is an espionage team operated by I-SOON, highlighting the ongoing threat posed by China-aligned APT groups to sensitive sectors worldwide.

Recommended read:
References:
  • Cyber Security News: Chinese FishMonger APT Linked to I-SOON Targets Governments and NGOs
  • Virus Bulletin: ESET's Matthieu Faou writes about Operation FishMedley, a global espionage operation by FishMonger, the China-aligned APT group run by I-SOON. In the victims list: governments, NGOs and think tanks across Asia, Europe and the United States.
  • FishMonger APT Group Linked to I-SOON in Espionage Campaigns
  • gbhackers.com: GB Hackers: I-SOON’s ‘Chinese Fishmonger’ APT Targets Government Entities and NGOs
  • Talkback Resources: Talkback: Chinese I-Soon Hackers Hit 7 Organizations in Operation FishMedley [net] [rev] [mal]