- Chinese threat actor TheWizards observed running a SLAAC attack since 2022
- The attack delivers tainted software updates
- Most victims are in China, Hong Kong, the Philippines, and UAE
A threat actor called TheWizards has been running SLAAC spoofing attacks to target organizations, cybersecurity researchers ESET have revealed, claiming the group is aligned with the Chinese government.
In the campaign, the attackers would use a tool called Spellbinder to send fake Router Advertisement (RA) messages to their targets.
These messages trick devices into thinking the attacker’s system is the legitimate router, causing them to route all their internet traffic through the hacker’s machine. Since this method manipulates the Stateless Address Autoconfiguration (SLAAC) process, the entire attack was dubbed “SLAAC spoofing”.
Active at press time
Once TheWizards start controlling the traffic, they use Spellbinder to intercept DNS queries for legitimate software update domains and redirect them.
As a result, the victims end up downloading trojanized versions of software updates, containing the WizardNet backdoor.
This piece of malware, ESET further explained, grants TheWizards remote access to the victim devices. It communicates over encrypted TCP or UDP sockets, and uses a SessionKey based on system identifiers for AES encryptions.
Besides loading and executing .NET modules in-memory, WizardNet can extract system data, list running processes, and maintain persistence.
The campaign has been ongoing since at least 2022, ESET added, mainly targeting people and businesses in China, Hong Kong, Cambodia, the Philippines, and the UAE.
Apparently, the crooks are currently tricking people into downloading a fake Tencent update: “The malicious server that issues the update instructions was still active at the time of writing,” ESET said. Most of the corporate victims seem to be in the gambling vertical.
ESET also said that Spellbinder is monitoring for domains belonging not just to Tencent, but also Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Yuodao, Xiaomi, Xiaomi Miui, PPLive, Meitu, Quihoo 360, and Baofeng.
The best way to mitigate the risk is to monitor IPv6 traffic, or turn off the protocol if it’s not required in the environment, ESET concluded.
Via BleepingComputer
Leave a comment