- TheWizards, a China-aligned threat actor observed by ESET, has been carrying out SLAAC spoofing attacks since 2022
- The attack delivers trojanized software updates
- Most victims are in China, Hong Kong, the Philippines and the UAE
A threat actor named TheWizards has been carrying out SLAAC spoofing attacks against organizations, cybersecurity researchers at ESET have revealed, claiming that the group is aligned with the Chinese government.
In the campaign, the attackers use a tool called Spellbinder to send spoofed Router Advertisement (RA) messages to their targets.
These messages trick devices into treating the attacker's machine as the legitimate router, so that all of their internet traffic is routed through it. Because the technique abuses IPv6 Stateless Address Autoconfiguration (SLAAC), the attack has been dubbed "SLAAC spoofing".
Still active at the time of writing
Once TheWizards control the traffic, they use Spellbinder to intercept DNS queries for legitimate software update domains and redirect them.
As a result, victims end up downloading trojanized versions of software updates that contain the WizardNet backdoor.
This malware, ESET explained, gives TheWizards remote access to victims' devices. It communicates over encrypted TCP or UDP sockets and uses a session key derived from system identifiers for its AES encryption.
In addition to loading and executing .NET modules in memory, WizardNet can collect system information, list running processes and maintain persistence.
The campaign has been ongoing since at least 2022, ESET added, mainly targeting individuals and businesses in China, Hong Kong, Cambodia, the Philippines and the United Arab Emirates.
At present, the attackers appear to be tricking people into downloading a fake Tencent update: "The malicious server that issues the update instructions was still active at the time of writing," ESET said. Most corporate victims seem to be in the gaming vertical.
ESET also said that Spellbinder monitors domains belonging not only to Tencent but also to Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Yuodao, Xiaomi, Xiaomi Miui, PPLive, Meitu, Qihoo 360 and Baofeng.
The best way to mitigate the risk is to monitor IPv6 traffic, or to disable the protocol where it is not needed in the environment, ESET concluded.
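As an added illustration of the "monitor IPv6 traffic" advice above (this is example code written for this page, not ESET's tooling and not anything from the campaign), the following Python checks a feed of Router Advertisement events against an allowlist of the routers, prefixes and DNS servers that are supposed to exist on a segment. The event format, the trusted values and the sample events are all constructed assumptions; in practice the events would come from a capture or from a switch's RA Guard logs.

```python
"""Flag rogue IPv6 Router Advertisements (RAs) in a constructed event feed.

Assumptions (hypothetical, not from the article): RA events have already been
extracted from a capture into records with the sender's MAC, the sender's
link-local address, the advertised prefix, the advertised DNS servers (the
RDNSS option) and the router lifetime.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network


@dataclass(frozen=True)
class RouterAdvertisement:
    src_mac: str
    src_ip: str
    prefix: str
    rdnss: tuple[str, ...]
    router_lifetime: int


# Allowlist for the segment: constructed sample values, replace with your own.
TRUSTED_ROUTERS = {"02:00:00:aa:bb:01": "fe80::1"}          # MAC -> link-local
TRUSTED_PREFIXES = {IPv6Network("2001:db8:1::/64")}
TRUSTED_RDNSS = {IPv6Address("2001:db8:1::53")}


def classify_ra(ra: RouterAdvertisement) -> list[str]:
    """Return the reasons this RA looks rogue; an empty list means it passes."""
    reasons = []
    src_ip = IPv6Address(ra.src_ip)

    # RFC 4861 requires RAs to come from a link-local source address.
    if not src_ip.is_link_local:
        reasons.append("source address is not link-local")

    # A sender that is not one of our routers is the core SLAAC-spoofing signal.
    if ra.src_mac not in TRUSTED_ROUTERS:
        reasons.append(f"unknown router MAC {ra.src_mac}")
    elif IPv6Address(TRUSTED_ROUTERS[ra.src_mac]) != src_ip:
        reasons.append("link-local address does not match the trusted router")

    # A prefix we never assigned would make hosts autoconfigure attacker-chosen
    # addresses and route through the advertising machine.
    if ra.prefix and IPv6Network(ra.prefix) not in TRUSTED_PREFIXES:
        reasons.append(f"unexpected prefix {ra.prefix}")

    # An RDNSS option pointing at an unknown resolver enables DNS interception
    # of the kind described in the article.
    for dns in ra.rdnss:
        if IPv6Address(dns) not in TRUSTED_RDNSS:
            reasons.append(f"unexpected RDNSS server {dns}")
    return reasons


def scan(events: list[RouterAdvertisement]) -> dict[int, list[str]]:
    """Map the index of each suspicious event to its list of reasons."""
    findings = {}
    for i, ra in enumerate(events):
        reasons = classify_ra(ra)
        if reasons:
            findings[i] = reasons
    return findings


# Constructed sample feed: one legitimate RA, one from an unknown host that
# advertises its own prefix and resolver, and one that spoofs the trusted MAC
# but sends from a global address.
SAMPLE_EVENTS = [
    RouterAdvertisement("02:00:00:aa:bb:01", "fe80::1",
                        "2001:db8:1::/64", ("2001:db8:1::53",), 1800),
    RouterAdvertisement("02:00:00:cc:dd:02", "fe80::c0ff:ee",
                        "2001:db8:99::/64", ("fe80::c0ff:ee",), 1800),
    RouterAdvertisement("02:00:00:aa:bb:01", "2001:db8:1::1",
                        "2001:db8:1::/64", (), 1800),
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

The allowlist approach is deliberately simple: on a managed network the set of legitimate routers is small and known, so any RA from another MAC, with another prefix or with another resolver is worth an alert. Where IPv6 is not used at all, the cleaner control ESET points to is disabling it (or enabling RA Guard on the switches), in which case this kind of monitoring becomes a backstop rather than the primary defence.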
Via BleepingComputer