IPv6 networking feature hit by hackers to hijack software updates

• Chinese threat actor TheWizards observed running a SLAAC attack since 2022
• The attack delivers tainted software updates
• Most victims are in China, Hong Kong, the Philippines, and UAE

A threat actor called TheWizards has been running SLAAC spoofing attacks to target organizations, cybersecurity researchers ESET have revealed, claiming the group is aligned with the Chinese government.

In the campaign, the attackers would use a tool called Spellbinder to send fake Router Advertisement (RA) messages to their targets.

These messages trick devices into thinking the attacker’s system is the legitimate router, causing them to route all their internet traffic through the hacker’s machine. Since this method manipulates the Stateless Address Autoconfiguration (SLAAC) process, the entire attack was dubbed “SLAAC spoofing”.

Get Keeper Personal for just $1.67/month, Keeper Family for just $3.54/month, and Keeper Business for just $7/month

​Keeper is a cybersecurity platform primarily known for its password manager and digital vault, designed to help individuals, families, and businesses securely store and manage passwords, sensitive files, and other private data.

It uses zero-knowledge encryption and offers features like two-factor authentication, dark web monitoring, secure file storage, and breach alerts to protect against cyber threats.

Preferred partner (What does this mean?)

View Deal

Active at press time

Once TheWizards start controlling the traffic, they use Spellbinder to intercept DNS queries for legitimate software update domains and redirect them.

As a result, the victims end up downloading trojanized versions of software updates, containing the WizardNet backdoor.

This piece of malware, ESET further explained, grants TheWizards remote access to the victim devices. It communicates over encrypted TCP or UDP sockets, and uses a SessionKey based on system identifiers for AES encryptions.

Besides loading and executing .NET modules in-memory, WizardNet can extract system data, list running processes, and maintain persistence.

The campaign has been ongoing since at least 2022, ESET added, mainly targeting people and businesses in China, Hong Kong, Cambodia, the Philippines, and the UAE.

Apparently, the crooks are currently tricking people into downloading a fake Tencent update: “The malicious server that issues the update instructions was still active at the time of writing,” ESET said. Most of the corporate victims seem to be in the gambling vertical.

ESET also said that Spellbinder is monitoring for domains belonging not just to Tencent, but also Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Yuodao, Xiaomi, Xiaomi Miui, PPLive, Meitu, Quihoo 360, and Baofeng.

The best way to mitigate the risk is to monitor IPv6 traffic, or turn off the protocol if it’s not required in the environment, ESET concluded.

Via BleepingComputer

You might also like

• Chinese hackers hijacked an ISP software update to spread malware
• Take a look at our guide to the best authenticator app
• We've rounded up the best password managers