A China-aligned advanced persistent threat (APT) group, known as "TheWizards," is abusing an IPv6 feature to conduct adversary-in-the-middle (AitM) attacks, intercepting software updates to install Windows malware.
ESET reports that the group has been active since at least 2022, targeting a range of entities in the Philippines, Cambodia, the United Arab Emirates, China, and Hong Kong, with victims including individuals, gambling companies, and other organizations.
The attacks use a custom tool, "Spellbinder," which abuses the IPv6 Stateless Address Autoconfiguration (SLAAC) feature to perform spoofing attacks. SLAAC is a feature of the IPv6 protocol that lets devices configure their own IP addresses and default gateways without a DHCP server. It relies on Router Advertisement (RA) messages, sent by IPv6 routers, to tell hosts which address prefix, gateway, and DNS servers to use.
Spellbinder takes advantage of this feature by sending spoofed RA messages, causing nearby systems to automatically update their IPv6 settings, including the IP address, DNS servers, and preferred gateway. The new gateway, however, points to the attacker’s server, allowing the group to intercept and reroute network traffic through their own infrastructure.
As ESET explains, Spellbinder sends multicast RA packets every 200ms to the address ff02::1 ("all nodes"). Windows machines with IPv6 enabled automatically reconfigure themselves using the details in the RA message, redirecting their traffic to the attacker's server for interception and analysis.
The tool is distributed in an archive named AVGApplicationFrameHostS.zip, which extracts its files to a directory that mimics legitimate software: "%PROGRAMFILES%\AVG Technologies." The directory contains AVGApplicationFrameHost.exe, wsc.dll, log.dat, and a legitimate copy of winpcap.exe. The legitimate executable is used to side-load the malicious wsc.dll, which in turn loads Spellbinder into memory.
Once a device is compromised, Spellbinder monitors network traffic for attempts to connect to specific domains related to Chinese software update servers, such as Tencent, Baidu, Youku, Xiaomi, and others. The malware redirects these requests, enabling the installation of malicious updates that deploy the "WizardNet" backdoor. This backdoor provides persistent access to the infected device, allowing further malware installation as needed.
To protect against these attacks, organizations can monitor IPv6 traffic for unexpected Router Advertisements, or disable IPv6 if it is unnecessary for their network environment.
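One way to turn that monitoring advice into a concrete check, added here as an example that is not the article's or ESET's code: flag RAs from any link-layer source that is not a known router, and flag any source advertising far faster than the 3-second MinRtrAdvInterval floor in RFC 4861, which catches the 200ms cadence described above. The allowlisted MAC, the sample events, and the link-local addresses are constructed.

```python
"""Detect rogue IPv6 Router Advertisements (RAs) in a list of captured RA events.

Constructed example: each event records when an RA was seen, which link-layer
source sent it, and what gateway and DNS server it advertised. Two signals are
raised: an RA from a source not on the known-router allowlist, and RAs from one
source arriving faster than RFC 4861's 3-second minimum advertisement interval.
"""
from dataclasses import dataclass

# Assumption: the only legitimate router on this segment uses this MAC address.
KNOWN_ROUTERS = {"00:11:22:33:44:55"}
MIN_RA_INTERVAL_S = 3.0  # RFC 4861 lower bound for MinRtrAdvInterval


@dataclass
class RAEvent:
    ts: float        # seconds since capture start
    src_mac: str     # link-layer source of the RA frame
    router_ll: str   # advertised default gateway (link-local address)
    rdnss: str       # advertised DNS server, "" if none


def detect_rogue_ra(events):
    """Return sorted (src_mac, reason) findings, one entry per source and reason."""
    findings = {}
    last_seen = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.src_mac not in KNOWN_ROUTERS:
            findings.setdefault(ev.src_mac, set()).add("unknown_router_source")
        prev = last_seen.get(ev.src_mac)
        if prev is not None and ev.ts - prev < MIN_RA_INTERVAL_S:
            findings.setdefault(ev.src_mac, set()).add("ra_flood")
        last_seen[ev.src_mac] = ev.ts
    return sorted((mac, r) for mac, rs in findings.items() for r in sorted(rs))


# Constructed sample: the real router advertises every 200 s; a rogue host sends
# RAs every 0.2 s that point the gateway and DNS at itself.
SAMPLE = [RAEvent(t, "00:11:22:33:44:55", "fe80::1", "fd00::53") for t in (0.0, 200.0)]
SAMPLE += [RAEvent(1.0 + 0.2 * i, "aa:bb:cc:dd:ee:ff", "fe80::bad", "fe80::bad")
           for i in range(5)]

if __name__ == "__main__":
    for mac, reason in detect_rogue_ra(SAMPLE):
        print(f"{mac}: {reason}")
```

On a real network the events would come from an RA-monitoring tool or a packet capture filtered on ICMPv6 type 134; the allowlist is the part that needs site-specific tuning.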
Earlier in January, ESET reported on another hacking group, "Blackwood," which hijacked the WPS Office software update feature to deliver malware.