- The Chinese threat actor TheWizards has been observed carrying out SLAAC attacks since 2022
- The attack delivers tainted software updates
- Most of the victims are in China, Hong Kong, the Philippines and the UAE
A threat actor called TheWizards has been launching SLAAC spoofing attacks against organizations, cybersecurity researchers at ESET have revealed, noting that the group is aligned with the Chinese government.
In the campaign, the attackers use a tool called Spellbinder to send spoofed Router Advertisement (RA) messages to their targets.
These messages trick devices into believing that the attacker's system is the legitimate router, so that they route all of their internet traffic through the attacker's machine. Because the method abuses the IPv6 Stateless Address Autoconfiguration (SLAAC) process, the attack has been nicknamed "SLAAC spoofing".
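As an added example (not part of the original article or of ESET's tooling), the following Python builds a constructed IPv6 Router Advertisement and inspects it the way a defender monitoring IPv6 traffic might: any RA whose link-local source is not on an allowlist of known routers is flagged, and any DNS servers it advertises (RDNSS option) are extracted for review. The allowlist and addresses are constructed values.

```python
import ipaddress
import struct

# Constructed allowlist of legitimate router link-local addresses on this segment.
TRUSTED_ROUTERS = {"fe80::1"}

def build_ra(src_ll, rdnss=None):
    """Construct an IPv6 packet carrying an ICMPv6 Router Advertisement (type 134).
    Checksum is left at 0 since this is a test fixture, not live traffic."""
    # RA header: type, code, checksum, cur hop limit, flags, router lifetime,
    # reachable time, retrans timer (16 bytes total).
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    if rdnss:
        # RDNSS option (type 25): length is in 8-byte units, 1 + 2 per address.
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        icmp += struct.pack("!BBHI", 25, 1 + 2 * len(rdnss), 0, 3600) + addrs
    # IPv6 header: version 6, payload length, next header 58 (ICMPv6), hop limit 255.
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    hdr += ipaddress.IPv6Address(src_ll).packed
    hdr += ipaddress.IPv6Address("ff02::1").packed  # all-nodes multicast
    return hdr + icmp

def inspect_ra(pkt):
    """Return a finding dict for an RA from an untrusted router, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6 or pkt[6] != 58:
        return None  # not IPv6 or not ICMPv6
    src = str(ipaddress.IPv6Address(pkt[8:24]))
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    icmp = pkt[40:40 + payload_len]
    if len(icmp) < 16 or icmp[0] != 134:
        return None  # not a Router Advertisement
    dns = []
    i = 16  # options start after the fixed RA header
    while i + 8 <= len(icmp):
        opt_type, opt_len = icmp[i], icmp[i + 1] * 8
        if opt_len == 0:
            break  # malformed option; stop parsing
        if opt_type == 25:
            body = icmp[i + 8:i + opt_len]
            dns += [str(ipaddress.IPv6Address(body[j:j + 16]))
                    for j in range(0, len(body) - 15, 16)]
        i += opt_len
    if src in TRUSTED_ROUTERS:
        return None
    return {"src": src, "rdnss": dns}
```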
Active at the time of writing
Once TheWizards control the traffic, they use Spellbinder to intercept DNS requests for legitimate software updates and redirect them.
As a result, victims end up downloading trojanized versions of software updates containing the WizardNet backdoor.
This malware, ESET also explained, grants TheWizards remote access to victims' devices. It communicates over encrypted TCP or UDP sockets and uses a session key derived from system identifiers for AES encryption.
Besides loading and executing .NET modules in memory, WizardNet can exfiltrate system data, list running processes and maintain persistence.
The campaign has been running since at least 2022, ESET added, mainly targeting individuals and businesses in China, Hong Kong, Cambodia, the Philippines and the UAE.
The attackers are apparently still pushing a fake Tencent update: "The malicious server that issues update instructions was still active at the time of writing," ESET said. Most corporate victims appear to be in the gambling sector.
ESET also said that Spellbinder monitors domains belonging not only to Tencent but also to Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Youdao, Xiaomi, Xiaomi MIUI, PPLive, Meitu, Qihoo 360 and Baofeng.
The best way to mitigate the risk is to monitor IPv6 traffic or disable the protocol if it is not needed in the environment, ESET concluded.
Via BleepingComputer