Hackers Use IPv6 SLAAC to Hijack Software Updates with Spellbinder Malware

Team Passionategeekz

Cybersecurity firm ESET has disclosed a new campaign by the hacking group TheWizards that abuses IPv6 to hijack software updates and install malicious software on Windows machines. The group uses a custom tool called Spellbinder to mount an adversary-in-the-middle (AitM) attack by abusing IPv6 Stateless Address Autoconfiguration (SLAAC).

With SLAAC there is no DHCP server handing out leases: routers announce themselves and the on-link prefix in ICMPv6 Router Advertisement messages, each host derives its own address from the advertised prefix, and it takes the advertising router as its default gateway. Nothing authenticates those advertisements, so any machine on the same network segment can send them. Spellbinder does exactly that, sending spoofed router advertisements to hosts on the link so they adopt the attacker-controlled machine's IPv6 address as their default gateway. That places the attacker in the path of their traffic and lets the group monitor and redirect it.
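The router-advertisement abuse described above, as an added example that is not part of the original article and is not ESET's or Spellbinder's code: a small Python builder and parser for ICMPv6 Router Advertisements (RFC 4861, with the RDNSS option from RFC 8106), plus a check that flags an advertisement from a source other than the known router as SLAAC spoofing. All addresses, MACs and the trusted-router table are constructed for the example, and the function names are my own.

```python
import ipaddress
import struct

# ICMPv6 / NDP constants from RFC 4861 and RFC 8106.
ICMPV6_ROUTER_ADVERT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25
NEXT_HEADER_ICMPV6 = 58


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data (odd lengths are zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmpv6_checksum(src_ip: str, dst_ip: str, icmp: bytes) -> int:
    """Checksum over the IPv6 pseudo-header plus the ICMPv6 message.
    Returns 0 when run over a message whose checksum field is already correct."""
    pseudo = (ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed
              + struct.pack("!I3xB", len(icmp), NEXT_HEADER_ICMPV6))
    return internet_checksum(pseudo + icmp)


def build_ra(src_ip, dst_ip, src_mac, prefix, dns_servers=(), router_lifetime=1800):
    """Build an ICMPv6 Router Advertisement: RA header, Source Link-Layer Address
    option, Prefix Information option (L=1, A=1 so hosts autoconfigure from it) and,
    if dns_servers is given, an RDNSS option. A non-zero router lifetime is what makes
    receivers install the sender as a default gateway."""
    net = ipaddress.IPv6Network(prefix)
    opts = struct.pack("!BB6s", OPT_SOURCE_LLADDR, 1, bytes.fromhex(src_mac.replace(":", "")))
    opts += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                        2592000, 604800, 0, net.network_address.packed)
    if dns_servers:
        opts += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, router_lifetime)
        opts += b"".join(ipaddress.IPv6Address(d).packed for d in dns_servers)
    # Header: type, code, checksum (0 for now), cur hop limit, M/O flags,
    # router lifetime, reachable time, retrans timer.
    msg = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0) + opts
    csum = icmpv6_checksum(src_ip, dst_ip, msg)
    return msg[:2] + struct.pack("!H", csum) + msg[4:]


def parse_ra(icmp: bytes) -> dict:
    """Decode an RA into the fields a SLAAC-spoofing detector cares about."""
    typ, _code, _csum, _hlim, _flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", icmp[:16])
    if typ != ICMPV6_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": lifetime, "src_mac": None, "prefixes": [], "dns": []}
    off = 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:  # RFC 4861 4.6: a zero-length option means the packet must be discarded
            raise ValueError("zero-length NDP option")
        body = icmp[off + 2: off + olen * 8]
        if otype == OPT_SOURCE_LLADDR:
            ra["src_mac"] = ":".join("%02x" % b for b in body[:6])
        elif otype == OPT_PREFIX_INFO:
            autonomous = bool(body[1] & 0x40)  # A flag: hosts may SLAAC from this prefix
            ra["prefixes"].append(("%s/%d" % (ipaddress.IPv6Address(body[14:30]), body[0]), autonomous))
        elif otype == OPT_RDNSS:
            ra["dns"] += [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(6, len(body), 16)]
        off += olen * 8
    return ra


def classify_ra(src_ip: str, icmp: bytes, trusted_routers: dict) -> list:
    """Return findings for one captured RA. trusted_routers maps each legitimate
    router's link-local source address to its MAC; anything else announcing itself
    as a default gateway, a DNS server or a SLAAC prefix is treated as spoofing."""
    findings = []
    ra = parse_ra(icmp)
    if not ipaddress.IPv6Address(src_ip).is_link_local:
        findings.append("RA source %s is not link-local (RFC 4861 requires it)" % src_ip)
    expected_mac = trusted_routers.get(src_ip)
    if expected_mac is None:
        if ra["router_lifetime"] > 0:
            findings.append("unknown router %s advertises itself as default gateway" % src_ip)
        if ra["dns"]:
            findings.append("unknown router %s pushes DNS servers %s" % (src_ip, ", ".join(ra["dns"])))
        for prefix, autonomous in ra["prefixes"]:
            if autonomous:
                findings.append("unknown router %s offers SLAAC prefix %s" % (src_ip, prefix))
    elif ra["src_mac"] and ra["src_mac"] != expected_mac:
        findings.append("RA from %s carries MAC %s, expected %s" % (src_ip, ra["src_mac"], expected_mac))
    return findings


def demo() -> dict:
    """Constructed sample (not real capture data): a legitimate RA from the known
    router and a spoofed one from a second host on the link that also pushes
    itself as DNS server, as a SLAAC-spoofing tool would."""
    trusted = {"fe80::1": "00:11:22:33:44:55"}
    good = build_ra("fe80::1", "ff02::1", "00:11:22:33:44:55", "2001:db8:1::/64",
                    dns_servers=["2001:db8:1::53"])
    rogue = build_ra("fe80::dead:beef", "ff02::1", "de:ad:be:ef:00:01", "fd00:bad::/64",
                     dns_servers=["fe80::dead:beef"])
    return {"good": classify_ra("fe80::1", good, trusted),
            "rogue": classify_ra("fe80::dead:beef", rogue, trusted)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```

In practice you would feed classify_ra the source address and ICMPv6 payload of every RA seen in a capture on the segment. The network-side fix is RA Guard (RFC 6105) on access switch ports, which drops router advertisements from ports that are not the router's; on hosts that do not need IPv6, disabling it removes the attack surface entirely, and on Windows `Get-NetRoute -AddressFamily IPv6 -DestinationPrefix ::/0` shows which next hops are currently installed as default gateways.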

Spellbinder is delivered in a ZIP archive named “AVGApplicationFrameHostS.zip”, whose contents are dropped into a directory named to look like part of AVG antivirus. The package relies on DLL side-loading: a legitimate AVG executable loads a malicious wsc.dll, which in turn loads Spellbinder into memory. It also ships winpcap.exe, the legitimate WinPcap installer, which provides the raw packet capture and injection the tool needs to craft router advertisements and intercept traffic.

Once running, Spellbinder watches for traffic to the update servers of popular Chinese applications, including those from Tencent, Baidu, Youku, Xiaomi, iQIYI, 360 and Meitu. When it sees an update request it can influence, it redirects the client to attacker infrastructure, which serves a trojanized update that installs a backdoor called WizardNet, giving the group persistent control of the host and a foothold for further intrusions.
