
TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks


In this blogpost, ESET researchers provide an analysis of Spellbinder, a lateral movement tool for performing adversary-in-the-middle (AitM) attacks, used by the China-aligned threat actor that we have named TheWizards. Spellbinder enables AitM attacks through IPv6 stateless address autoconfiguration (SLAAC) spoofing: the attackers use it to move laterally in the compromised network, intercepting packets and redirecting the traffic of legitimate Chinese software so that it downloads malicious updates from a server controlled by the attackers.

Key points in this blogpost:

  • We discovered a malicious downloader being deployed, by legitimate Chinese software update mechanisms, onto victims’ machines.
  • The downloader seeks to deploy a modular backdoor that we have named WizardNet.
  • We analyzed Spellbinder: the tool the attackers use to conduct local adversary-in-the-middle attacks and to redirect traffic to an attacker-controlled server to deliver the group’s signature backdoor WizardNet.
  • We provide details about links between TheWizards and the Chinese company Dianke Network Security Technology, also ...
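A defender's check for the SLAAC spoofing summarized above: parse ICMPv6 Router Advertisements taken off the wire and flag any that come from an unknown router, advertise an unexpected autonomous (SLAAC) prefix, or push an unexpected RDNSS resolver. This is an added example, not code from ESET or the blogpost; the allowlists and the sample RA bytes are constructed values, and the input is the ICMPv6 message without its IPv6 header (as you would extract it from a capture).

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3   # RFC 4861
OPT_RDNSS = 25               # RFC 8106

def parse_router_advertisement(icmpv6):
    """Parse an ICMPv6 Router Advertisement (bytes after the IPv6 header)."""
    msg_type, _code, _csum, _hops, _flags, lifetime = struct.unpack("!BBHBBH", icmpv6[:8])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": lifetime, "prefixes": [], "rdnss": []}
    off = 16  # 8-byte ICMPv6 header + reachable time (4) + retrans timer (4)
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1] * 8  # length is in 8-octet units
        if opt_len == 0:
            raise ValueError("zero-length option")
        body = icmpv6[off + 2:off + opt_len]
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 32:
            # prefix length, flags, valid/preferred lifetimes, reserved, then the 16-byte prefix
            autonomous = bool(body[1] & 0x40)  # A flag: hosts may form SLAAC addresses from it
            ra["prefixes"].append((f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}", autonomous))
        elif opt_type == OPT_RDNSS:
            addrs = body[6:]  # skip reserved (2) and lifetime (4)
            ra["rdnss"] += [str(ipaddress.IPv6Address(addrs[i:i + 16])) for i in range(0, len(addrs) - 15, 16)]
        off += opt_len
    return ra

def assess_router_advertisement(src, icmpv6, trusted_routers, expected_prefixes, trusted_dns):
    """Findings for an RA seen from link-local source `src`; empty list means it matches the known network."""
    ra = parse_router_advertisement(icmpv6)
    findings = []
    if src not in trusted_routers:
        findings.append(f"RA from unknown router {src}")
    for prefix, autonomous in ra["prefixes"]:
        if autonomous and prefix not in expected_prefixes:
            findings.append(f"unexpected SLAAC prefix {prefix}")
    for dns in ra["rdnss"]:
        if dns not in trusted_dns:
            findings.append(f"unexpected RDNSS server {dns}")
    return findings

def build_sample_ra(prefix, dns):
    """Constructed RA for exercising the detector (not a captured packet; checksum left as zero)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, 64, 0xC0, 2592000, 604800, 0) + ipaddress.IPv6Address(prefix).packed
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1800) + ipaddress.IPv6Address(dns).packed
    return header + pio + rdnss
```

Feed it RAs from a capture on the segment: a legitimate RA from the known router produces no findings, while one from an unexpected link-local source carrying its own prefix and resolver produces three.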

Copyright of this story solely belongs to welivesecurity.com.