TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks

TheWizards, a China-aligned threat group, uses Spellbinder to perform IPv6 adversary-in-the-middle attacks, hijacking legitimate Chinese software updates to deploy its WizardNet backdoor. The campaign targets entities across Asia and beyond using sophisticated network spoofing techniques. (Affected: software update systems, Chinese software users, enterprises in Asia)

Key points:

  • TheWizards APT uses Spellbinder, an IPv6 SLAAC spoofing tool, to intercept and redirect network traffic.
  • Spellbinder tricks legitimate Chinese software update mechanisms into downloading malware from attacker-controlled servers.
  • The injected malware includes a modular backdoor called WizardNet, capable of executing .NET modules in-memory.
  • The attack is delivered through popular Chinese applications such as Tencent QQ and Sogou Pinyin by hijacking their update mechanisms.
  • Attackers abuse legitimate AVG software components for side-loading and loading malicious shellcode.
  • WizardNet employs multiple evasive techniques, including AMSI bypass, event logging disabling, and encrypted communication channels.
  • The group targets individuals, gambling firms, and unknown entities in the Philippines, Cambodia, UAE, China, and Hong Kong.
  • Connections were found between TheWizards and the Chinese company Sichuan Dianke Network Security Technology (UPSEC).
  • WizardNet uses AES-encrypted and PKCS7-padded TCP/UDP communication to control infected hosts and execute commands.
  • The malware checks for security software presence and uses techniques like process injection and registry storage for persistence.
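SLAAC spoofing works by sending rogue ICMPv6 Router Advertisements: a host that accepts one will take the attacker's prefix, default route and, through the RDNSS option, the attacker's DNS server, which is the position from which update traffic can be redirected. From the defender's side, the useful check is to parse the RAs seen on a segment and compare them with the known-good router and resolver. The following is an added example, not code from the ESET article or from the group's tooling; the router MAC, prefix and resolver address are assumed values for a hypothetical segment, and both packets are constructed inline as test data.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# ICMPv6 type and option codes from RFC 4861 (RA, SLLA, prefix) and RFC 8106 (RDNSS).
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3
OPT_RDNSS = 25


@dataclass
class RouterAdvertisement:
    router_lifetime: int
    source_mac: Optional[str] = None
    # (advertised prefix, A flag: hosts may autoconfigure an address from it)
    prefixes: List[Tuple[ipaddress.IPv6Network, bool]] = field(default_factory=list)
    dns_servers: List[ipaddress.IPv6Address] = field(default_factory=list)


def parse_router_advertisement(payload: bytes) -> RouterAdvertisement:
    """Parse an ICMPv6 Router Advertisement body (the bytes after the IPv6 header)."""
    if len(payload) < 16:
        raise ValueError("too short for a Router Advertisement")
    msg_type, code, _cksum, _hops, _flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = RouterAdvertisement(router_lifetime=lifetime)
    offset = 16
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:  # RFC 4861: a zero-length option invalidates the whole message
            raise ValueError("option with zero length")
        size = opt_len * 8
        body = payload[offset + 2:offset + size]
        if len(body) != size - 2:
            raise ValueError("truncated option")
        if opt_type == OPT_SOURCE_LINK_LAYER and opt_len == 1:
            ra.source_mac = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            # body: prefix length, flags, valid/preferred lifetimes, reserved, 16-byte prefix
            prefix = ipaddress.IPv6Address(body[14:30])
            net = ipaddress.IPv6Network((prefix, body[0]), strict=False)
            ra.prefixes.append((net, bool(body[1] & 0x40)))
        elif opt_type == OPT_RDNSS and opt_len >= 3 and opt_len % 2 == 1:
            # body: reserved(2), lifetime(4), then one or more 16-byte resolver addresses
            for i in range(6, len(body), 16):
                ra.dns_servers.append(ipaddress.IPv6Address(body[i:i + 16]))
        offset += size
    return ra


def evaluate_ra(ra: RouterAdvertisement, trusted_router_macs: Set[str],
                trusted_dns: Set[ipaddress.IPv6Address],
                expected_prefixes: Set[ipaddress.IPv6Network]) -> List[str]:
    """Compare a parsed RA against the segment's known-good router, prefix and resolver."""
    findings = []
    if ra.source_mac is None:
        findings.append("RA without source link-layer option")
    elif ra.source_mac not in trusted_router_macs:
        findings.append(f"RA from unknown router MAC {ra.source_mac}")
    for net, autonomous in ra.prefixes:
        if autonomous and net not in expected_prefixes:
            findings.append(f"unexpected autoconfiguration prefix {net}")
    for dns in ra.dns_servers:
        if dns not in trusted_dns:
            findings.append(f"RDNSS steers clients to unapproved DNS server {dns}")
    return findings


# --- constructed sample packets: in-memory test data, nothing is sent ---
def _opt_slla(mac: str) -> bytes:
    return bytes([OPT_SOURCE_LINK_LAYER, 1]) + bytes.fromhex(mac.replace(":", ""))

def _opt_prefix(net: ipaddress.IPv6Network) -> bytes:
    # L and A flags set; 30-day valid / 7-day preferred lifetimes; reserved field
    return (bytes([OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0])
            + struct.pack("!III", 2592000, 604800, 0) + net.network_address.packed)

def _opt_rdnss(addrs: List[ipaddress.IPv6Address], lifetime: int = 1800) -> bytes:
    return (bytes([OPT_RDNSS, 1 + 2 * len(addrs)]) + b"\x00\x00"
            + struct.pack("!I", lifetime) + b"".join(a.packed for a in addrs))

def _ra(options: List[bytes]) -> bytes:
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return header + b"".join(options)

TRUSTED_ROUTER_MACS = {"00:11:22:33:44:55"}                      # assumed segment router
TRUSTED_DNS = {ipaddress.IPv6Address("2001:db8:1::53")}          # assumed resolver
EXPECTED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}  # assumed LAN prefix

LEGIT_RA = _ra([_opt_slla("00:11:22:33:44:55"),
                _opt_prefix(ipaddress.IPv6Network("2001:db8:1::/64")),
                _opt_rdnss([ipaddress.IPv6Address("2001:db8:1::53")])])
ROGUE_RA = _ra([_opt_slla("aa:bb:cc:dd:ee:ff"),
                _opt_prefix(ipaddress.IPv6Network("2001:db8:ffff::/64")),
                _opt_rdnss([ipaddress.IPv6Address("2001:db8:ffff::1")])])


def audit(payload: bytes) -> List[str]:
    """Return the list of findings for one RA body; an empty list means it matches policy."""
    return evaluate_ra(parse_router_advertisement(payload),
                       TRUSTED_ROUTER_MACS, TRUSTED_DNS, EXPECTED_PREFIXES)
```

`audit(LEGIT_RA)` returns an empty list, while `audit(ROGUE_RA)` reports the unknown router MAC, the foreign autoconfiguration prefix and the unapproved RDNSS resolver. In production the payloads would come from a capture on the segment (ICMPv6 type 134 frames), and any finding is a reason to check the switch's RA Guard configuration and which port the advertising MAC was learned on.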

MITRE Techniques:

  • Acquire Infrastructure: Domains (T1583.001) – Domains such as hao[.]com and ssl-dns[.]com are used to support operations.
  • Acquire Infrastructure: Server (T1583.004) – TheWizards uses attacker-controlled servers for C2 and for serving malicious updates.
  • Develop Capabilities: Malware (T1587.001) – Development and use of custom tools like Spellbinder and WizardNet.
  • Obtain Capabilities: Tool (T1588.002) – WinPcap is installed on compromised machines to enable packet capture and spoofing.
  • Content Injection (T1659) – Spellbinder hijacks DNS queries to inject attacker-controlled IP responses.
  • Command and Scripting Interpreter: Windows Command Shell (T1059.003) – Use cmd.exe to execute payloads and tools.
  • Native API (T1106) – WizardNet uses CreateProcessA to launch and inject into system processes.
  • Process Injection (T1055) – Injects shellcode into explorer.exe and other processes to evade detection.
  • Execution Guardrails: Mutual Exclusion (T1480.002) – Creates a mutex to prevent multiple instances of the backdoor from running.
  • Modify Registry (T1112) – Encrypted shellcode is stored in registry keys for stealthy persistence.
  • Obfuscated Files or Information (multiple sub-techniques: T1027.007, T1027.009, T1027.014) – Uses dynamic API resolution, embedded encrypted payloads, and polymorphic code.
  • Process Injection: Asynchronous Procedure Call (T1055.004) – Uses QueueUserAPC to execute injected code asynchronously.
  • Software Discovery: Security Software Discovery (T1518.001) – Checks for security products by scanning running processes.
  • System Information Discovery (T1082) – Collects system details like computer name and OS version.
  • System Time Discovery (T1124) – Gathers system uptime and time metadata.
  • Ingress Tool Transfer (T1105) – Downloads and loads additional modules from the C2 server.
  • Non-Application Layer Protocol (T1095) – Uses TCP and UDP protocols to communicate with C2.
  • Encrypted Channel: Symmetric Cryptography (T1573.001) – Encrypts C2 communication with AES using SessionKey.

Indicators of Compromise:

  • The article includes IP addresses of attacker-controlled servers used for C2 and serving malicious updates, such as 43.155.62[.]54 and 43.155.116[.]7.
  • It provides SHA-1 hashes of multiple malware components, including minibrowser_shell.dll (downloader), Client.exe (WizardNet backdoor), wsc.dll, and shellcode files like log.dat.
  • Domains hijacked in DNS queries include update.browser.qq.com and hao[.]com, facilitating domain fronting and update hijacking.
  • Android malware DarkNights (APK components and classes.dex) linked to the group was also identified, with hashes of the samples provided.
  • Indicators include filenames, mutex names derived from MD5 hashes of computer names, and specific registry paths used by WizardNet.


Read more: https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/