Hackers Abuse IPv6 Networking Feature to Hijack Software Updates
A China-aligned APT threat actor known as "TheWizards" has been identified by cybersecurity firm ESET for abusing an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates and install Windows malware. This is a growing concern for organizations worldwide, as the attack vector targets individuals, gambling companies, and other entities in several countries.
The TheWizards group has been active since at least 2022, targeting entities in the Philippines, Cambodia, the United Arab Emirates, China, and Hong Kong. The attacks utilize a custom tool dubbed "Spellbinder" by ESET that exploits the IPv6 Stateless Address Autoconfiguration (SLAAC) feature to conduct SLAAC attacks.
SLAAC is a feature of the IPv6 networking protocol that allows devices to automatically configure their own IP addresses and default gateway without needing a DHCP server. Instead, it relies on Router Advertisement (RA) messages from IPv6-capable routers to learn the address prefix, gateway, and DNS servers to use. The Spellbinder tool abuses this feature by sending spoofed RA messages over the local network, causing nearby systems to automatically configure a new IPv6 address, new DNS servers, and a new preferred IPv6 gateway.
The advertised default gateway, however, is the address of the machine running Spellbinder, which allows it to intercept communications and reroute traffic through attacker-controlled servers. "Spellbinder sends a multicast RA packet every 200 ms to ff02::1 ('all nodes'); Windows machines in the network with IPv6 enabled will autoconfigure via stateless address autoconfiguration (SLAAC) using information provided in the RA message, and begin sending IPv6 traffic to the machine running Spellbinder, where packets will be intercepted, analyzed, and replied to where applicable," explains ESET.
The attacks deploy Spellbinder using an archive named AVGApplicationFrameHostS.zip, which extracts into a directory mimicking legitimate software: "%PROGRAMFILES%\AVG Technologies." Within this directory are AVGApplicationFrameHost.exe, wsc.dll, log.dat, and a legitimate copy of winpcap.exe. The WinPcap executable is used to side-load the malicious wsc.dll, which loads Spellbinder into memory.
Once a device is infected, Spellbinder begins capturing and analyzing network traffic attempting to connect to specific domains, such as those related to Chinese software update servers. ESET says the malware monitors for domains belonging to companies like Tencent, Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Youdao, Xiaomi, Xiaomi Miui, PPLive, Meitu, Qihoo 360, and Baofeng. The tool then redirects those requests to download and install malicious updates that deploy a backdoor named "WizardNet."
The WizardNet backdoor gives attackers persistent access to the infected device and allows them to install additional malware as needed. To protect against these types of attacks, organizations can monitor IPv6 traffic or turn off the protocol if it is not required in their environment.
Protecting Against These Attacks
To safeguard your organization's network from this type of attack, it's essential to be vigilant about monitoring IPv6 traffic and taking proactive measures. Here are some steps you can take:
- Monitor IPv6 traffic for suspicious activity.
- Turn off IPv6 if it is not required in your environment.
- Implement strict access controls and regular security audits.
- Keep your software up-to-date with the latest security patches.
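As an added example of the "monitor IPv6 traffic" advice (written for this article, not ESET's or the attacker's code), the script below parses ICMPv6 Router Advertisements per RFC 4861 and flags the two traits described above: RAs from a sender that is not a known router (especially ones pushing DNS servers via the RDNSS option), and RAs sent far faster than a real router's minimum interval. The MAC addresses, prefixes and DNS address are constructed sample values, and the RA builder exists only to create that offline test input.

```python
import ipaddress
import struct
from collections import defaultdict

RA_TYPE, OPT_PREFIX, OPT_RDNSS = 134, 3, 25  # ICMPv6 RA, Prefix Info (RFC 4861), RDNSS (RFC 8106)

def parse_ra(payload):
    """Parse an ICMPv6 Router Advertisement into router lifetime, advertised prefixes and DNS servers."""
    icmp_type, _code, _csum, _hops, _flags, lifetime = struct.unpack("!BBHBBH", payload[:8])
    if icmp_type != RA_TYPE:
        raise ValueError("not an ICMPv6 Router Advertisement")
    ra = {"lifetime": lifetime, "prefixes": [], "dns": []}
    off = 16  # fixed header: 8 bytes, then reachable time (4) and retrans timer (4)
    while off + 8 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1] * 8  # option length is in 8-byte units
        if opt_len == 0:
            raise ValueError("malformed option length")
        body = payload[off + 2:off + opt_len]
        if opt_type == OPT_PREFIX:  # body: prefixlen, flags, valid, preferred, reserved, prefix
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif opt_type == OPT_RDNSS:  # body: reserved(2), lifetime(4), then 16-byte addresses
            ra["dns"] += [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(6, len(body), 16)]
        off += opt_len
    return ra

def detect_rogue_ras(events, known_routers, min_interval=3.0):
    """events: (timestamp, src_mac, icmpv6_payload). Return (mac, reason) alerts for unknown
    senders and for senders beating RFC 4861's 3 s MinRtrAdvInterval (Spellbinder: every 0.2 s)."""
    alerts, seen = [], defaultdict(list)
    for ts, mac, payload in sorted(events, key=lambda e: e[0]):
        ra = parse_ra(payload)
        seen[mac].append(ts)
        if mac not in known_routers and len(seen[mac]) == 1:
            alerts.append((mac, f"RA from unknown router: prefixes={ra['prefixes']} dns={ra['dns']}"))
    for mac, times in seen.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if gaps and min(gaps) < min_interval:
            alerts.append((mac, f"{len(times)} RAs, shortest interval {min(gaps):.2f}s"))
    return alerts

def build_ra(prefix, dns=(), lifetime=1800):
    """Constructed RA payload for offline testing only (checksum left 0, never transmitted)."""
    net = ipaddress.IPv6Network(prefix)
    pkt = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0)
    pkt += struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, 0xC0, 2592000, 604800, 0) + net.network_address.packed
    if dns:  # RDNSS length = 1 + 2 * number of addresses, in 8-byte units
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, lifetime)
        pkt += b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    return pkt

# Constructed sample: the real router advertises every 200 s; a rogue sender advertises every 0.2 s with its own DNS.
KNOWN_ROUTERS = {"aa:bb:cc:00:00:01"}
EVENTS = [(t, "aa:bb:cc:00:00:01", build_ra("2001:db8:1::/64")) for t in (0.0, 200.0)]
EVENTS += [(0.2 * i, "de:ad:be:ef:00:01", build_ra("2001:db8:bad::/64", dns=["2001:db8:bad::53"])) for i in range(5)]
```

Running `detect_rogue_ras(EVENTS, KNOWN_ROUTERS)` on the sample yields two alerts, both for the rogue sender; on a live network the events would come from a capture of ICMPv6 type 134 frames with their source MAC.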
In addition to these measures, it's essential to stay informed about emerging threats and vulnerabilities. By staying vigilant and proactive, you can help protect your organization from the latest attacks like this one.