Chinese Hackers Exploit IPv6 Network Features to Hack Software Updates

China-linked group attacks

ESET discovered both SpellBinder and WizardNet, tools used by Chinese hackers. A China-based APT group, “The Wizards,” has been linked to a lateral movement tool, Spellbinder, which allows adversary-in-the-middle (AitM) attacks.  It does so via IPv6 stateless address autoconfiguration (SLAAC) spoofing, to roam laterally in the compromised network, blocking packets and redirecting the traffic of legal Chinese software to download malicious updates from a server controlled by threat actors, ESET researchers said to The Hacker News. 

About malware WizardNet

The attack creates a path for a malicious downloader which is delivered by hacking the software update mechanism linked with Sogou Pinyin. Later, the downloader imitates a conduit to deploy a modular backdoor called WizardNet. 

In the past, Chinese hackers have abused Sogou Pinyin’s software update process to install malware. Last year, ESET reported a hacking group called Blackwood that delivered an implant called NSPX30 by abusing the update process of the Chinese input method software app. 

This year, the Slovak cybersecurity company found another threat actor called PlushDaemon that exploited the same process to deploy a custom downloader called LittleDaemon. 

The scale of the attack

The Wizards APT has targeted both individuals and the gambling industry in Hong Kong, Mainland China, Cambodia, the United Arab Emirates, and the Phillippines. 

Findings highlight that the Spellbinder IPv6 AitM tool has been active since 2022. A successful attack is followed by the delivery of a ZIP archive which includes four separate files. 

After this, the threat actors install “wincap.exe” and perform "AVGApplicationFrameHost.exe," to sideload the DLL. The DLL file then reads shellcode from “log.dat” and runs it in memory, resulting in the launch of Spellbinder. 

Not the first time

In a 2024 attack incident, the hackers utilized this technique to hack the software update process for Tencent QQ at the DNS level to help a trojanized version deploy WizardNet; a modular backdoor that can receive and run .NET payloads on the victim host. Spellbinder does this by blocking the DNS query for the software update domain ("update.browser.qq[.]com") and releasing a DNS response 

“The list of targeted domains belongs to several popular Chinese platforms, such as Tencent, Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Yuodao, Xiaomi and Xioami's Miui, PPLive, Meitu, Quihoo 360, and Baofeng,” reports The Hacker News.