Threat Intelligence
IPv6 SLAAC exploited by Chinese APT for AitM attacks

Chinese advanced persistent threat group TheWizards has been conducting adversary-in-the-middle (AitM) intrusions with Spellbinder, a lateral movement tool that spoofs IPv6 stateless address autoconfiguration (SLAAC) to place the attackers' machine in the path of victims' traffic, which lets them intercept connections and swap legitimate software updates for malicious downloads, The Hacker News reports.
Infiltration of targeted networks, including those of gambling entities and individuals in China, Hong Kong, Cambodia, the Philippines, and the United Arab Emirates, was followed by the delivery of a ZIP archive containing a pair of executables, a .dat file, and a DLL file, which together launch Spellbinder, according to an analysis from ESET.
Aside from using the WinPcap library to capture and reply to packets, Spellbinder abuses the IPv6 Neighbor Discovery Protocol (NDP) to hijack Tencent QQ's software update process and trigger the subsequent deployment of the modular WizardNet backdoor.
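The attack works because IPv6 hosts accept any Router Advertisement (RA) they see on the link: a rogue RA can hand out a prefix, make the attacker the default router, and, through the RDNSS option, make the attacker the DNS resolver, so update requests resolve to the attacker's server. Below is an added example of how a passive monitor could flag such rogue RAs. It is not code from ESET's report or from the Spellbinder tool; the packets, addresses, and allowlists are constructed for illustration.

```python
"""Rogue IPv6 Router Advertisement detector (constructed example, not ESET's or Spellbinder's code)."""
import ipaddress
import struct

ICMPV6 = 58
RA_TYPE = 134
OPT_SRC_LLADDR, OPT_PREFIX, OPT_RDNSS = 1, 3, 25

# Assumed site policy: the only router, prefix and resolver that should ever be advertised.
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
KNOWN_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}
KNOWN_DNS = {ipaddress.IPv6Address("2001:db8:1::53")}


def icmpv6_checksum(src: bytes, dst: bytes, payload: bytes) -> int:
    """RFC 4443 checksum: IPv6 pseudo-header (src, dst, length, next header) plus the ICMPv6 message."""
    data = src + dst + struct.pack("!IxxxB", len(payload), ICMPV6) + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src_ip: str, prefix: str, dns: str, lladdr: str) -> bytes:
    """Build a raw IPv6 + ICMPv6 Router Advertisement to ff02::1 (used here only to construct samples)."""
    src = ipaddress.IPv6Address(src_ip).packed
    dst = ipaddress.IPv6Address("ff02::1").packed  # all-nodes multicast: every host on the link listens
    net = ipaddress.IPv6Network(prefix)
    opts = struct.pack("!BB6s", OPT_SRC_LLADDR, 1, bytes.fromhex(lladdr.replace(":", "")))
    # Prefix Information (type 3): L and A flags set, so hosts autoconfigure an address from this prefix.
    opts += struct.pack("!BBBBIII16s", OPT_PREFIX, 4, net.prefixlen, 0xC0,
                        2592000, 604800, 0, net.network_address.packed)
    # RDNSS (type 25, RFC 8106): hosts adopt this address as their DNS resolver.
    opts += struct.pack("!BBHI16s", OPT_RDNSS, 3, 0, 1800, ipaddress.IPv6Address(dns).packed)
    # RA header: type, code, checksum (filled below), cur hop limit, flags, router lifetime, reachable, retrans.
    body = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0) + opts
    body = body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(body), ICMPV6, 255, src, dst)
    return hdr + body


def parse_ra(pkt: bytes):
    """Return the router, prefixes, resolvers and link-layer address an RA advertises, or None if invalid."""
    if len(pkt) < 56:  # 40-byte IPv6 header + 16-byte RA header
        return None
    _, plen, nh, hlim, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    body = pkt[40:40 + plen]
    if nh != ICMPV6 or len(body) < 16 or body[0] != RA_TYPE:
        return None
    # RFC 4861 6.1.2: an RA must arrive with hop limit 255 (never forwarded) and a valid checksum;
    # verifying over a body that already contains its checksum yields 0 when it is intact.
    if hlim != 255 or icmpv6_checksum(src, dst, body) != 0:
        return None
    info = {"src": ipaddress.IPv6Address(src), "prefixes": [], "dns": [], "lladdr": None}
    off = 16
    while off + 2 <= len(body):
        otype, olen = body[off], body[off + 1]
        opt = body[off:off + olen * 8]
        if olen == 0 or len(opt) != olen * 8:
            return None  # zero-length or truncated option: discard the whole RA
        if otype == OPT_PREFIX and olen == 4:
            pfx_len, _flags, _valid, _pref, _res, pfx = struct.unpack("!BBIII16s", opt[2:])
            info["prefixes"].append(ipaddress.IPv6Network((pfx, pfx_len)))
        elif otype == OPT_RDNSS and olen >= 3:
            for i in range(8, olen * 8, 16):
                info["dns"].append(ipaddress.IPv6Address(opt[i:i + 16]))
        elif otype == OPT_SRC_LLADDR and olen == 1:
            info["lladdr"] = opt[2:8].hex(":")
        off += olen * 8
    return info


def classify_ra(pkt: bytes) -> list:
    """Return the reasons an RA violates policy; an empty list means it matches the known router."""
    ra = parse_ra(pkt)
    if ra is None:
        return ["not a well-formed on-link Router Advertisement"]
    reasons = []
    if ra["src"] not in KNOWN_ROUTERS:
        reasons.append("unexpected router %s" % ra["src"])
    for p in ra["prefixes"]:
        if p not in KNOWN_PREFIXES:
            reasons.append("unexpected prefix %s" % p)
    for d in ra["dns"]:
        if d not in KNOWN_DNS:
            reasons.append("unexpected RDNSS resolver %s" % d)
    return reasons


# Constructed samples: the real gateway, and a rogue RA that points clients at an attacker-controlled resolver.
LEGIT_RA = build_ra("fe80::1", "2001:db8:1::/64", "2001:db8:1::53", "00:11:22:33:44:55")
ROGUE_RA = build_ra("fe80::d00d", "2001:db8:bad::/64", "2001:db8:bad::1", "de:ad:be:ef:00:01")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_RA), ("rogue", ROGUE_RA)):
        print(name, classify_ra(pkt) or "ok")
```

In practice the packets would come from a capture on the monitored segment rather than from `build_ra`. Detection like this is a backstop only: the preventive control is RA Guard (RFC 6105) on access switches, which drops RAs arriving on ports where no router should be, so a host running a tool like Spellbinder cannot reach the other hosts on the link in the first place.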
TheWizards has also used the DarkNights tool, also known as DarkNimbus and previously linked to the Earth Minotaur group, which was reported to have been supplied by Sichuan Dianke Network Security Technology, a contractor for China's Ministry of Public Security.