TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks
ESET researchers publish an analysis of Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks. We discovered a malicious downloader being deployed, by legitimate Chinese software update mechanisms, onto victims’ machines. The downloader seeks to deploy a modular backdoor that we have named WizardNet. We analyzed Spellbinder: the tool the attackers use to conduct local adversary-in-the-middle attacks and to redirect traffic to an attacker-controlled server to deliver the group’s signature backdoor WizardNet. We provide details about links between TheWizards and the Chinese company Dianke Network Security Technology, also known as UPSEC.
·welivesecurity.com·