
Spellbinder: Hackers use IPv6 networking to hijack software updates

A Chinese-backed APT group that ESET tracks as "TheWizards" has been carrying out adversary-in-the-middle (AitM) attacks that abuse IPv6 networking to hijack the update traffic of legitimate software and deliver Windows malware.

According to ESET, the group has been active since at least 2022, targeting organizations in the Philippines, Cambodia, China, and Hong Kong. Victims include individuals, gambling companies, and other organizations.

The attacks rely on a custom tool that ESET has named "Spellbinder", which abuses IPv6 Stateless Address Autoconfiguration (SLAAC) to put the attackers' machine in the path of the victim's traffic.

SLAAC is the IPv6 mechanism that lets hosts configure their own addresses and default gateway without a DHCP server. Routers periodically send (and hosts can solicit) ICMPv6 Router Advertisement (RA) messages; a host derives its own address from the prefix an RA carries, takes the RA's sender as a default gateway, and can also learn DNS servers from the RA's RDNSS option (RFC 8106). Because any node on the link can send an RA and hosts accept them by default, the mechanism is trivially spoofable on a LAN.

Spellbinder abuses this by sending spoofed RA messages onto the local network, so nearby hosts automatically configure a new IPv6 address, new DNS servers, and a new, preferred IPv6 default gateway. That gateway is the address of the machine running Spellbinder, which lets the attackers intercept the victims' traffic and redirect it to servers they control.

  1. Spellbinder sends an ICMPv6 RA message to all nodes on the local network (the all-nodes multicast address ff02::1).
  2. Machines that are both IPv4- and IPv6-capable receive the message and autoconfigure via SLAAC, adopting the attacker's host as gateway and DNS server.
  3. The victim machine sends its DNS queries over IPv6 to the machine running Spellbinder.
  4. Spellbinder replies with the IPv4 address of a malicious server controlled by the attackers.
  5. Software on the victim machine sends an HTTP request over IPv4 to the malicious server, asking for updates.
  6. The malicious server replies with a malicious payload instead of the legitimate update.
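To make the first two steps concrete, here is an added example (not code from ESET's report or from Spellbinder itself) that builds an RA carrying the fields the text describes, parses it the way a SLAAC client would, and flags RAs that do not match a known router on the segment. The trusted-router inventory, the MAC addresses and both sample packets are constructed for the demo; the byte layout follows RFC 4861 (RA header, source link-layer and prefix options), RFC 4191 (router preference) and RFC 8106 (RDNSS), and only the Python standard library is used.

```python
"""Build, parse and triage ICMPv6 Router Advertisements (added example, not ESET/Spellbinder code)."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134      # ICMPv6 type (RFC 4861 section 4.2)
OPT_SOURCE_LLADDR = 1       # option types (RFC 4861 section 4.6, RFC 8106 section 5.1)
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25


def build_ra(src_mac, prefix, prefix_len, dns_servers, router_lifetime=1800, prf=0b00):
    """Return the ICMPv6 payload of an RA (checksum left at 0; the kernel fills it on send)."""
    flags = (prf & 0x3) << 3                  # M=O=0; Prf sits in bits 4:3 (RFC 4191 section 2.2)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    # Source link-layer address option: 8 bytes, tells hosts which MAC the gateway has
    opts = struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + bytes.fromhex(src_mac.replace(":", ""))
    net = ipaddress.IPv6Network(f"{prefix}/{prefix_len}")
    # Prefix option with L=1 (on-link) and A=1 (autonomous): this makes hosts self-assign an address
    opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, 0xC0,
                        2592000, 604800, 0) + net.network_address.packed
    if dns_servers:
        # RDNSS option: length is in 8-byte units, 1 for the header plus 2 per 16-byte address
        opts += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, 1800)
        for server in dns_servers:
            opts += ipaddress.IPv6Address(server).packed
    return hdr + opts


def parse_ra(payload):
    """Decode the fields a SLAAC client acts on: gateway MAC, prefixes, DNS servers, preference."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"hop_limit": hop_limit, "router_lifetime": lifetime,
          "prf": (flags >> 3) & 0x3, "src_mac": None, "prefixes": [], "dns": []}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0 or off + olen * 8 > len(payload):
            raise ValueError("malformed option")  # RFC 4861: zero-length options must be discarded
        body = payload[off + 2:off + olen * 8]
        if otype == OPT_SOURCE_LLADDR:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO:
            plen = body[0]                                    # prefix bytes start after 14 bytes of fields
            pfx = int.from_bytes(body[14:30], "big")
            ra["prefixes"].append(str(ipaddress.IPv6Network((pfx, plen), strict=False)))
        elif otype == OPT_RDNSS:
            for i in range(6, len(body) - 15, 16):            # addresses follow reserved(2) + lifetime(4)
                ra["dns"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen * 8                                       # unknown options are skipped, per RFC 4861
    return ra


def triage_ra(ra, trusted_macs, trusted_prefixes, trusted_dns):
    """Return the reasons an RA looks rogue; an empty list means it matches the known router(s)."""
    findings = []
    if ra["src_mac"] not in trusted_macs:
        findings.append(f"RA from unknown router MAC {ra['src_mac']}")
    for p in ra["prefixes"]:
        if p not in trusted_prefixes:
            findings.append(f"unexpected on-link prefix {p}")
    for d in ra["dns"]:
        if d not in trusted_dns:
            findings.append(f"RDNSS points clients at untrusted resolver {d}")
    if ra["prf"] == 0b01:
        findings.append("router preference High: would be chosen over the existing gateway")
    return findings


# Constructed inventory of the one legitimate router on this segment (demo assumption)
TRUSTED_MACS = {"00:11:22:33:44:55"}
TRUSTED_PREFIXES = {"2001:db8:1::/64"}
TRUSTED_DNS = {"2001:db8:1::53"}

# Constructed sample packets: the real router's RA, and a rogue RA in the style the text describes
# (new prefix, attacker-run resolver on the link, High preference so it wins as default gateway)
LEGIT_RA = build_ra("00:11:22:33:44:55", "2001:db8:1::", 64, ["2001:db8:1::53"])
ROGUE_RA = build_ra("de:ad:be:ef:00:01", "2001:db8:bad::", 64, ["fe80::dead:beef"], prf=0b01)

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_RA), ("rogue", ROGUE_RA)):
        decoded = parse_ra(pkt)
        print(name, decoded, triage_ra(decoded, TRUSTED_MACS, TRUSTED_PREFIXES, TRUSTED_DNS))
```

Running the file decodes both packets and flags only the rogue one. On a real network the same parse_ra/triage_ra pair would be fed from a packet capture filtered on ICMPv6 type 134, with the trusted sets taken from the switch and router inventory. For prevention rather than detection, RA Guard (RFC 6105) on access switches drops RAs arriving on non-router ports, and on Windows hosts that have no need for IPv6 router discovery it can be disabled per interface with `netsh interface ipv6 set interface "<name>" routerdiscovery=disabled`.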