SecurityWeek
Chinese APT’s Adversary-in-the-Middle Tool Dissected

ESET has analyzed Spellbinder, the IPv6 SLAAC spoofing tool Chinese APT TheWizards uses to deploy its WizardNet backdoor.

Cybersecurity firm ESET has dissected a tool used by a Chinese APT tracked as TheWizards to conduct adversary-in-the-middle (AitM) attacks and deploy a backdoor.

The tool, dubbed Spellbinder, enables AitM attacks and lateral movement in the compromised network. It relies on IPv6 stateless address auto-configuration (SLAAC) spoofing, intercepting packets and redirecting the traffic of various Chinese applications in order to download malicious updates from a server controlled by the attackers.
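SLAAC spoofing of this kind works by answering hosts on the local link with forged IPv6 Router Advertisements (RAs), so that victims adopt an attacker-controlled prefix or DNS server. As an added defensive example (not code from the article or from ESET), the Python below parses raw Ethernet/IPv6/ICMPv6 frames, extracts the Prefix Information and RDNSS options from each RA, and flags any RA whose source MAC is not in an assumed allowlist of legitimate gateways; the allowlist and the two sample frames are constructed for the demonstration.

```python
"""Flag IPv6 Router Advertisements (ICMPv6 type 134) that do not come from a known gateway."""
import ipaddress
import struct

ICMPV6, ROUTER_ADVERTISEMENT, OPT_PREFIX_INFO, OPT_RDNSS = 58, 134, 3, 25

def parse_router_advertisement(frame: bytes):
    """Parse an Ethernet/IPv6/ICMPv6 frame; return RA details, or None if it is not an RA."""
    if len(frame) < 70 or frame[12:14] != b"\x86\xdd" or frame[20] != ICMPV6:
        return None
    icmp = frame[54:]  # ICMPv6 starts after the 14-byte Ethernet and 40-byte IPv6 headers
    if icmp[0] != ROUTER_ADVERTISEMENT:
        return None
    ra = {"src_mac": frame[6:12].hex(":"), "src_ip": str(ipaddress.IPv6Address(frame[22:38])),
          "prefixes": [], "dns_servers": []}
    pos = 16  # end of the fixed RA header; TLV options follow, length in units of 8 bytes
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp):
            break  # zero-length or truncated option: stop rather than loop forever
        body = icmp[pos + 2:pos + opt_len]
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:  # prefix handed to SLAAC clients
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif opt_type == OPT_RDNSS:  # DNS servers pushed to clients, a common redirection lever
            for i in range(6, len(body) - 15, 16):
                ra["dns_servers"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        pos += opt_len
    return ra

def find_rogue_router_advertisements(frames, trusted_macs):
    """Return RAs whose source MAC is not in the allowlist of legitimate gateways."""
    return [ra for ra in map(parse_router_advertisement, frames) if ra and ra["src_mac"] not in trusted_macs]

def build_ra(src_mac: str, src_ip: str, prefix: str, dns: str = "") -> bytes:
    """Constructed RA frame for testing only (checksum left zero, never put on the wire)."""
    net = ipaddress.IPv6Network(prefix)
    opts = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    opts += net.network_address.packed
    if dns:
        opts += struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1800) + ipaddress.IPv6Address(dns).packed
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + opts
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    return bytes.fromhex("333300000001" + src_mac.replace(":", "")) + b"\x86\xdd" + ip6 + icmp

TRUSTED_GATEWAY_MACS = {"00:11:22:33:44:55"}  # assumed allowlist taken from the network inventory
SAMPLE_FRAMES = [  # constructed: one RA from the real gateway, one from a host spoofing SLAAC
    build_ra("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455", "2001:db8:1::/64"),
    build_ra("de:ad:be:ef:00:01", "fe80::dcad:beff:feef:1", "2001:db8:bad::/64", "2001:db8:bad::53"),
]
```

Running `find_rogue_router_advertisements(SAMPLE_FRAMES, TRUSTED_GATEWAY_MACS)` returns only the second RA, with its spoofed prefix and DNS server; on a real network the frames would come from a capture on the segment and the allowlist from switch or gateway inventory, and RA Guard on access switches blocks the same traffic at the port.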

By hijacking the application’s server communication, TheWizards dropped a downloader that fetched and deployed a modular backdoor dubbed WizardNet, ESET explains.

Linked to Dianke Network Security Technology, a Chinese company also known as UPSEC, and active since at least 2022, TheWizards was seen targeting individuals and organizations in Cambodia, China, Hong Kong, the Philippines, and the United Arab Emirates.

The APT was seen deploying Spellbinder on compromised machines to capture network packets and reply to them, using the WinPcap library.

The tool can target the domains of multiple popular Chinese platforms, including Baidu, Baofeng, Funshion, Kingsoft, Mango TV, Qihoo 360, PPLive, Tencent, Youdao, Xiaomi, and others.

In late 2024, Spellbinder was used to hijack the update of Tencent QQ software and deploy a downloader to load the WizardNet backdoor in the victim machine’s memory.

The implant supports five commands to fetch and execute .NET modules that expand its functionality, unload them, invoke functions from them, upload a client plugin assembly, and send system information to the attackers.

Analysis of the malware used by TheWizards shows that the group is associated with UPSEC, the Chinese company previously identified as the supplier of the DarkNimbus malware (also known as DarkNights), used by the hacking group Earth Minotaur.

“ESET continues tracking TheWizards independently of Earth Minotaur. While both threat actors use DarkNights/DarkNimbus, according to ESET telemetry TheWizards has focused on different targets and uses infrastructure and additional tools (for example, Spellbinder and WizardNet) not observed to be used by Earth Minotaur,” ESET notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.