NICKEL, a China-based threat actor has been observed targeting governments, diplomatic entities, and non-governmental organizations (NGOs) across Central and South America, the Caribbean, Europe, and North America. Microsoft Threat Intelligence Center (MSTIC) has been tracking NICKEL and observed some common activity with other actors known in the security community as APT15, APT25, and KeChang. On December 6th, 2021, the Microsoft Digital Crimes Unit (DCU) announced the successful seizure of a set of NICKEL-operated websites and disruption of their ongoing attacks targeting organizations in 29 countries, following a court order from the U.S. District Court for the Eastern District of Virginia granting Microsoft the authority to seize these sites.
Summary
NICKEL actors were observed by MSTIC exploiting vulnerabilities in unpatched systems to compromise remote access services and appliances. Once intrusion was successful, they used credential dumpers or stealers to obtain credentials, which they used to gain access to victim accounts. The threat actors created and deployed custom malware that allowed them to maintain access and control on victim networks over extended periods of time. MSTIC has also observed NICKEL perform frequent and scheduled data collection and exfiltration from victim networks.
How it works
NICKEL successfully compromises networks using attacks on internet-facing web applications running on unpatched Microsoft Exchange and SharePoint. They also attack remote access infrastructure, such as unpatched VPN appliances.
After gaining an initial foothold the threat actors carried out regular surveillance on the network, working to gain access to additional accounts or systems with higher valued data. NICKEL typically deployed a keylogger to capture credentials from users on compromised systems. NICKEL was observed using Mimikatz, an older authentication method that allows the attacker access to credentials in clear text known as WDigest, NTDSDump, and other password dumping tools to gather credentials on a targeted system and from target browsers.
Another attack method used by NICKEL is deploying malware for command and control (C2). MSTIC has tracked several malware families used by NICKEL as Neoichor, Leeson, NumbIdea, NullItch, and Rokum. The malware is dropped into existing software paths to make the malware appear to be files used by installed applications. Some example of these paths are:
C:Program FilesRealtekAudioHDAAERTSr.exe
C:Program Files (x86)Foxit SoftwareFoxit ReaderFoxitRdr64.exe
C:Program Files (x86)AdobeFlash
PlayerAddInsairappinstallerairappinstall.exe
C:Program Files (x86)AdobeAcrobat Reader DCReaderAcroRd64.exe
The Leeson, Neoichor, and NumbIdea malware families typically use the Internet Explorer (IE) COM interface to connect and receive commands from hardcoded C2 servers. Due to their reliance on IE, these malware families intentionally configure the browser settings by modifying the following registry entries:
[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain] Start Page = about:blank
DisableFirstRunCustomize = 1
RunOnceComplete = 1
RunOnceHasShown = 1 Check_Associations = 1
[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerRecovery] AutoRecover = 0
[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerPrivacy] ClearBrowsingHistoryOnExit = 1
[HKEY_CURRENT_USERSoftwareMicrosoftInternet Connection Wizard] Completed = 1