NICKEL Targeting Government Organizations (23rd December 2021)

Ref# AL2021_57 | Date: Dec 23rd 2021

NICKEL, a China-based threat actor, has been observed targeting governments, diplomatic entities, and non-governmental organizations (NGOs) across Central and South America, the Caribbean, Europe, and North America. Microsoft Threat Intelligence Center (MSTIC) has been tracking NICKEL and observed some common activity with other actors known in the security community as APT15, APT25, and KeChang. On December 6th, 2021, the Microsoft Digital Crimes Unit (DCU) announced the successful seizure of a set of NICKEL-operated websites and disruption of their ongoing attacks targeting organizations in 29 countries, following a court order from the U.S. District Court for the Eastern District of Virginia granting Microsoft the authority to seize these sites.


NICKEL actors were observed by MSTIC exploiting vulnerabilities in unpatched systems to compromise remote access services and appliances. Once intrusion was successful, they used credential dumpers or stealers to obtain credentials, which they used to gain access to victim accounts. The threat actors created and deployed custom malware that allowed them to maintain access and control on victim networks over extended periods of time. MSTIC has also observed NICKEL perform frequent and scheduled data collection and exfiltration from victim networks.

How it works

NICKEL successfully compromises networks using attacks on internet-facing web applications running on unpatched Microsoft Exchange and SharePoint. They also attack remote access infrastructure, such as unpatched VPN appliances.

After gaining an initial foothold, the threat actors carried out regular surveillance on the network, working to gain access to additional accounts or systems with higher-value data. NICKEL typically deployed a keylogger to capture credentials from users on compromised systems. NICKEL was observed using Mimikatz, WDigest (an older authentication method that allows the attacker access to credentials in clear text), NTDSDump, and other password dumping tools to gather credentials on a targeted system and from target browsers.

Another attack method used by NICKEL is deploying malware for command and control (C2). MSTIC has tracked several malware families used by NICKEL as Neoichor, Leeson, NumbIdea, NullItch, and Rokum. The malware is dropped into existing software paths so that it appears to be files used by installed applications. Some examples of these paths are:

  • C:\Program Files\Realtek\Audio\HDA\AERTSr.exe
  • C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe
  • C:\Program Files (x86)\Adobe\Flash
  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe

The Leeson, Neoichor, and NumbIdea malware families typically use the Internet Explorer (IE) COM interface to connect and receive commands from hardcoded C2 servers. Due to their reliance on IE, these malware families intentionally configure the browser settings by modifying the following registry entries:

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    Start Page = about:blank
    DisableFirstRunCustomize = 1
    RunOnceComplete = 1
    RunOnceHasShown = 1
    Check_Associations = 1

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery]
    AutoRecover = 0

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
    ClearBrowsingHistoryOnExit = 1

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
    Completed = 1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
    IEHarden = 0

When connecting to the C2 servers, the URL requests follow these formats:

    http[:]//<C2>?id=<5-digit-rand><system-specific-string>
    http[:]//<C2>?setssion==<rand><GetTickCount>
    http[:]//<C2>?newfrs%dsetssion=<rand><GetTickCount>
    http[:]//<C2>/index.htm?content=<base64-system-specific-string>&id=<num>
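The request formats above can be turned into a hunting check over web-proxy logs. The following is an added example, not code from MSTIC or from this advisory. It assumes a constructed five-field log layout, reserved `.example` hosts, and that `<rand>`, `<GetTickCount>`, `<num>` and `%d` appear as decimal digits.

```python
import re
from urllib.parse import urlsplit

# Query patterns for the four request formats listed in this advisory.
# Assumption: <rand>, <GetTickCount>, <num> and %d appear as decimal digits.
FORMATS = [
    ("index-content", "/index.htm", re.compile(r"content=[A-Za-z0-9+/=%_-]+&id=\d+")),
    ("newfrs-setssion", "/", re.compile(r"newfrs-?\d+setssion=\d+")),
    ("setssion", "/", re.compile(r"setssion==\d+")),
    # Broad pattern: five digits then any string. Expect benign matches.
    ("id-rand", "/", re.compile(r"id=\d{5}\S+")),
]

# Constructed sample proxy log: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2021-12-01T08:00:01Z 10.0.0.5 GET http://c2.example/?id=48213WIN-PC01 200
2021-12-01T08:00:09Z 10.0.0.5 GET http://c2.example?setssion==187349201 200
2021-12-01T08:01:30Z 10.0.0.7 GET http://c2.example/?newfrs3setssion=5512088127 200
2021-12-01T08:02:11Z 10.0.0.7 GET http://c2.example/index.htm?content=V0lOLVBDMDE%3D&id=7 200
2021-12-01T08:03:00Z 10.0.0.9 GET http://intranet.example/search?session=abc&id=12 200
2021-12-01T08:03:05Z 10.0.0.9 GET http://shop.example/index.htm?id=7 200
"""

def classify(url):
    """Return the matching advisory format name for a plain-HTTP URL, else None."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http" or not parts.query:
        return None
    path = parts.path or "/"  # "http://host?x=1" has an empty path
    for name, want_path, rx in FORMATS:
        if path == want_path and rx.fullmatch(parts.query):
            return name
    return None

def hunt(log_text):
    """Return (client_ip, format_name, url) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed or truncated lines
        name = classify(fields[3])
        if name:
            hits.append((fields[1], name, fields[3]))
    return hits

if __name__ == "__main__":
    for client, name, url in hunt(SAMPLE_LOG):
        print(f"{client}  {name:16} {url}")
```

The misspelled `setssion` parameter is the most distinctive of the four; treat `id-rand` hits as leads to correlate with the registry and file-path indicators rather than as standalone alerts.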

A typical response from the C2 server is a legitimate-looking webpage containing the string !DOCTYPE html, which the malware checks for. The malware then locates a Base64-encoded blob, which it decodes and loads as shellcode.

For the Neoichor family, the malware checks for internet connectivity by contacting with the request format<GetTickCount> and drops files as ~atemp and ~btemp containing error codes and debug resources.

The implanted backdoors collect system information such as IP address, OS version, system language ID, computer name, and signed-in username. The basic functions of these backdoors are to launch a process, upload a file, download a file, and execute shellcode in memory.


The following guidance can help mitigate the techniques and threat activity described in this blog:

Block credential stealing from the Windows local security authority subsystem (lsass.exe)