NICKEL targeting government organizations across Latin America and Europe

Microsoft Security Blog, December 6, 2021 (updated August 10, 2023)
https://www.microsoft.com/en-us/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/

The Microsoft Threat Intelligence Center (MSTIC) has observed NICKEL, a China-based threat actor, targeting governments, diplomatic entities, and non-governmental organizations (NGOs) across Central and South America, the Caribbean, Europe, and North America. MSTIC has been tracking NICKEL since 2016 and observed some common activity with other actors known in the security community as APT15, APT25, and KeChang. Today, the Microsoft Digital Crimes Unit (DCU) announced the successful seizure of a set of NICKEL-operated websites and disruption of their ongoing attacks targeting organizations in 29 countries, following a court order from the U.S. District Court for the Eastern District of Virginia granting Microsoft the authority to seize these sites.

MSTIC has tracked the current NICKEL operations, including attacks against government organizations, diplomatic entities, and NGOs, since September 2019. During this time, NICKEL activity has been observed across several countries, with a large amount of activity targeting Central and South American governments. Notably, NICKEL has achieved long-term access to several targets, allowing NICKEL to conduct activities such as regularly scheduled exfiltration of data. As China’s influence around the world continues to grow and the nation establishes bilateral relations with more countries and extends partnerships in support of China’s Belt and Road Initiative, we assess that China-based threat actors will continue to target customers in government, diplomatic, and NGO sectors to gain new insights, likely in pursuit of economic espionage or traditional intelligence collection objectives. Portions of the NICKEL activity we are highlighting have also been blogged about by our colleagues at ESET.


Figure 1: NICKEL targeted countries: Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, United Kingdom, United States of America, Venezuela

As with any observed nation-state actor activity, Microsoft continues to notify customers that have been targeted or compromised, providing them with the information they need to help secure their organizations. To reduce the potential impact of this NICKEL activity, Microsoft encourages our customers to immediately review the activity and guidance below, then implement risk mitigations, harden environments, and investigate suspicious behaviors that match the tactics described in this blog. MSTIC will continue to observe, monitor, and notify affected customers and partners, when possible, through our nation-state notification process.

Observed activity

MSTIC has observed NICKEL actors using exploits against unpatched systems to compromise remote access services and appliances. Upon successful intrusion, they have used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. NICKEL actors created and deployed custom malware that allowed them to maintain persistence on victim networks over extended periods of time. MSTIC has also observed NICKEL perform frequent and scheduled data collection and exfiltration from victim networks.

NICKEL successfully compromises networks using attacks on internet-facing web applications running on unpatched Microsoft Exchange and SharePoint. They also attack remote access infrastructure, such as unpatched VPN appliances, as referenced in the FireEye April 2021 blog detailing a 0-day vulnerability in Pulse Secure VPN that has since been patched.

After gaining an initial foothold on a compromised system, the NICKEL actors routinely performed reconnaissance on the network, working to gain access to additional accounts or higher-value systems. NICKEL typically deployed a keylogger to capture credentials from users on compromised systems. We’ve observed NICKEL using Mimikatz, WDigest (an older authentication method that allows the attacker access to credentials in clear text), NTDSDump, and other password dumping tools to gather credentials on a targeted system and from target browsers.


Deploying malware for command and control

MSTIC tracks multiple malware families used by NICKEL for command and control as Neoichor, Leeson, NumbIdea, NullItch, and Rokum.

The Leeson, Neoichor, and NumbIdea malware families typically use the Internet Explorer (IE) COM interface to connect and receive commands from hardcoded C2 servers. Due to their reliance on IE, these malware families intentionally configure the browser settings by modifying the following registry entries:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Start Page = "about:blank"
DisableFirstRunCustomize = 1
RunOnceComplete = 1
RunOnceHasShown = 1
Check_Associations = 1

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery]
AutoRecover = 0

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
ClearBrowsingHistoryOnExit = 1

[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
Completed = 1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
IEHarden = 0
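The registry values above are useful as a hunting pivot, but several of them (DisableFirstRunCustomize, Check_Associations, IEHarden) are also set by legitimate administration and Group Policy, so only the complete combination written into a user hive is worth flagging, and even then the finding should be tied back to the process that wrote the values. The following Python script is an added example, not code from the Microsoft post: it compares a snapshot of the HKCU values against the documented combination. The `read_hkcu_snapshot` helper (an assumed collection method using the standard-library `winreg` module) reads the live hive on Windows; on any other platform the script falls back to `SAMPLE_SNAPSHOT`, a constructed export that represents a positive match.

```python
import sys

# Values the Leeson, Neoichor and NumbIdea families write under HKEY_CURRENT_USER,
# exactly as listed in the report. Keys are (subkey path, value name).
IE_INDICATORS = {
    (r"Software\Microsoft\Internet Explorer\Main", "Start Page"): "about:blank",
    (r"Software\Microsoft\Internet Explorer\Main", "DisableFirstRunCustomize"): 1,
    (r"Software\Microsoft\Internet Explorer\Main", "RunOnceComplete"): 1,
    (r"Software\Microsoft\Internet Explorer\Main", "RunOnceHasShown"): 1,
    (r"Software\Microsoft\Internet Explorer\Main", "Check_Associations"): 1,
    (r"Software\Microsoft\Internet Explorer\Recovery", "AutoRecover"): 0,
    (r"Software\Microsoft\Internet Explorer\Privacy", "ClearBrowsingHistoryOnExit"): 1,
    (r"Software\Microsoft\Internet Connection Wizard", "Completed"): 1,
    (r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "IEHarden"): 0,
}


def _normalise(value):
    # REG_SZ values compare case-insensitively and without stray whitespace;
    # REG_DWORD values come back from winreg as int and are used as they are.
    return value.strip().lower() if isinstance(value, str) else value


def match_ie_indicators(snapshot):
    """Compare a {(path, name): value} snapshot against IE_INDICATORS.

    Returns (matched, missing): lists of (path, name) keys whose value does or
    does not equal the documented one. A value absent from the snapshot counts
    as missing, so a full match requires all nine values.
    """
    matched, missing = [], []
    for key, expected in IE_INDICATORS.items():
        if _normalise(snapshot.get(key)) == _normalise(expected):
            matched.append(key)
        else:
            missing.append(key)
    return matched, missing


def read_hkcu_snapshot():
    """Collect the indicator values from the live HKCU hive (Windows only).

    Assumed collection method for this example: the standard-library winreg
    module, run under the user profile being examined.
    """
    import winreg  # only available on Windows

    snapshot = {}
    for path, name in IE_INDICATORS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
                snapshot[(path, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass  # subkey or value not present; it will show up as missing
    return snapshot


# Constructed sample, as a triage tool might export it from a suspect profile.
# It holds the full combination (with one value in a different case, to show
# normalisation) plus an unrelated value that a real export would also contain.
SAMPLE_SNAPSHOT = {
    (r"Software\Microsoft\Internet Explorer\Main", "Start Page"): "About:Blank",
    (r"Software\Microsoft\Internet Explorer\Main", "DisableFirstRunCustomize"): 1,
    (r"Software\Microsoft\Internet Explorer\Main", "RunOnceComplete"): 1,
    (r"Software\Microsoft\Internet Explorer\Main", "RunOnceHasShown"): 1,
    (r"Software\Microsoft\Internet Explorer\Main", "Check_Associations"): 1,
    (r"Software\Microsoft\Internet Explorer\Recovery", "AutoRecover"): 0,
    (r"Software\Microsoft\Internet Explorer\Privacy", "ClearBrowsingHistoryOnExit"): 1,
    (r"Software\Microsoft\Internet Connection Wizard", "Completed"): 1,
    (r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "IEHarden"): 0,
    (r"Software\Microsoft\Internet Explorer\Main", "Window_Placement"): "<binary blob>",
}


if __name__ == "__main__":
    snapshot = read_hkcu_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    matched, missing = match_ie_indicators(snapshot)
    print(f"{len(matched)}/{len(IE_INDICATORS)} documented values present")
    for path, name in missing:
        print(f"  not set as documented: HKCU\\{path}\\{name}")
    if not missing:
        print("Full combination present: identify the process that wrote these values.")
```

A partial match (for example only the `Main` values) is common in managed environments and is not by itself a NICKEL indicator; the distinctive part is `ClearBrowsingHistoryOnExit = 1` together with `AutoRecover = 0` on a profile where the user does not run Internet Explorer.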

When connecting to the C2 servers, the URL requests follow these formats:

http[:]//<C2>?id=<5-digit-rand><system-specific-string>
http[:]//<C2>?setssion==<rand><GetTickCount>
http[:]//<C2>?newfrs%dsetssion=<rand><GetTickCount>
http[:]//<C2>/index.htm?content=<base64-system-specific-string>&id=<num>

A typical response from the C2 server is a legitimate-looking webpage containing the string “!DOCTYPE html”, which the malware checks. The malware then locates a Base64-encoded blob, which it decodes and proceeds to load as a shellcode.

For the Neoichor family, the malware checks for internet connectivity by contacting bing.com with the request format bing.com?id=<GetTickCount> and drops files as ~atemp and ~btemp containing error codes and debug resources.
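The four C2 URL formats above and the Neoichor bing.com connectivity check share a property that makes them easy to hunt for in proxy logs: the query string sits directly after the host with no path, and the `setssion` misspelling and doubled `==` are the actor's own. The Python script below is an added example, not code from the Microsoft post. It turns each documented format into an anchored regular expression, runs them over a handful of constructed proxy log lines (the `<timestamp> <client> <method> <url> <status>` layout, the `.invalid` hostnames and the query values are all made up for this example), and summarises which client matched which formats, since one host hitting several distinct formats is a much stronger signal than a lone `?id=` match.

```python
import re

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
# Hosts use the reserved .invalid TLD; no line here is real NICKEL traffic.
SAMPLE_LOG = """\
2021-11-02T10:15:03Z 10.0.0.5 GET http://update.example.invalid?id=48213WIN10-DESKTOP-7F3A 200
2021-11-02T10:15:09Z 10.0.0.5 GET http://update.example.invalid?setssion==93751128943 200
2021-11-02T10:16:40Z 10.0.0.5 GET http://update.example.invalid?newfrs3setssion=12094128951 200
2021-11-02T10:17:02Z 10.0.0.5 GET http://update.example.invalid/index.htm?content=U0VSVkVSLTAxfDEwLjAuMC41&id=7 200
2021-11-02T10:17:05Z 10.0.0.5 GET http://bing.com?id=128961 200
2021-11-02T10:18:00Z 10.0.0.7 GET https://www.bing.com/search?q=weather 200
2021-11-02T10:18:30Z 10.0.0.7 GET http://intranet.example.invalid/app?id=12345&view=1 200
"""

HOST = r"^https?://[^/?\s]+"  # scheme and host only; nothing before the query

# One pattern per documented format. The first three put the query string straight
# after the host with no path at all, which is itself unusual for browser traffic.
C2_PATTERNS = {
    # "setssion" is the actor's misspelling; the doubled "==" is part of the format.
    "setssion": re.compile(HOST + r"\?setssion==\d+$"),
    "newfrs_setssion": re.compile(HOST + r"\?newfrs\d+setssion=\d+$"),
    "index_content": re.compile(HOST + r"/index\.htm\?content=[A-Za-z0-9+/=]+&id=\d+$"),
    # Lowest fidelity: ?id=<5 digits><string> directly on the host. Pair it with the
    # other patterns or with process lineage before acting on it.
    "id_beacon": re.compile(HOST + r"\?id=\d{5}[^&\s]*$"),
    # Neoichor connectivity check: bing.com with no path and a bare numeric id.
    "bing_check": re.compile(r"^https?://(www\.)?bing\.com\?id=\d+$"),
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_url(url):
    """Return the names of every C2 pattern the URL matches (empty if none)."""
    return [name for name, pattern in C2_PATTERNS.items() if pattern.match(url)]


def scan_log(text):
    """Return (line_no, client, url, pattern_names) for every matching log line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production tool would count these
        names = classify_url(m.group("url"))
        if names:
            hits.append((line_no, m.group("client"), m.group("url"), names))
    return hits


def patterns_by_client(hits):
    """Map each client to the sorted set of distinct formats it matched."""
    summary = {}
    for _, client, _, names in hits:
        summary.setdefault(client, set()).update(names)
    return {client: sorted(names) for client, names in summary.items()}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for line_no, client, url, names in hits:
        print(f"line {line_no}: {client} -> {url}  [{', '.join(names)}]")
    for client, names in patterns_by_client(hits).items():
        print(f"{client}: {len(names)} distinct format(s): {', '.join(names)}")
```

Run against the sample, the script flags the five beacon lines from 10.0.0.5 and leaves the ordinary Bing search and the intranet `?id=` request from 10.0.0.7 alone; the `bing_check` hit on its own would be noise, but on a host that also matched `setssion` and `index_content` it corroborates the rest.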

The NICKEL implants are backdoors capable of collecting system information, such as: