Dec 8, 2021

Microsoft disrupts China-based hacking group Nickel


Microsoft has taken control of 42 web domains that a hacking group was using to try to breach its targets.
On December 2, the Microsoft Digital Crimes Unit (DCU) filed pleadings with the US District Court for the Eastern District of Virginia seeking authority to take control of the sites that it discovered belonged to a China-based group it calls Nickel. The court order was unsealed December 6 following completion of service on the hosting providers, and traffic from the websites is now routed to computer servers controlled by Microsoft.
The disruption is unlikely to stop Nickel's hacking activities, but it has thrown a spanner in the works by removing a key piece of the infrastructure the group has been relying on for its latest wave of attacks. Any setback to this Chinese hacking group, or to others like it, is likely to be temporary: the operators will register or build new infrastructure for their next campaigns.
Others in the security community who have researched this group of actors refer to the group by other names, including KE3CHANG, APT15, Vixen Panda, Royal APT, and Playful Dragon. Malwarebytes generally uses the APT15 designation for this group.
The group’s activities have been traced back to 2010 when it performed a cyberespionage campaign directed at diplomatic organizations and missions in Europe.
Nickel's techniques vary, but its activity serves a single objective: implanting stealthy malware to get into networks, steal data, and spy on government agencies, think tanks, and human rights organizations.
For initial access, Microsoft observed Nickel exploiting older vulnerabilities in products such as Microsoft Exchange and SharePoint for which patches were already available (so the victims were running unpatched systems), and also using compromised third-party VPN suppliers or stolen credentials. For credential theft and lateral movement, Nickel actors were seen using Mimikatz, NTDSDump, and other password-dumping tools, including abuse of WDigest, the legacy authentication provider that can leave plaintext credentials cached in LSASS memory for Mimikatz to read.
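As an added example (not code from the article or from Microsoft's write-up), the following PowerShell audits the two LSASS settings that decide how much a credential dumper like Mimikatz can harvest from a host it has already compromised: whether WDigest caches plaintext credentials, and whether LSASS runs as a protected process. It reads the real registry locations; the function names and the optional remediation function are my own.

```powershell
# Added example: audit (and optionally fix) the LSASS settings that credential
# dumpers such as Mimikatz rely on. Not code from the article or from MSTIC.
# Run from an elevated PowerShell prompt on the host being checked.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CredentialCachingPosture {
    # UseLogonCredential = 1 makes WDigest keep plaintext passwords in LSASS memory
    # (readable with Mimikatz sekurlsa::wdigest). Absent or 0 disables caching on
    # Windows 8.1 / Server 2012 R2 and later; KB2871997 adds the value to older builds.
    $useLogonCred = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential `
                        -ErrorAction SilentlyContinue).UseLogonCredential

    # RunAsPPL = 1 starts LSASS as a protected process (PPL), which stops ordinary
    # admin-level tools from opening the process to dump credentials.
    $runAsPpl = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL `
                    -ErrorAction SilentlyContinue).RunAsPPL

    [pscustomobject]@{
        WDigestUseLogonCredential = $useLogonCred
        WDigestPlaintextCaching   = ($useLogonCred -eq 1)
        LsaRunAsPPL               = $runAsPpl
        LsassProtected            = ($runAsPpl -eq 1)
    }
}

function Set-CredentialCachingHardening {
    # Set the hardened values explicitly rather than relying on defaults, so a
    # later change to UseLogonCredential = 1 stands out in configuration audits.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    New-ItemProperty -Path $WDigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $LsaKey     -Name RunAsPPL           -PropertyType DWord -Value 1 -Force | Out-Null
    # RunAsPPL only takes effect after a reboot; credentials WDigest has already
    # cached stay in LSASS memory until the affected logon sessions end.
}

$posture = Get-CredentialCachingPosture
$posture | Format-List

if ($posture.WDigestPlaintextCaching) {
    Write-Warning 'WDigest plaintext credential caching is enabled; Mimikatz can read cleartext passwords from LSASS.'
}
if (-not $posture.LsassProtected) {
    Write-Warning 'LSASS is not running as a protected process (RunAsPPL is not set).'
}

# Uncomment to apply the hardened values:
# Set-CredentialCachingHardening
```

Two caveats before enabling RunAsPPL fleet-wide: it requires Windows 8.1 / Server 2012 R2 or later, and any third-party authentication package or LSA plug-in that is not signed for protected-process loading will silently stop loading, so test on a representative image first. Neither setting stops an attacker who already has SYSTEM and a kernel driver, and neither protects the NTDS.dit database that NTDSDump targets on domain controllers; they shrink the easy path, not every path.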
The group then dropped hard-to-detect malware that enabled intrusion, surveillance and data theft at organizations in Argentina, Barbados, Bosnia-Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad & Tobago, the UK, US, and Venezuela.
As a result, Nickel achieved long-term access to several targets, which allowed it to run activities such as regularly scheduled data exfiltration. Microsoft Threat Intelligence Center (MSTIC) observed Nickel performing frequent, scheduled data collection and exfiltration from victim networks, including checking directories of interest for files added since the previous collection run.
One method Nickel uses to hide its malware is to drop it into the installation directories of software that is already present on the host, so that the implant looks like just another file belonging to that application. These implants are backdoors that collect system information and provide basic backdoor functionality, including, but not limited to:
A long list of IOCs can be found at the end of this write-up about Nickel by MSTIC.
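The "hide in an installed application's directory" technique described above leaves a signal a defender can look for: a recently created binary that is unsigned, or signed by someone other than the vendor whose files surround it. The following PowerShell hunt is an added example, not code from the article or from MSTIC; the roots it scans, the 30-day lookback and the function name are assumptions you should adjust to your environment.

```powershell
# Added example: hunt for implants dropped into the install directories of
# legitimate software. Not code from the article or from MSTIC.
# Run as an administrator so every directory under the roots is readable.

function Find-SuspiciousDroppedBinaries {
    param(
        # Assumed roots: the usual application install locations on Windows.
        [string[]] $Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData),
        # Assumed lookback window; widen it for a first sweep of a long-lived host.
        [int]      $LookbackDays = 30
    )
    $since = (Get-Date).AddDays(-$LookbackDays)
    $dominantSigner = @{}   # directory -> most common signer subject among its binaries

    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -gt $since -or $_.LastWriteTime -gt $since } |
            ForEach-Object {
                $file = $_
                $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
                $dir  = $file.DirectoryName

                # Work out which signer "owns" this directory, once per directory.
                # A new unsigned file sitting among vendor-signed files is exactly
                # what the technique produces.
                if (-not $dominantSigner.ContainsKey($dir)) {
                    $dominantSigner[$dir] =
                        Get-ChildItem -Path (Join-Path $dir '*') -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
                        ForEach-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).SignerCertificate.Subject } |
                        Where-Object { $_ } |
                        Group-Object | Sort-Object Count -Descending |
                        Select-Object -First 1 -ExpandProperty Name
                }
                $signer    = $sig.SignerCertificate.Subject
                $neighbour = $dominantSigner[$dir]

                [pscustomobject]@{
                    Path            = $file.FullName
                    Created         = $file.CreationTime
                    Modified        = $file.LastWriteTime
                    SignatureState  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                    Signer          = $signer
                    NeighbourSigner = $neighbour
                    Suspicious      = ($sig.Status -ne 'Valid') -or
                                      ($neighbour -and $signer -ne $neighbour)
                }
            }
    }
}

# Triage list: new binaries that are unsigned, tampered, or signed by a stranger.
Find-SuspiciousDroppedBinaries |
    Where-Object Suspicious |
    Sort-Object Created -Descending |
    Format-Table Path, Created, SignatureState, Signer, NeighbourSigner -AutoSize
```

Treat the output as a triage list rather than a verdict: plenty of legitimate third-party software ships unsigned helper DLLs, and a tampered or back-dated timestamp will slip past the date filter, so pair this with a hash comparison against the IOCs in the MSTIC write-up and against a known-good install baseline. Running it across a fleet and diffing results between hosts with the same software set is usually more productive than reading one host's output in isolation.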
The Microsoft blog includes a call-to-action for industry, governments, civil society, and others to come together and establish a new consensus for what is and isn’t appropriate behavior in cyberspace. There are some promising developments in this area, like the United States and the European Union joining the Paris Call for Trust and Security in Cyberspace, the Oxford Process which has brought together some of the best legal minds to evaluate the application of international law to cyberspace, and the United Nations taking critical steps to advance dialogue across stakeholders. Nevertheless, every entity with the relevant expertise and resources needs to do whatever they can to help bolster trust in technology and protect the digital ecosystem.
Stay safe, everyone!

Malware Intelligence Researcher
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.