The Microsoft Threat Intelligence Center (MSTIC) has discovered a malicious actor dubbed NICKEL, who is based in China, and targets its attacks on governments, diplomatic entities and non-governmental organizations (NGO) throughout Central and South America, the Caribbean, Europe and North America.

MSTIC has been tracking NICKEL since 2016, but it wasn’t until a few hours ago that Microsoft’s Digital Crimes Unit (DCU) announced the successful seizure of a set of websites operated by NICKEL and the disruption of its ongoing attacks targeting organizations in 29 countries, following an injunction from a court in the United States that gave Microsoft the authority to seize these sites.

The Redmond company believes NICKEL has achieved long-term access to several targets, allowing it to perform activities such as regularly scheduled data exfiltration.

“As China’s influence around the world continues to grow and the nation establishes bilateral relations with more countries and expands partnerships in support of the China Belt and Road Initiative, we assess threat actors based in China will continue to target clients in the government, diplomatic and NGO sectors for new insights.” Microsoft believes the objective is economic espionage and gathering information.

Spain does not seem affected for now, according to Microsoft research, but Argentina, Colombia, Mexico, Panama, Venezuela, Ecuador and Peru in Latin America are, as are France, Italy, Portugal and the United Kingdom, close neighbors of our country in Europe. The complete list of the attacked countries is on the previous map. Microsoft is notifying customers that have been attacked or compromised, although it has not made this information public.

Microsoft advises its customers in general to check the activity on their operating systems and computers as soon as possible, to implement the risk mitigations, and to investigate suspicious behaviors that match the tactics outlined in its blog post.

MSTIC has observed that NICKEL actors use exploits against unpatched systems to compromise remote access services and devices. “Once the intrusion has been successful, they have used credential dumpers or stealers to obtain legitimate credentials, and the NICKEL actors created and deployed custom malware that allowed them to maintain persistence on victims’ networks for long periods of time. MSTIC has also observed that NICKEL conducts frequent and scheduled data collection and exfiltration.”

NICKEL succeeds in compromising networks by attacking Internet-facing web applications running on Microsoft Exchange and SharePoint. They also attack remote access infrastructure, such as unpatched VPN devices. In some cases NICKEL was able to compromise VPN providers or obtain stolen credentials, while in others they took advantage of unpatched Exchange Server and SharePoint systems.

In addition, NICKEL usually deploys a keylogger to capture the credentials of users of the compromised systems. MSTIC has observed that NICKEL uses Mimikatz, WDigest (an old authentication method that lets the attacker access credentials in clear text), NTDSDump and other password dumping tools to collect credentials from a system and from browsers.

According to the Windows maker, the Leeson, Neoichor and NumbIdea malware families often use the Internet Explorer (IE) COM interface to connect to encrypted C2 servers and receive commands. Because they depend on IE, these malware families deliberately configure browser settings by modifying various registry entries. They then connect to the C2 servers, and the URL requests follow new formats.

A typical C2 server response is a legitimate-looking web page containing the string “!DOCTYPE html”, which the malware checks for. The malware then locates a Base64-encoded blob, decodes it, and loads it as shellcode.
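The C2 pattern just described (an ordinary-looking HTML page that carries the “!DOCTYPE html” marker plus a large Base64 blob) gives defenders something concrete to hunt for in proxy captures or sandbox traffic. The following Python triage helper is an added example and is not code from Microsoft or from any of the malware families named here; it works on a constructed sample response (the embedded blob is filler bytes, not real payload) and only extracts, hashes and measures the blob. It never executes what it decodes. The marker string, the minimum blob length and the entropy threshold are assumptions chosen for illustration.

```python
import base64
import hashlib
import math
import re

# Constructed sample of a C2-style HTTP response body: the page looks
# legitimate and carries the "!DOCTYPE html" string, but hides a large
# Base64 blob inside an HTML comment. The payload is filler bytes
# (0x00..0xFF repeated), NOT real malware.
_FAKE_PAYLOAD = bytes(range(256)) * 4
SAMPLE_RESPONSE = (
    "<!DOCTYPE html>\n"
    "<html><head><title>Welcome</title></head>\n<body>\n"
    "<p>Nothing to see here.</p>\n"
    "<!-- " + base64.b64encode(_FAKE_PAYLOAD).decode() + " -->\n"
    "</body></html>\n"
)

# A run of Base64 alphabet characters followed by optional padding.
# 64 is the assumed lower bound for the regex; triage_response applies
# its own, larger minimum length to cut down on false positives.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Assumed threshold: decoded data above this entropy is treated as
# likely encrypted, packed or machine code rather than text.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_response(body: str, min_blob_len: int = 256) -> list[dict]:
    """Find Base64 blobs in a page that claims to be HTML and describe them.

    Returns one record per blob with its offset, sizes, SHA-256 and entropy.
    Decoding is done only for hashing and measurement; nothing is executed.
    """
    # Mirror the malware's own check: responses without the marker are
    # not part of this pattern and are skipped outright.
    if "!DOCTYPE html" not in body:
        return []

    findings = []
    for match in BASE64_RUN.finditer(body):
        token = match.group(0)
        if len(token) < min_blob_len:
            continue  # short tokens are usually CSS classes, hashes, etc.
        try:
            decoded = base64.b64decode(token, validate=True)
        except ValueError:
            continue  # not valid Base64 (bad length or padding)
        entropy = shannon_entropy(decoded)
        findings.append({
            "offset": match.start(),
            "encoded_len": len(token),
            "decoded_len": len(decoded),
            "sha256": hashlib.sha256(decoded).hexdigest(),
            "entropy": entropy,
            "high_entropy": entropy >= HIGH_ENTROPY,
        })
    return findings


if __name__ == "__main__":
    for record in triage_response(SAMPLE_RESPONSE):
        print(record)
```

A hit with a high-entropy blob of a few hundred bytes or more on a page that otherwise looks like boilerplate HTML is worth pulling the source host and the requesting process for review; the SHA-256 lets you correlate the same blob across multiple captures without keeping the decoded bytes around.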

NICKEL implants are backdoors capable of collecting information from the system, such as the IP address, operating system version, system language ID, computer name and registered username. MSTIC has observed that NICKEL places its malware in the paths of installed programs, so that it appears to be a file belonging to an installed application. An example path would be C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe.