Microsoft Takes Down Malicious Websites Used By The China-based Hacking Group

Dozens of malicious websites were recently seized by Microsoft Threat Intelligence Center (MSTIC) that was operated by the Chinese APT group, NICKEL which targets several government and non-government organizations across Central and South America, the Caribbean, Europe, and North America.

Since 2016 Microsoft Threat Intelligence Center (MSTIC) has been tracking NICKEL, and till now NICKEL has compromised the servers of several organizations in more than 29 countries, and here is the list of targets:-

  • Government organizations
  • Diplomatic entities
  • Non-governmental organizations (NGOs)

However, the Digital Crimes Unit (DCU) of Microsoft has recently declared that they have successfully disrupted the ongoing attacks and malicious websites of NICKEL.

On December 2 a complaint was filed after which the US District Court for the Eastern District of Virginia granted an order to Microsoft to successfully manage to execute this operation.

Countries Targeted by NICKEL

Microsoft is working hard to notify all the affected users and encourage them to immediately review their recent activities. Here’s the list of all the countries that are targeted by NICKEL:-

  • Argentina
  • Barbados
  • Bosnia and Herzegovina
  • Brazil
  • Bulgaria
  • Chile
  • Colombia
  • Croatia
  • Czech Republic
  • Dominican Republic
  • Ecuador
  • El Salvador
  • France
  • Guatemala
  • Honduras
  • Hungary
  • Italy
  • Jamaica
  • Mali
  • Mexico
  • Montenegro
  • Panama
  • Peru
  • Portugal
  • Switzerland
  • Trinidad and Tobago
  • United Kingdom
  • United States of America
  • Venezuela

Here’s what the Corporate Vice President for Customer Security & Trust at Microsoft, Tom Burt stated:-

“NICKEL has targeted organizations in both the private and public sectors, including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa. All these attacks were largely being used for intelligence gathering from government agencies, think tanks, and human rights organizations.”

NICKEL Activity

The hackers behind NICKEL steal sensitive data and credentials from the compromised systems of users by deploying a keylogger. And to execute their operations they used the following TTPs to steal credentials from the targeted systems and browsers:-

  • Mimikatz
  • WDigest
  • NTDSDump
  • Password dumping tools

NICKEL implants have the ability to collect the following system data:-

  • IP address
  • OS version
  • System language ID
  • Computer name
  • Signed-in username

While the functionalities offered by the NICKEL backdoor are:-

  • Launching a process
  • Uploading a file
  • Downloading a file
  • Executing a shellcode in memory

Recommendation & Mitigation

Microsoft has recommended users to follow the following things:-

  • Implement risk mitigations
  • Harden environments
  • Investigate suspicious behaviors

Here are the mitigations below:-

  • Block legacy authentication protocols in Azure Active Directory.
  • Enable multi-factor authentication.
  • Use Microsoft Authenticator to secure accounts, it’s a passwordless solution.
  • Block ActiveSync clients from bypassing Conditional Access policies.

The rapid increase in such threats is frightening, that’s why the experts always recommend users to follow all the security measures properly to mitigate these types of threats.

Indicators of compromise (IOCs)

TypeIndicator
SHA-25602daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2
SHA-2560a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c
SHA-2560d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c
SHA-25610bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95
SHA-25612d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21
SHA-2561899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49
SHA-25622e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844
SHA-256259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef
SHA-25626debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822
SHA-25635c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2
SHA-2563ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838
SHA-2563bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65
SHA-2563c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6
SHA-2563dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1
SHA-2563fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90
SHA-2566854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b
SHA-2566b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce
SHA-2567944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0
SHA-256926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c
SHA-25695e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a
SHA-256a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b
SHA-256afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a
SHA-256b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124
SHA-256c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa
SHA-256c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda
SHA-256ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94
SHA-256ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6
SHA-256d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce
SHA-256d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6
SHA-256e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.