What we found on Microsoft's latest domain seizure

Threat actors are reported to have attacked government agencies in 29 countries in a recent malicious campaign. The attacks have been attributed to the China-based advanced persistent threat (APT) group Nickel, which is known to target governments and non-governmental organizations (NGOs) across Europe, the Americas and the Caribbean.

To date, Microsoft has seized 42 domains that the threat actors used in the attacks. We took a closer look at these web properties using WHOIS tools to find additional information that might be useful to fellow researchers and IT security teams. Our findings include the following:

  • Several of the 42 domains had rich WHOIS histories; the sample averaged nine historical WHOIS records per domain.
  • The majority of the 42 domains were likely newly registered when they were used in the targeted attacks.
  • A reverse WHOIS search turned up 2,953 additional domains that Microsoft has seized over time.

As part of our ongoing effort to help cybersecurity analysts and researchers continue their education, we have gathered all the relevant data and made it available to anyone interested. You can download the threat research material here.

What we know so far

Microsoft has been tracking Nickel since 2016, which allowed it to compile the list of 42 domains it sought to seize. It obtained a court order authorizing the seizure from a federal court in Virginia before proceeding.

The Nickel attacks used hard-to-detect malware that allowed the threat actors to spy on and steal data from target organizations in 29 countries. The victims included agencies in Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the United Kingdom, the United States and Venezuela.

What the WHOIS intelligence sources and OSINT search revealed

We began our in-depth review by submitting the 42 seized domains to Historical WHOIS Lookups. The majority of the domains were probably newly registered when they were put to malicious use. Some, however, were not new: the oldest, palazzochigi[.]com, was created on April 14, 2011, five years before Microsoft began tracking Nickel. An old creation date alone does not show that a domain was attacker-controlled from the start, since domains can change hands or be compromised years after registration, which is why the registrant history examined below matters. Graph 1 shows the breakdown by domain creation date.

Graph 1: breakdown of the 42 seized domains by creation date

The majority of the domains (22 or 52%) were created in 2020. The remaining 20 were created at various points over the preceding decade, going back to 2011.

We also looked at the historical WHOIS records of the 42 seized domains and found that a large portion (31 or 74%) listed China as their last known registrant country. Graph 2 shows the breakdown by last known registrant country.

Graph 2: breakdown of the 42 seized domains by last known registrant country

Given their age, the domains had an average of nine historical WHOIS records each. Graph 3 shows the record counts in more detail.

Graph 3: breakdown of the 42 seized domains by number of historical WHOIS records

The most common count was nine historical WHOIS records since creation (9 domains or 21%). As expected, the older a domain, the more historical WHOIS records it tends to have.

According to Microsoft, the seized domains were associated with backdoor infections, specifically Backdoor:Win32/Leeson!MSR (the Leeson malware), which was detected on November 30, 2021. Leeson disguises itself as a legitimate application and connects compromised systems to hard-coded command-and-control (C&C) servers. This allows the attackers to collect information including the victim's IP address, operating system (OS) version, system language ID, computer name, and the user name of the currently logged-in user.

The fact that almost three-quarters of the sample listed China as the last known registrant country is consistent with Nickel's reported origin. The registrant countries were taken from historical WHOIS records dated between March 17 and November 1, 2021. These dates may coincide with the last time each domain was used in attacks. If so, the targeted attacks instigated by Nickel continued until last month, shortly before Microsoft obtained the authority to seize the group's domains.

Microsoft, through its Digital Crimes Unit (DCU), has been seizing domains since the unit's inception in 2008. The DCU focuses on seven areas: business email compromise (BEC), malware, ransomware, tech support fraud, online child exploitation, business operations integrity and technological advancements. Part of its work is taking down components of threat infrastructure, including the 42 domains discussed in this article.

The seized domains currently show "Digital Crimes Unit" as their registrant organization. They are not the only ones, however: a reverse WHOIS search for that string returned 2,953 other domains that Microsoft has also seized in connection with various attacks. Examples include unicy[.]with, mini purse[.]to and optiker-gramm[.]to, which were connected to a botnet operated by as-yet unidentified "John Doe" defendants.
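The aggregations behind Graphs 1 to 3 above (creation year, last known registrant country, number of historical records), the "newly registered" check, and the reverse WHOIS pivot on the registrant organization string are simple enough to reproduce on any set of historical WHOIS records. The script below is an added example written for this article; it is not code from the original post, from Microsoft, or from any WHOIS vendor. All records in it are constructed, the domain names and dates are hypothetical and are not the 42 seized domains, and the 90-day "newly registered" threshold and the pre-seizure cutoff date are assumptions chosen for illustration.

```python
"""Added example (not from the original post, Microsoft, or a WHOIS vendor):
the three aggregations behind Graphs 1-3, a domain-age check, and a
reverse-WHOIS style filter on the registrant organization string.

All records below are CONSTRUCTED for illustration. The domain names,
dates and registrants are hypothetical and are not the 42 seized domains.
"""
from collections import Counter, defaultdict
from datetime import date

# One tuple per historical WHOIS record (constructed sample):
# (domain, record_date, creation_date, registrant_country, registrant_org)
SAMPLE_RECORDS = [
    ("old-site.example",  date(2011, 4, 20),  date(2011, 4, 14),  "IT", "Example Org"),
    ("old-site.example",  date(2015, 6, 1),   date(2011, 4, 14),  "CN", "REDACTED FOR PRIVACY"),
    ("old-site.example",  date(2021, 12, 6),  date(2011, 4, 14),  "US", "Digital Crimes Unit"),
    ("fresh-c2.example",  date(2020, 3, 2),   date(2020, 2, 28),  "CN", "REDACTED FOR PRIVACY"),
    ("fresh-c2.example",  date(2021, 12, 6),  date(2020, 2, 28),  "US", "Digital Crimes Unit"),
    ("later-c2.example",  date(2020, 9, 10),  date(2020, 9, 9),   "CN", "REDACTED FOR PRIVACY"),
    ("unrelated.example", date(2019, 1, 1),   date(2018, 12, 30), "DE", "Someone Else"),
]

# Hypothetical dates used by the checks below (assumptions, not from the article).
SEIZURE_DATE = date(2021, 12, 1)   # ignore records on/after this to see the attacker-era registrant
OBSERVED_DATE = date(2020, 3, 15)  # date a domain was first seen in an attack


def records_by_domain(records):
    """Group records per domain, oldest record first."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec[0]].append(rec)
    for recs in grouped.values():
        recs.sort(key=lambda r: r[1])
    return grouped


def creation_year_breakdown(records):
    """Graph 1: number of domains created per year (each domain counted once)."""
    return Counter(recs[0][2].year for recs in records_by_domain(records).values())


def last_known_country(records, before=None):
    """Graph 2: registrant country on each domain's most recent record.

    Pass `before` to drop records dated on or after a seizure, so the
    pre-seizure (attacker-era) country is reported rather than the
    seizing party's.
    """
    result = {}
    for domain, recs in records_by_domain(records).items():
        history = [r for r in recs if before is None or r[1] < before]
        if history:
            result[domain] = history[-1][3]
    return result


def history_depth(records):
    """Graph 3: number of historical WHOIS records per domain."""
    return {d: len(recs) for d, recs in records_by_domain(records).items()}


def newly_registered(records, observed, max_age_days=90):
    """Domains registered at most `max_age_days` before `observed`.

    Domains created after `observed` are excluded (negative age), since a
    domain cannot have been used before it existed. The 90-day threshold
    is an assumption; tune it to your own baseline.
    """
    hits = []
    for domain, recs in records_by_domain(records).items():
        age = (observed - recs[0][2]).days
        if 0 <= age <= max_age_days:
            hits.append(domain)
    return sorted(hits)


def reverse_whois(records, needle):
    """Reverse WHOIS pivot: domains whose latest record's registrant
    organization contains `needle` (case-insensitive substring match)."""
    needle = needle.lower()
    return sorted(
        d for d, recs in records_by_domain(records).items()
        if needle in recs[-1][4].lower()
    )


if __name__ == "__main__":
    print("by creation year:", dict(creation_year_breakdown(SAMPLE_RECORDS)))
    print("last country (all records):", last_known_country(SAMPLE_RECORDS))
    print("last country (pre-seizure):", last_known_country(SAMPLE_RECORDS, before=SEIZURE_DATE))
    print("record counts:", history_depth(SAMPLE_RECORDS))
    print("new when observed:", newly_registered(SAMPLE_RECORDS, OBSERVED_DATE))
    print("registrant org pivot:", reverse_whois(SAMPLE_RECORDS, "digital crimes unit"))
```

The `before` cutoff in `last_known_country` is the detail that matters in practice: once a registrar transfers a seized domain to the seizing party, the newest record reflects that party, not the attacker, so the "last known registrant country" figure has to be read against the date of the record it came from, as the article does with its March to November 2021 window.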

As this article shows, WHOIS history can give additional insight into the rationale behind some security findings, such as why cybersecurity experts say Nickel is based in China. Reverse WHOIS lookups, meanwhile, let users pivot from a single registrant string to the rest of the related infrastructure for more in-depth investigations.

If you would like to conduct similar research, feel free to contact us. We are always on the lookout for potential research collaborations.