Threat actors reportedly attacked 29 government agencies worldwide in a recent malicious campaign. The attacks were attributed to China-based advanced persistent threat (APT) group Nickel, which has been known to trail its sights on governments and nongovernmental organizations (NGOs) across Europe, the Americas, and the Caribbean.

To date, Microsoft seized 42 domains that threat actors used for the attacks. We took a closer look at these web properties using WHOIS tools to find more information that may be useful for fellow researchers and IT security teams. Our findings include the below:

• Some of the 42 domains appeared to have rich WHOIS histories, with an average of nine WHOIS records each.
• A majority of the 42 domains were likely newly registered when they were used for targeted attacks.
• We found an additional 2,953 domains that Microsoft has seized over time.

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made them available to anyone interested. You may download the related threat research materials here.

What We Know So Far

Microsoft has been tracking Nickel since 2016, allowing it to collate the 42 domains that they sought to seize. They obtained seizure approval from a federal court in Virginia before proceeding with the process.

The Nickel attacks used hard-to-detect malware that allowed the threat actors to spy on and steal data from target organizations spread across 29 countries. Agencies in Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, the Czech Republic, the Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the U.K., the U.S., and Venezuela were among the group’s victims.

What WHOIS Intelligence Sources and OSINT Research Revealed

We began our in-depth look by subjecting the 42 seized domains to historical WHOIS searches. A majority of the domains were likely newly registered when they were used as threat vectors. But some may not have been new, such as the oldest domain, palazzochigi[.]com, which creation date goes as far back as 14 April 2011, five years before Nickel potentially began launching APTs. Chart 1 shows the analysis by domain creation date.

A majority of the domains (22 or 52%) were created in 2020. The remaining half of the sample were created over the past decade.

We also scrutinized the historical WHOIS records of the 42 seized domains and found that a huge bulk (31 or 74%) indicated China as their last known registrant country. Chart 2 shows the analysis based on the domains’ last known registrant country.

Owing to their age, the domains had an average of nine historical WHOIS records each. Chart 3 shows their ages in greater detail.

Most of the domains (9 or 21%) had nine historical WHOIS records since their creation date. The older a domain is, the greater its number of historical WHOIS records.

According to Microsoft, accessing the seized domains would lead to a backdoor infection, specifically by Backdoor:Win32/Leeson!MSR or the Leeson malware, which was detected on 30 November 2021. It comes disguised as legitimate applications and connects compromised systems to hardcoded command-and-control (C&C) servers. That allows threat actors to collect information, including their IP address, operating system (OS) version, system language ID, computer name, and the username of the current signed-in user.

The fact that the last known registrant country of close to a third of the sample was China is consistent with Nickel’s origin. The registrant countries’ names were obtained from historical WHOIS records dates between 17 March and 1 November 2021. These dates may coincide with the last time each domain was used in attacks. If that’s the case, then we can say that Nickel-instigated targeted attacks went on until last month, before Microsoft was given the authority to seize the group’s domains.

Microsoft, through its Digital Crimes Unit, has been seizing domains since its establishment way back in 2008. It focuses on seven areas, namely, business email compromise (BEC), malware, ransomware, tech support fraud, online child exploitation, business operations integrity, and technological advances. Part of its task is to take down components of threat infrastructures, including the 42 domains featured in this post.

The seized domains currently indicate “Digital Crimes Unit” as their registrant organization. They aren’t the only ones, though, based on the results of a reverse WHOIS search for the string. We found 2,953 other domains, which Microsoft has also seized in relation to several attacks. Examples include unicy[.]at, miniexchange[.]at, and optiker-gramm[.]at, which were connected to a botnet owned by a certain John Does.

WHOIS history, as we’ve seen in this post, can give us additional insights into the rationale behind certain security findings, such as why cybersecurity experts say Nickel originated from China. Reverse WHOIS searches, meanwhile, can help users as part of deeper researches to ensure better cybersecurity.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.