Chinese Hacking Group ‘TA416’ Return With a Golang PlugX Malware Loader
Last updated September 28, 2021
Microsoft announced that the Microsoft Digital Crimes Unit (DCU) took control of malicious websites used by a China-based hacker group to attack entities in 29 countries, including the US. This happened after a federal court in Virginia granted Microsoft's request on Monday to seize the websites, preventing the actors from accessing their victims or using the websites to carry out attacks. The group Microsoft names Nickel also goes by APT15, KE3CHANG, Royal APT, Vixen Panda, and Playful Dragon in other researchers' reports.
DCU said they believe these attacks were primarily used to gather intelligence from government agencies, think tanks, and human rights groups in both the private and public sectors, including diplomatic organizations and foreign affairs ministries across North America, Central America, South America, the Caribbean, and Europe.
The Microsoft Threat Intelligence Center (MSTIC) has been tracking this threat group since 2015, and it recently noted that the attacks are extremely sophisticated and use a variety of techniques, mostly intended to deploy hard-to-detect malware to aid intrusion, data theft, and surveillance. In some cases, the actors compromised VPNs or used stolen credentials obtained through spear-phishing.
Nickel malware has also been observed targeting unpatched Exchange Server and SharePoint systems, but Microsoft says no new vulnerabilities in its products are exploited in these attacks. The company also says Microsoft 365 Defender detects Nickel's malware and protects users from it.
Seizing the malicious websites and redirecting their traffic to Microsoft's secure servers protects existing and potential victims while letting Microsoft learn more about Nickel's activities. Although this disruption won't stop the actors from continuing their activities, it deprived them of a key infrastructure element they relied on for the last five attacks.
As a Microsoft report shows, when comparing compromised against targeted entities in the July 2020 - June 2021 period, Nickel succeeded at an astonishing rate of over 90%. Also, in April 2021, a Pulse Secure VPN 0-day exploit leveraged by Chinese nation-state threat actors was partly associated by Microsoft with Nickel. Chinese threat actors are expected to keep targeting entities to obtain information on investments and negotiations as China's influence continues to shift in Central and South American countries, some European countries, and countries that are partners in its Belt and Road Initiative.
The tech giant's DCU has so far taken down more than 10,000 malicious websites used by cybercriminals and nearly 600 used by state actors through 24 lawsuits, five of them against nation-state actors. Microsoft also reported that it had been able to block the registration of 600,000 domains that actors planned to use for malicious purposes.