Backdoor:Win32/Leeson!MSR

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Microsoft Defender Antivirus detects and removes this threat.

This threat is one of the malware families utilized by NICKEL for command-and-control (C2). It typically use the Internet Explorer (IE) COM interface to connect and receive commands from hardcoded C2 servers.

NICKEL is a nation-state threat actor targeting governments, diplomatic entities, and non-governmental organizations (NGOs) across Central and South America, the Caribbean, Europe, and North America. Read the following blog for details:

NICKEL targeting government organizations across Latin America and Europe

To help reduce the impact of this threat, you can:

Contact your incident response team and start the incident response process. If you don't have one, contact Microsoft support for investigation and remediation services.
Immediately isolate the affected device. If malicious code has been launched, it is likely that the device is under complete attacker control.
Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
Scope the incident. Find related devices, network addresses, and files in the incident graph.
Contain and mitigate the breach. Stop suspicious processes, isolate affected devices, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

Type	Indicator
SHA-256	02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2
SHA-256	0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c
SHA-256	0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c
SHA-256	10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95
SHA-256	12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21
SHA-256	1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49
SHA-256	22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844
SHA-256	259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef
SHA-256	26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822
SHA-256	35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2
SHA-256	3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838
SHA-256	3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65
SHA-256	3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6
SHA-256	3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1
SHA-256	3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90
SHA-256	6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b
SHA-256	6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce
SHA-256	7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0
SHA-256	926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c
SHA-256	95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a
SHA-256	a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b
SHA-256	afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a
SHA-256	b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124
SHA-256	c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa
SHA-256	c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda
SHA-256	ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94
SHA-256	ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6
SHA-256	d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce
SHA-256	d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6
SHA-256	e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba
Domain name	beesweiserdog[.]com
Domain name	bluehostfit[.]com
Domain name	business-toys[.]com
Domain name	cleanskycloud[.]com
Domain name	cumberbat[.]com
Domain name	czreadsecurity[.]com
Domain name	dgtresorgouv[.]com
Domain name	dimediamikedask[.]com
Domain name	diresitioscon[.]com
Domain name	elcolectador[.]com
Domain name	elperuanos[.]org
Domain name	eprotectioneu[.]com
Domain name	fheacor[.]com
Domain name	followthewaterdata[.]com
Domain name	francevrteepress[.]com
Domain name	futtuhy[.]com
Domain name	gardienweb[.]com
Domain name	heimflugaustr[.]com
Domain name	ivpsers[.]com
Domain name	jkeducation[.]org
Domain name	micrlmb[.]com
Domain name	muthesck[.]com
Domain name	netscalertech[.]com
Domain name	newgoldbalmap[.]com
Domain name	news-laestrella[.]com
Domain name	noticialif[.]com
Domain name	opentanzanfoundation[.]com
Domain name	optonlinepress[.]com
Domain name	palazzochigi[.]com
Domain name	pandemicacre[.]com
Domain name	papa-ser[.]com
Domain name	pekematclouds[.]com
Domain name	pipcake[.]com
Domain name	popularservicenter[.]com
Domain name	projectsyndic[.]com
Domain name	qsadtv[.]com
Domain name	sankreal[.]com
Domain name	scielope[.]com
Domain name	seoamdcopywriting[.]com
Domain name	slidenshare[.]com
Domain name	somoswake[.]com
Domain name	squarespacenow[.]com
Domain name	subapostilla[.]com
Domain name	suzukicycles[.]net
Domain name	tatanotakeeps[.]com
Domain name	tijuanazxc[.]com
Domain name	transactioninfo[.]net
Domain name	eurolabspro[.]com
Domain name	adelluminate[.]com
Domain name	headhunterblue[.]com
Domain name	primenuesty[.]com

Backdoor:Win32/Leeson!MSR

Summary

What to do now

Technical information

Threat behavior

Indicators of compromise (IOC)

Prevention

Symptoms