ESET Research, a leading cybersecurity firm, has revealed the existence of a previously unknown cyberespionage group named MoustachedBouncer. The group, named after its association with Belarus, is believed to align with the interests of the local government. Operating since at least 2014, MoustachedBouncer’s primary targets are foreign embassies in Belarus, with a focus on European diplomatic missions. The findings were unveiled exclusively during the Black Hat USA 2023 conference on August 10, 2023, by ESET researcher Matthieu Faou.
The group’s activities involve conducting adversary-in-the-middle (AitM) attacks at the Internet Service Provider (ISP) level within Belarus. These attacks enable MoustachedBouncer to compromise its targets with increased efficiency. ESET has identified two distinct toolsets employed by the group, named NightClub and Disco.
ESET’s telemetry indicates that MoustachedBouncer exclusively targets foreign embassies in Belarus. The group’s reach extends to embassies from four countries: two from Europe, one from South Asia, and one from Africa. ESET’s assessment suggests that the group is likely aligned with Belarus’ interests and specializes in espionage directed at foreign embassies within the country.
MoustachedBouncer employs advanced techniques for Command and Control (C&C) communications, including network interception at the ISP level for the Disco implant. The NightClub implant utilizes email for communication, and a NightClub plugin employs DNS for C&C purposes.

[Figure: MoustachedBouncer compromise via AitM scenario]
Although MoustachedBouncer is tracked as a distinct entity, ESET has identified indicators hinting at potential collaboration with another espionage group, Winter Vivern. Winter Vivern has targeted government personnel in European nations like Poland and Ukraine throughout 2023.
MoustachedBouncer’s modus operandi involves tampering with victims’ internet access, potentially at the ISP level. This manipulation tricks Windows into perceiving it’s behind a captive portal. The group redirects network traffic to a fraudulent Windows Update page for specific IP ranges they target. This “adversary-in-the-middle” technique is reminiscent of tactics employed by threat actors such as Turla and StrongPity.
While the possibility of router compromise can’t be ruled out, ESET asserts that the traffic manipulation likely occurs at the ISP level, given the presence of lawful interception capabilities in Belarus.
ESET’s analysis shows that MoustachedBouncer’s malware families have evolved since 2014, with a significant shift occurring in 2020. The group began employing adversary-in-the-middle attacks, enhancing their operational effectiveness. MoustachedBouncer utilizes both the Disco and NightClub implants in parallel but only deploys one on a specific machine. Disco is believed to work alongside AitM attacks, while NightClub is used for victims utilizing end-to-end encrypted VPNs that route internet traffic outside Belarus.
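The AitM technique described above works by answering Windows' connectivity probe in a way that makes the system believe it sits behind a captive portal, so that the captive-portal browser opens and displays the attacker's fake Windows Update page. A defender can test the same probe from a machine on the suspect network and check for exactly that tampering. The script below is an added example, not ESET's tooling: the probe URL and expected body are Microsoft's documented NCSI values, the sample responses are constructed, and the `.invalid` hostname in the hijacked sample is a placeholder.

```python
"""Check whether the Windows NCSI connectivity probe is being tampered with.

Added example (not ESET code). Windows fetches NCSI_URL and expects the
plain-text body NCSI_EXPECTED_BODY; a redirect or a different body makes
it assume a captive portal. The sample responses are constructed.
"""
import urllib.error
import urllib.request

NCSI_URL = "http://www.msftconnecttest.com/connecttest.txt"
NCSI_EXPECTED_BODY = "Microsoft Connect Test"

# Constructed responses: (status, headers, body).
SAMPLE_RESPONSES = {
    "clean": (200, {"Content-Type": "text/plain"}, "Microsoft Connect Test"),
    # Placeholder hostname; stands in for an attacker-controlled page.
    "hijacked": (302, {"Location": "http://update-page.invalid/"}, ""),
    "injected_page": (200, {"Content-Type": "text/html"}, "<html>not the probe body</html>"),
}


def classify_probe(status, headers, body):
    """Classify one HTTP response to the NCSI probe.

    Returns "ok", "redirect" (captive-portal style hijack), "body-mismatch"
    (content injected in transit) or "http-error".
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 or "location" in hdrs:
        return "redirect"
    if status != 200:
        return "http-error"
    if body.strip() != NCSI_EXPECTED_BODY:
        return "body-mismatch"
    return "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects; surface them to the caller as HTTPError."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_live(timeout=5):
    """Fetch the real probe once and classify the answer (network required)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(NCSI_URL, headers={"User-Agent": "Microsoft NCSI"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_probe(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as e:
        return classify_probe(e.code, dict(e.headers), "")


if __name__ == "__main__":
    for name, (status, headers, body) in SAMPLE_RESPONSES.items():
        print(f"{name:14s} -> {classify_probe(status, headers, body)}")
    print("live probe     ->", probe_live())
```

A "redirect" or "body-mismatch" verdict on a network that should have direct internet access is the signal the article describes; comparing the result over the local link with the result through an end-to-end encrypted VPN to a trusted location shows whether the tampering sits on the path, which is the mitigation Faou recommends.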
Matthieu Faou, ESET researcher, emphasizes the importance of heightened cybersecurity measures, stating, “Organizations in countries where the internet cannot be trusted should use an end-to-end encrypted VPN tunnel to a trusted location for all their internet traffic.” Faou also underscores the significance of utilizing updated computer security software.
The NightClub implant employs free email services, including Seznam.cz and Mail.ru, to exfiltrate data. ESET believes the attackers created their email accounts instead of compromising legitimate ones. NightClub’s capabilities encompass file theft, drive monitoring, audio recording, screenshot capture, and keystroke logging.
The discovery of MoustachedBouncer highlights the evolving landscape of cyberespionage and underscores the critical importance of advanced cybersecurity measures for organizations operating in potentially compromised online environments.