A hacking group referred to as ‘MoustachedBouncer’ has caught the attention of cybersecurity researchers. It has executed a series of adversary-in-the-middle (AitM) attacks aimed at foreign embassies in Belarus.
According to a report from ESET, released today, the group has been launching these campaigns since at least 2014, and its activity involving Belarusian ISPs has been observed since 2020.
MoustachedBouncer’s Signature Malware
NightClub and Disco
The group is known for two specific malware frameworks. They are ‘NightClub,’ in operation since 2014, and ‘Disco,’ launched in 2020. These frameworks have been essential tools for capturing data, taking screenshots, and recording audio, among other things.
Utilizing AitM Attacks
The group’s recent approach relies on AitM attacks at the ISP level: the targeted Windows 10 installation is tricked into believing it sits behind a captive portal.
The ISPs affected by MoustachedBouncer’s activities include Beltelecom, a state-owned company, and Unitary Enterprise AI, a prominent private firm.
Manipulating Traffic: An Inside Look at AitM Attacks
ESET believes the attackers achieve this through traffic manipulation, either by breaching ISP infrastructure or by collaborating with people who have access to Belarus’ network service providers.
For targeted IP ranges, network traffic is altered at the ISP level so that the victim is redirected to a seemingly legitimate but fake Windows Update URL.
Upon connecting to the network, the victim is shown the fake Windows Update page, which leads them to download a ZIP file. This file contains Go-based malware that executes every minute.
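The captive-portal trick above works because Windows decides whether it is behind a portal by fetching a small connectivity probe (NCSI): Windows 10 requests http://www.msftconnecttest.com/connecttest.txt and expects a 200 response whose body is exactly "Microsoft Connect Test"; a redirect or a different body is what makes Windows pop the "sign in to network" page. The following is an added example, not code from ESET or the original article, showing how a defender can re-run that probe without following redirects and classify the answer, plus a heuristic for redirect targets that imitate a Windows Update host. The allowlist of legitimate suffixes and all sample responses are constructed assumptions for the example.

```python
"""Heuristic integrity check for Windows' NCSI connectivity probe.

Fact used: Windows 10 fetches NCSI_PROBE_URL and expects status 200 with the
body "Microsoft Connect Test". Any redirect, other status or other body is how
Windows concludes it is behind a captive portal, which is the behaviour an
ISP-level AitM attacker abuses. Sample responses below are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse
import urllib.error
import urllib.request

NCSI_PROBE_URL = "http://www.msftconnecttest.com/connecttest.txt"
NCSI_EXPECTED_BODY = "Microsoft Connect Test"

# Assumption for this example: hosts under these suffixes are genuine
# Microsoft update infrastructure; extend to what your environment trusts.
LEGIT_UPDATE_SUFFIXES = ("microsoft.com", "windowsupdate.com")
UPDATE_TOKENS = ("windowsupdate", "windows-update", "microsoft")


@dataclass
class ProbeResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Refuse to follow redirects so a 3xx is reported as-is instead of
    # silently landing on the portal page.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_probe(url=NCSI_PROBE_URL, timeout=5):
    """Fetch the NCSI probe (needs network); 3xx answers are returned, not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return ProbeResponse(resp.status, dict(resp.headers),
                                 resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # urllib raises HTTPError for the unfollowed redirect and for 4xx/5xx
        return ProbeResponse(err.code, dict(err.headers),
                             err.read().decode("utf-8", "replace"))


def is_update_lookalike(host):
    """True for hostnames that imitate Windows Update but are not on the allowlist."""
    host = host.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in LEGIT_UPDATE_SUFFIXES):
        return False
    return any(tok in host for tok in UPDATE_TOKENS)


def classify_probe(resp):
    """Return a list of findings; an empty list means the probe looks intact."""
    findings = []
    location = resp.headers.get("Location") or resp.headers.get("location")
    if 300 <= resp.status < 400:
        target = urlparse(location or "").netloc.lower()
        findings.append(f"redirect {resp.status} to host {target or '?'}")
        if target and is_update_lookalike(target):
            findings.append("redirect target mimics a Windows Update host")
    elif resp.status != 200:
        findings.append(f"unexpected status {resp.status}")
    elif resp.body.strip() != NCSI_EXPECTED_BODY:
        findings.append(f"unexpected body {resp.body.strip()[:40]!r}")
    return findings


# Constructed sample responses: one clean, one portal-style redirect, one
# in-place content swap (no redirect, but an HTML page instead of the token).
SAMPLES = {
    "clean": ProbeResponse(200, {}, "Microsoft Connect Test\n"),
    "redirect": ProbeResponse(302, {"Location": "http://updates.windows-update.example.test/login"}, ""),
    "swapped": ProbeResponse(200, {"Content-Type": "text/html"}, "<html><body>Windows Update</body></html>"),
}


def run_samples(samples=SAMPLES):
    """Classify every sample; returns {name: findings}."""
    return {name: classify_probe(resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

In practice you would run `fetch_probe()` from the embassy network and from a VPN-tunnelled path and compare; a difference between the two is the signal, since a genuine captive portal looks the same from every vantage point on that network, whereas ISP-level tampering of targeted ranges does not.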
The malware payloads include variations of ‘NightClub’ and ‘Disco.’ These have shown significant evolution over the years.
NightClub Malware: An In-depth Look
NightClub was the espionage group’s initial malware framework; ESET’s analysts have tracked it since 2014.
Early versions of NightClub were used for file monitoring and email exfiltration, and they communicated with command-and-control servers.
The newest version, used between 2020 and 2022, brings new capabilities. These include taking screenshots, recording audio, keylogging, and establishing DNS-tunneling backdoors.
The latest NightClub version incorporates a hardcoded private RSA-2048 key and encrypts its strings, while storing its configuration in an external file, adding stealth and adaptability.
Disco Malware: A New Addition
Disco, a newer malware framework, came to light in 2020. It is delivered through the aforementioned AitM-based attack chain.
The malware has capabilities such as:
- Taking screenshots every 15 seconds
- Executing PowerShell scripts
- Exploiting specific vulnerabilities to elevate privileges
- Setting up reverse proxies
Disco uses SMB (Server Message Block) shares for data exfiltration, which avoids direct transfers to the C2 server.
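Because the collected data travels over SMB rather than straight to a C2 server, the network signal a defender can look for is a workstation writing an unusual volume to a share, especially a share on a host that is not a sanctioned file server. The following added example (not code from ESET or the article) shows that hunt over a few constructed log lines in a deliberately simple space-separated format; the sanctioned-server list, the window, the byte threshold and the log format are all assumptions for the example, and a real deployment would map them onto the fields of your own SMB telemetry.

```python
"""Hunt for bulk SMB writes that may be staging of collected data on a share.

Constructed log format (one event per line; not any product's real schema):
    <epoch_seconds> <client_ip> <server_ip> <share> <action> <bytes>
Assumptions: KNOWN_FILE_SERVERS lists the hosts users are expected to write
to; WINDOW_SECONDS and BYTES_THRESHOLD are tuning values for the example.
"""
from collections import defaultdict

KNOWN_FILE_SERVERS = {"10.0.0.5"}   # assumption: sanctioned file servers
WINDOW_SECONDS = 300                # sliding window for summing writes
BYTES_THRESHOLD = 5_000_000         # alert when a client writes this much per window
WRITE_ACTIONS = {"WRITE"}

# Constructed sample: 10.0.1.20 pushes ~7 MB to an unsanctioned host in two
# minutes; 10.0.1.21 does normal small writes to the sanctioned file server;
# a READ and a malformed line are present to show they are ignored.
SAMPLE_LOG = """\
1690000000 10.0.1.20 10.0.0.9 public WRITE 1200000
1690000020 10.0.1.20 10.0.0.9 public WRITE 1200000
1690000040 10.0.1.20 10.0.0.9 public WRITE 1200000
1690000060 10.0.1.20 10.0.0.9 public WRITE 1200000
1690000080 10.0.1.20 10.0.0.9 public WRITE 1200000
1690000100 10.0.1.20 10.0.0.9 public WRITE 1200000
1690000030 10.0.1.21 10.0.0.5 docs WRITE 100000
1690000090 10.0.1.21 10.0.0.5 docs WRITE 100000
1690000095 10.0.1.21 10.0.0.5 docs READ 9000000
this line is malformed
"""


def parse_line(line):
    """Parse one event line; returns a dict or None for malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        ts, nbytes = int(parts[0]), int(parts[5])
    except ValueError:
        return None
    return {"ts": ts, "client": parts[1], "server": parts[2],
            "share": parts[3], "action": parts[4], "bytes": nbytes}


def find_bulk_writers(lines, window=WINDOW_SECONDS, threshold=BYTES_THRESHOLD,
                      sanctioned=KNOWN_FILE_SERVERS):
    """Return one alert per (client, server, share) whose peak write volume
    inside any `window`-second span reaches `threshold`."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] in WRITE_ACTIONS:
            events[(ev["client"], ev["server"], ev["share"])].append((ev["ts"], ev["bytes"]))

    alerts = []
    for (client, server, share), evs in events.items():
        evs.sort()                       # sliding window needs time order
        start, running, best, best_start = 0, 0, 0, None
        for ts, nbytes in evs:
            running += nbytes
            while evs[start][0] < ts - window:   # drop events outside the window
                running -= evs[start][1]
                start += 1
            if running > best:
                best, best_start = running, evs[start][0]
        if best >= threshold:
            alerts.append({"client": client, "server": server, "share": share,
                           "bytes": best, "window_start": best_start,
                           "unsanctioned_server": server not in sanctioned})
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_writers(SAMPLE_LOG.splitlines()):
        print(alert)
```

The `unsanctioned_server` flag is the more useful of the two signals: a large write to the corporate file server is normal, while a large write to a share on some other host, combined with the absence of matching outbound C2 traffic, is the shape of the staging step this section describes.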
Final Note: Protecting Diplomats from AitM Attacks
MoustachedBouncer’s C2 infrastructure remains hidden from the public internet, keeping it out of reach of security researchers and takedown efforts.
ESET strongly advises diplomats and embassy employees in Belarus to use end-to-end encrypted VPN tunnels, which allow them to access the internet securely and shield them against AitM attacks.
In conclusion, the MoustachedBouncer hacking group represents a new cyberthreat. Their methods and continual evolution underscore the importance of vigilant cybersecurity measures and ongoing awareness.