Researchers at ESET have uncovered several cyber espionage campaigns carried out by the MoustachedBouncer group, which is linked to the Belarusian government. These cyber criminals used a variety of techniques to target foreign embassies in the country, using the NightClub and Disco malware, leaverage on several techniques including Adversary-in-The-Middle (AiTM) tactics carried out in cooperation with certain Internet Service Providers (ISPs).

image

According to ESET’s findings, MoustachedBouncer has been manipulating traffic at the ISP level to display a fake Windows update through a captive portal. The two ISPs involved are Beltelecom (state-controlled) and Unitary Enterprise AI (private). It is suspected that the cyber criminals have gained control of their infrastructure or received direct assistance. The fake update page is only displayed when the internet is accessed from the embassies. image

When an unsuspecting victim clicks on the download button, a ZIP archive containing a fake installer is downloaded. This installer creates a scheduled task and downloads the NightClub and Disco malware loaders.

image

NightClub has the ability to read emails, capture screenshots, record audio and keystrokes and send all this data to the command and control (C2) server.

Disco provides several plugins: it can capture screenshots every 15 seconds, run PowerShell scripts, exploit an older Windows vulnerability to gain elevated privileges and set up a reverse proxy. This malware uses the SMB protocol for data exfiltration, eliminating the need for a separate C2 server.

Indicators of Compromise

SHA-1/IP/Domain/Email
02790DC4B276DFBB26C714F29D19E53129BB6186
6EFF58EDF7AC0FC60F0B8F7E22CFE243566E2A13
E65EB4467DDB1C99B09AE87BA0A964C36BAB4C30
3A9B699A25257CBD0476CB1239FF9B25810305FE
19E3D06FBE276D4AAEA25ABC36CC40EA88435630
52BE04C420795B0D9C7CD1A4ACBF8D5953FAFD16
0241A01D4B03BD360DD09165B59B63AC2CECEAFB
A01F1A9336C83FFE1B13410C93C1B04E15E2996C
C2AA90B441391ADEFAA3A841AA8CE777D6EC7E18
C5B2323EAE5E01A6019931CE35FF7623DF7346BA
C46CB98D0CECCB83EC7DE070B3FA7AFEE7F41189
A3AE82B19FEE2756D6354E85A094F1A4598314AB
4F1CECF6D05571AE35ED00AC02D5E8E0F878A984
0DAEA89F91A55F46D33C294CFE84EF06CE22E393
11CF38D971534D9B619581CEDC19319962F3B996
F92FE4DD679903F75ADE64DC8A20D46DFBD3B277
6999730D0715606D14ACD19329AF0685B8AD0299
6E729E84C7672F048ED8AE847F20A0219E917FA3
0401EE7F3BC384734BF7E352C4C4BC372840C30D
5B55250CC0DA407201B5F042322CFDBF56041632
D14D9118335C9BF6633CB2A41023486DACBEB052
E6DE72516C1D4338D7E45E028340B54DCDC7A8AC
3AD77281640E7BA754E9B203C8B6ABFD3F6A7BDD
142FF0770BC6E3D077FBB64D6F23499D9DEB9093
FE9527277C06D7F986161291CE7854EE79788CB8
92115E21E565440B1A26ECC20D2552A214155669
DE0B38E12C0AF0FD63A67B03DD1F8C1BF7FA6128
D2B715A72BBA307CC9BF7690439D34F62EDF1324
DF8DED42F9B7DE1F439AEC50F9C2A13CD5EB1DB6
185.87.148[.]86
185.87.151[.]130
45.136.199[.]67
45.136.199[.]129
24.9.51[.]94
35.214.56[.]2
38.9.8[.]78
52.3.8[.]25
59.6.8[.]25
209.19.37[.]184
fhtgbbwi@mail[.]ru
nvjfnvjfnjf@mail[.]ru
glen.morriss75@seznam[.]cz
SunyaF@seznam[.]cz
windows.network.troubleshooter[.]com
updates.microsoft[.]com

MITRE ATT&CK techniques

Tactic ID Name Description
Reconnaissance T1590.005 Gather Victim Network Information: IP Addresses MoustachedBouncer operators have collected IP addresses, or address blocks, of their targets in order to modify network traffic for just those addresses.
Initial Access T1189 Drive-by Compromise Disco is delivered via a fake Windows Update website.
Execution T1204.002 User Execution: Malicious File Disco needs to be manually executed by the victim.
Persistence T1053.005 Scheduled Task/Job: Scheduled Task Disco persists as a scheduled task that downloads an executable from a “fake” SMB share every minute.
  T1543.003 Create or Modify System Process: Windows Service NightClub persists as a ServiceDll of a service named WmdmPmSp.
Privilege Escalation T1068 Exploitation for Privilege Escalation Disco has a plugin to exploit the CVE-2021-1732 local privilege escalation vulnerability.
Defense Evasion T1140 Deobfuscate/Decode Files or Information Since 2020, NightClub has used an external configuration file encrypted with RSA.
Collection T1005 Data from Local System NightClub steals recent files from the local system.
  T1025 Data from Removable Media NightClub steals files from the local system.
  T1056.001 Input Capture: Keylogging NightClub has a plugin to record keystrokes.
  T1113 Screen Capture NightClub and Disco each have a plugin to take screenshots.
  T1123 Audio Capture NightClub has a plugin to record audio.
Command and Control T1071.002 Application Layer Protocol: File Transfer Protocols Disco communicates via the SMB protocol.
  T1071.003 Application Layer Protocol: Mail Protocols NightClub communicates via the SMTP protocol.
  T1071.004 Application Layer Protocol: DNS One of the NightClub plugins is a backdoor that communicates via DNS.
  T1132.001 Data Encoding: Standard Encoding NightClub encodes files, attached to email, in base64.
  T1132.002 Data Encoding: Non-Standard Encoding NightClub encodes commands and responses sent via its DNS C&C channel with a modified form of base64.
  T1573.001 Encrypted Channel: Symmetric Cryptography NightClub receives plugins in email attachments, encrypted using AES-CBC.
  T1557 Adversary-in-the-Middle MoustachedBouncer has performed AitM at the ISP level to redirect its targets to a fake Windows Update page. It has also done AitM on the SMB protocol to deliver malicious files from “fake” servers.
Exfiltration T1041 Exfiltration Over C2 Channel NightClub and Disco exfiltrate data over the C&C channel (SMTP, SMB, and DNS).
Impact T1565.002 Data Manipulation: Transmitted Data Manipulation MoustachedBouncer has modified the HTTP traffic from specific IP addresses at the ISP level in order to redirect its targets to a fake Windows Update page.