Researchers at ESET have uncovered several cyber espionage campaigns carried out by the MoustachedBouncer group, which is linked to the Belarusian government. These cyber criminals used a variety of techniques to target foreign embassies in the country, using the NightClub and Disco malware, leaverage on several techniques including Adversary-in-The-Middle (AiTM) tactics carried out in cooperation with certain Internet Service Providers (ISPs).
According to ESET’s findings, MoustachedBouncer has been manipulating traffic at the ISP level to display a fake Windows update through a captive portal. The two ISPs involved are Beltelecom (state-controlled) and Unitary Enterprise AI (private). It is suspected that the cyber criminals have gained control of their infrastructure or received direct assistance. The fake update page is only displayed when the internet is accessed from the embassies.
When an unsuspecting victim clicks on the download button, a ZIP archive containing a fake installer is downloaded. This installer creates a scheduled task and downloads the NightClub and Disco malware loaders.
NightClub has the ability to read emails, capture screenshots, record audio and keystrokes and send all this data to the command and control (C2) server.
Disco provides several plugins: it can capture screenshots every 15 seconds, run PowerShell scripts, exploit an older Windows vulnerability to gain elevated privileges and set up a reverse proxy. This malware uses the SMB protocol for data exfiltration, eliminating the need for a separate C2 server.
Indicators of Compromise
MITRE ATT&CK techniques
|Reconnaissance||T1590.005||Gather Victim Network Information: IP Addresses||MoustachedBouncer operators have collected IP addresses, or address blocks, of their targets in order to modify network traffic for just those addresses.|
|Initial Access||T1189||Drive-by Compromise||Disco is delivered via a fake Windows Update website.|
|Execution||T1204.002||User Execution: Malicious File||Disco needs to be manually executed by the victim.|
|Persistence||T1053.005||Scheduled Task/Job: Scheduled Task||Disco persists as a scheduled task that downloads an executable from a “fake” SMB share every minute.|
|T1543.003||Create or Modify System Process: Windows Service||NightClub persists as a ServiceDll of a service named WmdmPmSp.|
|Privilege Escalation||T1068||Exploitation for Privilege Escalation||Disco has a plugin to exploit the CVE-2021-1732 local privilege escalation vulnerability.|
|Defense Evasion||T1140||Deobfuscate/Decode Files or Information||Since 2020, NightClub has used an external configuration file encrypted with RSA.|
|Collection||T1005||Data from Local System||NightClub steals recent files from the local system.|
|T1025||Data from Removable Media||NightClub steals files from the local system.|
|T1056.001||Input Capture: Keylogging||NightClub has a plugin to record keystrokes.|
|T1113||Screen Capture||NightClub and Disco each have a plugin to take screenshots.|
|T1123||Audio Capture||NightClub has a plugin to record audio.|
|Command and Control||T1071.002||Application Layer Protocol: File Transfer Protocols||Disco communicates via the SMB protocol.|
|T1071.003||Application Layer Protocol: Mail Protocols||NightClub communicates via the SMTP protocol.|
|T1071.004||Application Layer Protocol: DNS||One of the NightClub plugins is a backdoor that communicates via DNS.|
|T1132.001||Data Encoding: Standard Encoding||NightClub encodes files, attached to email, in base64.|
|T1132.002||Data Encoding: Non-Standard Encoding||NightClub encodes commands and responses sent via its DNS C&C channel with a modified form of base64.|
|T1573.001||Encrypted Channel: Symmetric Cryptography||NightClub receives plugins in email attachments, encrypted using AES-CBC.|
|T1557||Adversary-in-the-Middle||MoustachedBouncer has performed AitM at the ISP level to redirect its targets to a fake Windows Update page. It has also done AitM on the SMB protocol to deliver malicious files from “fake” servers.|
|Exfiltration||T1041||Exfiltration Over C2 Channel||NightClub and Disco exfiltrate data over the C&C channel (SMTP, SMB, and DNS).|
|Impact||T1565.002||Data Manipulation: Transmitted Data Manipulation||MoustachedBouncer has modified the HTTP traffic from specific IP addresses at the ISP level in order to redirect its targets to a fake Windows Update page.|