Tuesday, December 3, 2024
HomeCyber AttackMoustachedBouncer Attacking Foreign Embassies Using NightClub and Disco Hacking Tools

MoustachedBouncer Attacking Foreign Embassies Using NightClub and Disco Hacking Tools

Published on

SIEM as a Service

MoustachedBouncer, a cyberespionage group active since 2014, likely has performed ISP-level adversary-in-the-middle (AitM) attacks since 2020 to compromise its targets.

For AitM, the MoustachedBouncer employs a lawful interception system like “SORM,” and besides this, it uses two toolsets that we have mentioned below:-

  • NightClub
  • Disco

Cybersecurity researchers at ESET recently identified that MoustachedBouncer, reportedly backed by Belarus, targets foreign diplomats using its two toolsets that we have mentioned above from the following countries for nearly a decade:-

- Advertisement - SIEM as a Service
  • Europe
  • South Asia
  • Africa 
Document
FREE Webinar

API Security Fundamentals: How to Discover, Scan and Protect APIs

API Attacks Have Increased by 400% – Understand the Fundamentals of Protecting Your APIs with a Positive Security Model – Register Now for a Free Webinar

MoustachedBouncer Attacking Foreign Embassies

While it’s been suspected that MoustachedBouncer collaborated with Winter Vivern, active since 2021. Not only that even they also manipulated the victim’s ISP access and tricked the Windows 10 operating system with the imprisoned portal illusion.

ESET telemetry shows MoustachedBouncer targets embassies in Belarus, with staff from four countries affected:-

  • Two from European
  • One from South Asian
  • One from African
MoustachedBouncer activity timeline (Source – ESET)

Over time, the TTPs of the group evolved dramatically and it’s been active from 2014 to 2022. However, the AitM attacks by the group are observed in 2020, but, here the exceptional thing is that the targeted verticals remain the same.

MoustachedBouncer manipulates ISP to redirect victims in targeted IP ranges to deceptive, genuine-looking Windows Update URLs that we have mentioned below:-

  • http://updates.microsoft[.]com/

Victims encounter fake Windows Update pages with urgent security alerts, in which users are provided with a button that is dubbed “Get updates,” clicking on it triggers malicious file download through executed JavaScript.

Fake Windows Update Page (Source – ESET)

MoustachedBouncer’s AitM technique resembles Turla and StrongPity, which trojanize installers at the ISP level, similar to MoustachedBouncer’s approach.

Compromise via AitM (Source – ESET)

It’s been suspected that the collaboration of MoustachedBouncer with Belarusian ISPs for a legal intercept system is completely similar to Russia’s SORM, executed by a 2016 mandate requiring telecom providers’ compatibility.

The HTML page fetches JavaScript from http://updates.microsoft[.]com/jdrop.js, scheduling function ‘jdrop’ after one second, which displays a modal with a ‘Get updates’ button.

jdrop function (Source – ESET)

Moreover, the MoustachedBouncer uses two implant families in parallel but deploys only one on a machine like:-

  • Disco likely used with AitM
  • NightClub for VPN-protected victims outside Belarus

Apart from this, NightClub has two primary capabilities, and here below we have mentioned them:-

  • Monitoring files
  • Exfiltrating data via SMTP (email)

All these key factors confirm that MoustachedBouncer is a skilled threat actor and actively targets the diplomats in Belarus by employing advanced techniques for C&C communication.

Advanced techniques that are observed:-

  • For ISP-level interception it used Disco
  • For emails, it used NightClub
  • For DNS, it used the NightClub plugin

ESET started investigating in Feb 2022, finding a cyberattack on a European embassy. Analyzing the malware revealed a track dating to 2014, showcasing the group’s stealth in targeting diplomats.

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...