In a revelation made during Black Hat USA, cybersecurity provider ESET unveiled the discovery of a novel threat actor engaged in cyber espionage campaigns targeting multiple embassies in Belarus.
The cybersecurity firm began tracking the activity of the group, dubbed MoustachedBouncer, in 2018 when it detected that cyber espionage campaigns targeted one of its clients, a European embassy in Belarus.
At that time, MoustachedBouncer had primarily been using a malware framework ESET named NightClub because it contains a C++ class called ‘nightclub.’
From a simple backdoor in 2014, NightClub evolved into a fully modular C++ implant that uses email for its command-and-control (C&C) communications. Specifically, NightClub uses free email services to exfiltrate data, namely the Czech webmail service Seznam.cz and the Russian Mail.ru webmail provider. ESET believes the attackers created their own email accounts instead of compromising legitimate ones.
Since 2016, additional modules could be delivered by email to extend its spying capabilities, including audio recording, taking screenshots and logging keystrokes.
ESET researcher Matthieu Faou estimated that the group is very likely aligned with the Belarusian regime, especially since the Russian invasion of Ukraine.
“We lost track of the group in 2020, then it reappeared on our radar in February 2022, when it targeted the Belarusian embassy of a European country somehow involved with the war, just four days before the Russian invasion of Ukraine,” Faou told Infosecurity, declining to name the country.
Sophisticated Adversary-in-the-Middle Attacks
However, MoustachedBouncer’s techniques, tactics and procedures (TTPs) have evolved. In 2020, the group started using a second implant, Disco, a simple dropper written in Go and designed to exfiltrate data.
They also started conducting adversary-in-the-middle (AitM) attacks alongside implanting backdoors.
“An AITM consists in having an attacker positioned between two network devices, which can listen to the network traffic, collect information exchanged and even modify network packets and inject new packets if the communications are not encrypted,” Faou told Infosecurity.
This method can be deployed at the router level or at the internet service provider (ISP) level, where it is sometimes called a ‘lawful interception system.’ This is one of the techniques ISPs use when authoritarian regimes impose an internet shutdown.
“While the compromise of routers in order to conduct AitM on embassy networks cannot be fully discarded, the presence of lawful interception capabilities in Belarus suggests the traffic mangling is happening at the ISP level rather than on the targets’ routers,” the ESET researcher explained.
Russian-Inspired Surveillance Systems
MoustachedBouncer leverages a surveillance system called SORM, under which Belarusian ISPs have been required to install interception devices since at least 2016, similar to Russia’s TSPU system.
ESET believes this system has allowed MoustachedBouncer to perform HTTP redirections that deliver a dropper developed in C#, named SharpDisco.
“To compromise their targets, MoustachedBouncer operators tamper with their victims’ internet access to make Windows believe it’s behind a captive portal. For IP ranges targeted by MoustachedBouncer, network traffic is redirected to a seemingly legitimate, but fake, Windows Update page,” Faou said.
“This AitM scenario reminds us of the Turla and StrongPity threat actors, who have trojanized software installers on the fly at the ISP level.”
The primary mitigation measure is to use full tunnel virtual private networks (VPNs).
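The captive-portal trick described above works because Windows probes a fixed plain-HTTP URL to decide whether it has internet access, and treats a redirect or an altered body as a sign of a captive portal. The following detector, an added example and not ESET’s or the article’s code, scans constructed egress-proxy log lines for exactly that anomaly. The log format is an assumption for this example; the probe URLs and expected bodies are the documented Windows NCSI values.

```python
import re
from dataclasses import dataclass

# Windows' Network Connectivity Status Indicator (NCSI) fetches these plain-HTTP
# probe URLs and expects an HTTP 200 with a fixed body. A redirect or a different
# body makes Windows conclude it is behind a captive portal and open the page it
# was sent to, which is the behaviour the article says is abused to present a
# fake Windows Update page. On a network where these probes never legitimately
# deviate, any deviation is worth an alert.
NCSI_PROBES = {
    ("www.msftconnecttest.com", "/connecttest.txt"): "Microsoft Connect Test",
    ("www.msftncsi.com", "/ncsi.txt"): "Microsoft NCSI",
}

# Constructed log format (an assumption for this example, not a real product's):
# <timestamp> <client_ip> <host> <path> <status> <location-or-"-"> "<body snippet>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) (?P<location>\S+) "(?P<body>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    client: str
    probe: str
    reason: str


def check_line(line: str):
    """Return a Finding if the line is an NCSI probe whose answer was tampered with."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or foreign format; ignore rather than crash
    key = (m["host"], m["path"])
    expected = NCSI_PROBES.get(key)
    if expected is None:
        return None  # not a connectivity probe, out of scope for this detector
    status = int(m["status"])
    probe = f"http://{key[0]}{key[1]}"
    if 300 <= status < 400:
        # The classic captive-portal signal: the probe is bounced elsewhere.
        return Finding(m["client"], probe, f"redirected ({status}) to {m['location']}")
    if status == 200 and m["body"] != expected:
        # 200 but not the canonical body: content was rewritten in transit.
        return Finding(m["client"], probe, f"unexpected body {m['body']!r}")
    if status != 200:
        return Finding(m["client"], probe, f"unexpected status {status}")
    return None


def scan(lines):
    """Run check_line over an iterable of log lines and collect the findings."""
    return [f for f in (check_line(line) for line in lines) if f is not None]


# Constructed sample log: one clean probe, one redirected probe, one rewritten
# body, one unrelated request and one malformed line.
SAMPLE_LOG = [
    '2024-05-01T08:00:01Z 10.0.5.12 www.msftconnecttest.com /connecttest.txt 200 - "Microsoft Connect Test"',
    '2024-05-01T08:00:02Z 10.0.5.12 www.msftconnecttest.com /connecttest.txt 302 http://updates.example.invalid/ "Object moved"',
    '2024-05-01T08:00:03Z 10.0.5.13 www.msftncsi.com /ncsi.txt 200 - "<html>Please install the update</html>"',
    '2024-05-01T08:00:04Z 10.0.5.13 www.example.com /index.html 200 - "hello"',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.client} probe {finding.probe}: {finding.reason}")
```

The detector deliberately ignores lines it cannot parse instead of raising, so a single unexpected log format does not silence the whole scan. A full-tunnel VPN, as the article recommends, removes the condition entirely: the probe then travels inside the encrypted tunnel and an ISP-level interception box never sees it in the clear.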
ESET believes that Disco is used in conjunction with AitM attacks, while NightClub is used for victims where traffic interception at the ISP level isn’t possible, for example because an end-to-end encrypted VPN routes their internet traffic outside of Belarus.
At Least Five Embassies Targeted
According to the firm’s telemetry, the group targets foreign embassies in Belarus. ESET has identified at least five countries whose embassy staff have been targeted, including two from Europe, one from South Asia and one from Africa.
While ESET tracks MoustachedBouncer as an individual group, Faou said he had found indications that the group has “weak links” with, and may be collaborating with, another active espionage group known as Winter Vivern, which has targeted government staff of several European countries in 2023, including Poland and Ukraine.
“The TTPs and the toolsets are very different, but they use some common C&C infrastructure features,” Faou explained.
While it’s not clear what type of information MoustachedBouncer has collected so far, Faou told Infosecurity that having run espionage campaigns for so long while staying under the radar means that the group likely enjoys relatively extensive resources.
“The AITM attack scheme is also quite sophisticated,” he added.
“The main takeaway is that organizations in foreign countries where the internet cannot be trusted should use an end-to-end encrypted VPN tunnel to a trusted location for all their internet traffic in order to circumvent any network inspection devices. They should also use top quality, updated computer security software.”
ESET doesn’t know whether the targeted embassies have been in contact with the Belarusian authorities, or whether the latter are aware of ESET’s research on MoustachedBouncer.