ESET believes that MoustachedBouncer uses a “lawful interception system” to conduct its AitM operations
ESET Research Discovers MoustachedBouncer: Cyberespionage Group Targeting Diplomats in Belarus. Active since 2014, it aligns with local government interests and focuses on foreign embassies, including European ones. Using AitM attacks since 2020, MoustachedBouncer compromises targets via ISP-level tampering. Employing toolsets NightClub and Disco, findings were presented at Black Hat USA 2023 by ESET’s Matthieu Faou.
According to ESET telemetry, the group targets foreign embassies in Belarus, and ESET has identified four countries whose embassy staff have been targeted: two from Europe, one from South Asia, and one from Africa. ESET assesses that MoustachedBouncer is very likely aligned with Belarus interests and specializes in espionage, specifically against foreign embassies in Belarus. MoustachedBouncer uses advanced techniques for Command and Control (C&C) communications, including network interception at the ISP level for the Disco implant, emails for the NightClub implant, and DNS in one of the NightClub plugins.
While ESET Research tracks MoustachedBouncer as a separate group, we have found elements that make ESET assess with low confidence that it is collaborating with another active espionage group, Winter Vivern, which has targeted government staff of several European countries, including Poland and Ukraine, in 2023.
“To compromise their targets, MoustachedBouncer operators tamper with their victims’ internet access, probably at the ISP level, to make Windows believe it’s behind a captive portal. For IP ranges targeted by MoustachedBouncer, network traffic is redirected to a seemingly legitimate, but fake, Windows Update page,” said ESET researcher Matthieu Faou, who discovered the new threat group. “This adversary-in-the-middle technique occurs only against a few selected organizations, perhaps just embassies, not countrywide. The AitM scenario reminds us of the Turla and StrongPity threat actors, who have trojanized software installers on the fly at the ISP level.”
Since 2014, the malware families used by MoustachedBouncer have evolved, and a big change happened in 2020, when the group started to use adversary-in-the-middle attacks. MoustachedBouncer operates the two implant families in parallel, but on a given machine, only one is deployed at a time. ESET believes that Disco is used in conjunction with AitM attacks, while NightClub is used for victims where traffic interception at the ISP level isn’t possible because of a mitigation such as the use of an end-to-end encrypted VPN where internet traffic is routed outside of Belarus.
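The captive-portal trick above works because Windows decides it is behind a portal whenever its connectivity probe (an HTTP request for http://www.msftconnecttest.com/connecttest.txt, which must return 200 with the body "Microsoft Connect Test") comes back altered. The following detection helper, an added example that is not ESET's code or anything belonging to the group described here, classifies a captured probe reply as genuine, an ordinary captive portal, or tampering consistent with a fake Windows Update redirect; the sample replies and the allow-list of trusted Microsoft domains are constructed assumptions for illustration.

```python
"""Added example (not ESET's or the group's code): classify the reply to the
Windows NCSI probe http://www.msftconnecttest.com/connecttest.txt, which must
be HTTP 200 with the body "Microsoft Connect Test"."""
from urllib.parse import urlparse

EXPECTED_BODY = b"Microsoft Connect Test"
REDIRECTS = {301, 302, 303, 307, 308}
TRUSTED_SUFFIXES = (".microsoft.com", ".windowsupdate.com")  # assumed allow-list
LOOKALIKE_WORDS = ("microsoft", "windows", "update")


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x reply into (status, lower-cased headers, body).
    A malformed status line yields status 0 so the caller treats it as tampering."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def classify_probe_response(raw: bytes) -> str:
    """Return 'ok', 'captive_portal' or 'tampered' for one probe reply."""
    status, headers, body = parse_http_response(raw)
    if status == 200:
        # A 200 with the wrong body means the probe text was rewritten in transit.
        return "ok" if body.strip() == EXPECTED_BODY else "tampered"
    if status in REDIRECTS:
        host = (urlparse(headers.get("location", "")).hostname or "").lower()
        # A real captive portal redirects to its own login page; a redirect to a
        # Microsoft-looking host outside Microsoft's domains fits the fake update page.
        if any(w in host for w in LOOKALIKE_WORDS) and not host.endswith(TRUSTED_SUFFIXES):
            return "tampered"
        return "captive_portal"
    return "tampered"


# Constructed sample replies: genuine, hotel portal, fake update page, injected body.
SAMPLES = {
    "genuine": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nMicrosoft Connect Test",
    "hotel_portal": b"HTTP/1.1 302 Found\r\nLocation: http://portal.hotel.example/login\r\n\r\n",
    "fake_update": b"HTTP/1.1 302 Found\r\nLocation: http://update.windows-security.example/\r\n\r\n",
    "injected_page": b"HTTP/1.1 200 OK\r\n\r\n<html>Install this Windows update</html>",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14s} -> {classify_probe_response(raw)}")
```

Feeding the probe replies seen on an embassy network segment through this check (for example from a proxy or packet capture) gives a cheap, host-independent signal that the ISP path is rewriting traffic, which is exactly the case where the VPN recommendation below applies.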
“The main takeaway is that organizations in foreign countries where the internet cannot be trusted should use an end-to-end encrypted VPN tunnel to a trusted location for all their internet traffic in order to circumvent any network inspection devices. They should also use top-quality, updated computer security software,” advises Faou.