MoustachedBouncer, a cyberespionage group, has recently been discovered by ESET Research. The group has been active since 2014 and focuses solely on targeting foreign embassies in Belarus. Most notably, since 2020, MoustachedBouncer has been using adversary-in-the-middle (AitM) attacks at the ISP level within Belarus to compromise its targets. These attacks allow the group to redirect captive portal checks to a command-and-control (C&C) server and deliver malware plugins through SMB shares.
ESET Research has named the two toolsets used by MoustachedBouncer as NightClub and Disco. These toolsets support various spying plugins including a screenshotter, an audio recorder, and a file stealer. The group’s tactics, techniques, and procedures were also discussed by ESET Research experts on the ESET Research Podcast.
The victims targeted by MoustachedBouncer are foreign embassies in Belarus. ESET telemetry shows that embassy staff from four different countries have been targeted: two in Europe, one in South Asia, and one in Africa. The timeline of MoustachedBouncer activities is shown in Figure 1.
While MoustachedBouncer and another group called Winter Vivern are tracked separately, there are elements suggesting, with low confidence, that the two collaborate closely. Winter Vivern was discovered in 2021 and is still active. In March 2023, Winter Vivern used a known XSS vulnerability in the Zimbra mail portal to steal webmail credentials of diplomats from several European countries. MoustachedBouncer’s activity spans from 2014 to 2022, with evolving tactics, techniques, and procedures. However, its targeted vertical has remained the same.
The initial access method for MoustachedBouncer’s Disco toolset is detailed in the report. The group manipulates the victims’ internet access at the ISP level to make Windows believe it is behind a captive portal. Windows 10 checks internet access with an HTTP request to a Microsoft Connect Test URL. If the answer is not the expected one, a browser window opens to a redirect URL. For IP ranges targeted by MoustachedBouncer, the network traffic is tampered with at the ISP level, and the redirect URL leads to a fake Windows Update page. This page, displayed to potential victims when they connect to the network, claims that critical system security updates need to be installed.
The fake Windows Update page is not encrypted and uses an unregistered subdomain, so it does not resolve on the open internet. The adversary-in-the-middle (AitM) technique is specifically used against selected organizations, such as embassies, and cannot be reproduced from random IP addresses in Belarus. The report recommends that foreign organizations in Belarus use an end-to-end encrypted VPN tunnel for secure internet connectivity.
The malware delivery process starts with the fake Windows Update page loading JavaScript code that triggers the download of a fake Windows Update installer. This installer contains a malicious executable that creates a scheduled task, which fetches an executable via SMB from several different IP addresses. Traffic to these SMB servers is also intercepted via AitM. The compromise vector and traffic interception scenario are outlined in Figure 5.
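As an added example (not code from the ESET report or from the MoustachedBouncer toolsets), the check below classifies what a Windows connectivity probe actually received, so a defender can tell a genuine answer from a generic captive portal and from a landing page that matches the update lure described above. It assumes the well-known Windows 10 probe URL http://www.msftconnecttest.com/connecttest.txt and its expected body "Microsoft Connect Test"; the sample responses and hostnames are constructed.

```python
"""Heuristic check of a Windows connectivity-probe (NCSI) result.

Added example, not code from the ESET report. It assumes the well-known
Windows 10 probe (GET http://www.msftconnecttest.com/connecttest.txt with the
expected body "Microsoft Connect Test"); every response below is constructed.
"""
from urllib.parse import urlparse

PROBE_HOST = "www.msftconnecttest.com"
EXPECTED_BODY = b"Microsoft Connect Test"
LURE_PHRASES = (b"windows update", b"security update")


def classify_probe(status: int, final_url: str, body: bytes) -> str:
    """Return 'ok', 'captive_portal' or 'suspicious_update_lure'.

    'ok' is a genuine answer: HTTP 200 from the probe host with exactly the
    expected body. Anything else is what Windows treats as a captive portal
    and opens in a browser. If that landing page is plain HTTP on a
    non-Microsoft host and talks about installing updates, it matches the
    lure described in the report and is flagged separately.
    """
    parsed = urlparse(final_url)
    host, scheme = parsed.hostname or "", parsed.scheme.lower()
    if status == 200 and host == PROBE_HOST and body.strip() == EXPECTED_BODY:
        return "ok"
    # The probe itself is plain HTTP, so an on-path device at the ISP can
    # rewrite the answer freely; inspect where the browser would end up.
    lowered = body.lower()
    if scheme == "http" and host != PROBE_HOST and any(p in lowered for p in LURE_PHRASES):
        return "suspicious_update_lure"
    return "captive_portal"


# Constructed sample results; hostnames are placeholders, not real indicators.
SAMPLES = {
    "genuine": (200, "http://www.msftconnecttest.com/connecttest.txt",
                b"Microsoft Connect Test"),
    "hotel_wifi": (200, "http://wifi.portal.example/login",
                   b"<html><body>Please log in to the hotel network</body></html>"),
    "update_lure": (200, "http://update.placeholder-subdomain.example/",
                    b"<html><body>Critical system security updates need to be "
                    b"installed before you can continue.</body></html>"),
}


def classify_samples() -> dict:
    """Run every constructed sample through classify_probe."""
    return {name: classify_probe(*args) for name, args in SAMPLES.items()}
```

An HTTPS landing page or one on the genuine probe host is deliberately not flagged as a lure, so the heuristic errs toward the generic captive-portal verdict rather than raising false alarms.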
The AitM scenario employed by MoustachedBouncer is similar to those used by other threat actors such as Turla and StrongPity. This initial access method requires significant access within the internet service providers (ISPs) and is typically used by threat actors within their own country. In many countries, security services are authorized to perform “lawful interception” through special devices installed on ISPs’ premises. In Russia, for example, a law from 2014 mandates that ISPs install devices known as SORM-3 for targeted surveillance by the Federal Security Service (FSB).
Overall, MoustachedBouncer, a cyberespionage group targeting foreign embassies in Belarus, has been operating since at least 2014. The group has recently been using adversary-in-the-middle attacks at the ISP level to compromise its targets. ESET Research has identified the group’s toolsets as NightClub and Disco, which include various spying plugins. Collaboration between MoustachedBouncer and another group called Winter Vivern is also suspected. The report highlights the compromise vector and traffic interception methods used by MoustachedBouncer and recommends secure measures for foreign organizations in Belarus.