CyberSecurity SEE

Moustached Bouncer Assaulting Foreign Embassies at NightClub

Cyberespionage group MoustachedBouncer, which has been active since 2014, is suspected to have carried out adversary-in-the-middle (AitM) attacks since 2020, using an ISP-level interception system called “SORM” together with two specialized toolsets. The group, believed to have backing from Belarus, primarily targets foreign diplomats from various countries.

Researchers at ESET, a cybersecurity firm, recently discovered that MoustachedBouncer has been conducting these attacks for nearly a decade. The group’s main targets are embassies in Belarus, with personnel from European, South Asian, and African countries being affected. The tactics, techniques, and procedures (TTPs) employed by the group have evolved over time, but the AitM attacks have remained consistent.

MoustachedBouncer leverages its ISP-level interception capabilities to redirect victims within targeted IP ranges to deceptive Windows Update URLs. Victims are then presented with fake Windows Update pages containing urgent security alerts. These pages prompt users to click a button labeled “Get updates,” which runs JavaScript that downloads malicious files.

The AitM technique employed by MoustachedBouncer is similar to tactics used by other cyberespionage groups, such as Turla and StrongPity, which trojanize installers at the ISP level. The collaboration between MoustachedBouncer and Belarusian ISPs through lawful intercept systems is reminiscent of Russia’s SORM, which was mandated in 2016 and required telecom providers’ compliance.

ESET’s investigation into the group began in February 2022 after a cyberattack on a European embassy. Analysis of the malware used in the attack revealed a trail dating back to 2014, highlighting MoustachedBouncer’s expertise in targeting diplomats with stealth.

The tools used by MoustachedBouncer include Disco, which is likely employed in the AitM attacks, and NightClub, which is used against VPN-protected victims located outside of Belarus. NightClub has two primary capabilities: file monitoring and data exfiltration via SMTP (email). The group also uses a NightClub plugin for DNS-related activity.

These advanced techniques demonstrate that MoustachedBouncer is a highly skilled threat actor that actively targets diplomats in Belarus using sophisticated methods for command and control (C&C) communication.

The ongoing activities of MoustachedBouncer highlight the importance of maintaining awareness of the latest cybersecurity threats.
