
Moustached Bouncer Likely APT Spies on Embassies, Potentially via ISPs


A recently documented Advanced Persistent Threat (APT) group, tracked by ESET as MoustachedBouncer, has been targeting staff of several foreign embassies in Belarus. The group, assessed to be aligned with the interests of the Belarusian government, has run an espionage campaign since at least 2014, compromising diplomats from multiple countries with bespoke infostealer malware. The initial access vector has not been confirmed, but the researchers assess that MoustachedBouncer either compromised routers at the targeted embassies or intercepted and manipulated traffic at the Internet Service Provider (ISP) level, an adversary-in-the-middle (AitM) technique.

In a presentation at the Black Hat USA 2023 conference, ESET senior malware researcher Matthieu Faou shared details of the MoustachedBouncer findings. Faou cautioned that organizations, government agencies included, should assume the network is hostile when operating in countries with weak privacy protections such as Belarus. His advice was to route all traffic through an end-to-end encrypted VPN tunnel to a trusted location outside the country, so that the local ISP sees only encrypted traffic and has nothing to intercept or inject into.

The suspected technique resembles one ESET previously attributed to Turla, another espionage group. In 2018, ESET reported that Turla had delivered its data-stealing malware in a trojanized Adobe Flash installer that appeared to come from legitimate Adobe infrastructure; the most plausible explanation was that HTTP traffic was being manipulated at the ISP level, so that an ordinary download request was answered with an attacker-supplied executable. MoustachedBouncer appears to use the same class of technique.

Since 1995, Russian authorities have had lawful-interception access to Internet and telephone networks through the System for Operative Investigative Activities (SORM). Amnesty International has noted that all telecommunications providers in Belarus are required to make their networks SORM-compatible, and that SORM gives the authorities direct, remote access to user communications without the provider being notified of individual intercepts. The researchers theorize that MoustachedBouncer leverages this ISP-level interception capability to manipulate its targets' traffic.

In the observed operation, MoustachedBouncer redirects the unencrypted HTTP traffic of a targeted computer to a fake Windows Update page. The page presents itself as a critical security update and prompts the user to download an executable, which installs the malware ESET calls "Disco." Disco is a modular framework that can take screenshots, run PowerShell scripts, and exfiltrate data from the compromised machine. Genuine Windows updates are never delivered through a web page that asks the user to download and run a file, so any page of this kind is a red flag. When a target's traffic cannot be intercepted, for example because it is tunnelled through a VPN, the group instead uses a second implant, "Nightclub," which carries its command-and-control traffic over email protocols (SMTP and IMAP) and adds file exfiltration, screenshot capture, keylogging, and audio recording. The researchers do not know how Nightclub is delivered to its targets.
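The two patterns described above, an injected plain-HTTP "Windows Update" page and an implant talking SMTP/IMAP from a process that is not the mail client, are both detectable from ordinary network telemetry. The following is an added example written for this page; it is not code from ESET or from the article, and it runs over constructed sample events. The event shapes (a Zeek-style HTTP record with the client-requested host and scheme, a connection record with the originating process name), the hosts, the IP addresses, and the allowlists are all assumptions a defender would replace with their own. The canary check implements the idea that a defender who controls a plain-HTTP page of known content can detect in-transit rewriting by comparing what arrives against its expected hash.

```python
"""Added example: detection logic for an injected fake Windows Update page
(the Disco delivery pattern) and for SMTP/IMAP command-and-control from a
non-mail process (the Nightclub pattern). All sample data below is constructed."""
import hashlib
import re
from urllib.parse import urlparse

# Assumed allowlist: hosts that legitimately serve Windows Update traffic.
MICROSOFT_SUFFIXES = ("microsoft.com", "windowsupdate.com", "windows.com")
# Assumed allowlist: processes permitted to speak mail protocols from a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
MAIL_PORTS = {25, 143, 465, 587, 993}


def is_microsoft_host(host):
    """True if host is one of the allowlisted domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in MICROSOFT_SUFFIXES)


def check_http(ev):
    """Flag signs of an injected fake Windows Update page in one HTTP transaction."""
    findings = []
    loc = ev.get("location")
    # A request for a Microsoft host answered with a redirect elsewhere is the
    # signature of traffic manipulation between client and server.
    if 300 <= ev["status"] < 400 and loc:
        target = urlparse(loc).hostname
        if is_microsoft_host(ev["host"]) and not is_microsoft_host(target):
            findings.append(f"{ev['host']} redirected to non-Microsoft host {target}")
    # Windows Update is never a web page that offers an executable, and the
    # injected page can only arrive over unencrypted HTTP.
    body = ev.get("body", "")
    if ev["scheme"] == "http" and re.search(r"windows\s+update", body, re.I) \
            and re.search(r"\.exe\b", body, re.I):
        findings.append(f"plain-HTTP page from {ev['host']} poses as Windows Update and offers an .exe")
    return findings


def check_conn(ev):
    """Flag SMTP/IMAP sessions from processes that are not the mail client."""
    if ev["dst_port"] in MAIL_PORTS and ev["process"].lower() not in MAIL_CLIENTS:
        return [f"{ev['process']} on {ev['src']} spoke port {ev['dst_port']} to {ev['dst']}"]
    return []


# Canary: a plain-HTTP page the defender controls, fetched periodically from the
# embassy network; any difference from the known content means it was rewritten in transit.
CANARY_BODY = "<html><body>canary 2023-08</body></html>"
CANARY_SHA256 = hashlib.sha256(CANARY_BODY.encode()).hexdigest()


def canary_tampered(received_body, expected_sha256=CANARY_SHA256):
    return hashlib.sha256(received_body.encode()).hexdigest() != expected_sha256


# Constructed sample events (not real captures).
SAMPLE_HTTP = [
    # Legitimate: HTTPS request to Microsoft, redirected within Microsoft.
    {"host": "www.microsoft.com", "scheme": "https", "status": 301,
     "location": "https://www.microsoft.com/en-us/", "body": ""},
    # Injected: plain-HTTP request for a Microsoft host redirected to an outside host.
    {"host": "update.microsoft.com", "scheme": "http", "status": 302,
     "location": "http://198.51.100.7/update/", "body": ""},
    # The injected page itself: plain HTTP, "Windows Update" wording, links an .exe.
    {"host": "198.51.100.7", "scheme": "http", "status": 200, "location": None,
     "body": '<h1>Windows Update</h1><p>Critical security update.</p>'
             '<a href="/update/KB_install.exe">Install now</a>'},
]
SAMPLE_CONN = [
    {"src": "10.0.0.15", "dst": "203.0.113.9", "dst_port": 993, "process": "outlook.exe"},
    {"src": "10.0.0.15", "dst": "203.0.113.9", "dst_port": 587, "process": "svchost.exe"},
]


def run(http_events, conn_events):
    """Return every finding across both event streams."""
    findings = []
    for ev in http_events:
        findings += check_http(ev)
    for ev in conn_events:
        findings += check_conn(ev)
    return findings


if __name__ == "__main__":
    for line in run(SAMPLE_HTTP, SAMPLE_CONN):
        print("ALERT:", line)
    print("canary tampered:", canary_tampered(CANARY_BODY + "<script></script>"))
```

The redirect check keys on the host the client asked for rather than the host it ended up at, because an AitM injection is exactly the case where those two disagree. The mail-protocol check needs endpoint telemetry (Sysmon event ID 3 or an EDR network event) to attribute the connection to a process; pure flow logs only show the workstation.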

MoustachedBouncer's ability to evade detection for nearly a decade can be attributed to its small number of targets and the nature of its access. The group selects its victims carefully, compromising only a handful each year, and delivery through the network path rather than through phishing or exploits leaves few of the artifacts that commonly expose an intrusion.

Organizations operating in regions where the local network cannot be trusted should treat the ISP as a potential adversary. Routing all traffic through an end-to-end encrypted VPN tunnel to a trusted location, obtaining Windows updates only through the operating system's own update mechanism and never from a web page, and monitoring for unexpected redirects and for mail-protocol traffic from non-mail processes are concrete defenses against the techniques attributed to MoustachedBouncer.
