A hitherto undocumented threat actor operating for nearly a decade and codenamed MoustachedBouncer has been attributed to cyber espionage attacks aimed at foreign embassies in Belarus.

“Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets,” ESET security researcher Matthieu Faou said, describing the group as skilled and advanced.

The adversary, active since at least 2014, is assessed to be aligned with Belarusian interests, likely employing a lawful interception system such as SORM to conduct its AitM attacks as well as deploy disparate tools called NightClub and Disco.

Both Windows malware frameworks support additional spying plugins, including a screenshotter, an audio recorder, and a file stealer. The oldest sample of NightClub dates back to November 19, 2014, when it was uploaded to VirusTotal from Ukraine.

Embassy staff from four different countries have been targeted since June 2017: two from Europe, one from South Asia, and one from Northeast Africa. One of the European diplomats was compromised twice in November 2020 and July 2022. The names of the countries were not revealed.

MoustachedBouncer is also believed to work closely with another advanced persistent threat (APT) actor known as Winter Vivern (aka TA473 or UAC-0114), which has a track record of striking government officials in Europe and the U.S.

The exact initial infection vector used to deliver NightClub is presently unknown. The distribution of Disco, on the other hand, is accomplished by means of an AitM attack.

“To compromise their targets, MoustachedBouncer operators tamper with their victims’ internet access, probably at the ISP level, to make Windows believe it’s behind a captive portal,” Faou said. “For IP ranges targeted by MoustachedBouncer, the network traffic is tampered at the ISP level, and the latter URL redirects to a seemingly legitimate, but fake, Windows Update URL.”

“While the compromise of routers in order to conduct AitM on embassy networks cannot be fully discarded, the presence of lawful interception capabilities in Belarus suggests the traffic mangling is happening at the ISP level rather than on the targets’ routers,” Faou said.

Two Belarusian internet service providers (ISPs), namely Unitary Enterprise A1 and Beltelecom, are suspected to be involved in the campaign, according to the Slovak cybersecurity company.

Victims who land on the bogus page are greeted with a message urging them to install critical security updates by clicking on a button. In doing so, a rogue Go-based “Windows Update” installer is downloaded to the machine that, when executed, sets up a scheduled task to run another downloader binary responsible for fetching additional plugins.
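The captive-portal trick described above works because Windows decides it is behind a portal when its connectivity probe does not return the exact expected answer. The following script is an added illustration (not ESET's code and not a MoustachedBouncer artefact) of how a defender can check that probe from a workstation: it classifies an HTTP response to the genuine Windows probe URL (www.msftconnecttest.com/connecttest.txt, which must return the body "Microsoft Connect Test") as clean, redirected, or rewritten. The sample responses, the redirect target host and the field names are constructed for the example; the live fetch is optional and deliberately does not follow redirects.

```python
"""
Check whether the answer to Windows' network connectivity probe looks genuine
or like a captive-portal style redirect/rewrite.

Added illustration for this article; not ESET's or any vendor's code.
"""
import http.client
from typing import Dict, Tuple

# Genuine Windows NCSI HTTP probe (Windows 10 and later). Windows fetches this
# path and expects exactly this body; any redirect or different body makes it
# believe it is behind a captive portal and open the returned page.
PROBE_HOST = "www.msftconnecttest.com"
PROBE_PATH = "/connecttest.txt"
EXPECTED_BODY = "Microsoft Connect Test"

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def classify_probe_response(status: int, headers: Dict[str, str], body: str) -> str:
    """Return 'ok', 'redirect', 'unexpected-status' or 'content-mismatch'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    # A redirect (or a stray Location header) means something on the path is
    # steering the probe to a page of its choosing.
    if status in REDIRECT_STATUSES or "location" in lowered:
        return "redirect"
    if status != 200:
        return "unexpected-status"
    # A 200 whose body is not the fixed probe text is an in-path rewrite.
    if body.strip() != EXPECTED_BODY:
        return "content-mismatch"
    return "ok"


def fetch_probe(host: str = PROBE_HOST, path: str = PROBE_PATH,
                timeout: float = 5.0) -> Tuple[int, Dict[str, str], str]:
    """Live fetch over plain HTTP. http.client does not follow redirects,
    so a 3xx from the network is returned as-is for classification."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "ncsi-probe-check"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return resp.status, dict(resp.getheaders()), body
    finally:
        conn.close()


# Constructed sample responses (assumptions for the example, not captured traffic).
# The redirect host is a placeholder, not a real indicator.
SAMPLES = {
    "clean": (200, {"Content-Type": "text/plain"}, "Microsoft Connect Test"),
    "redirected": (302, {"Location": "http://windows-update.example.invalid/portal"}, ""),
    "rewritten": (200, {"Content-Type": "text/html"},
                  "<html><body>Install critical security updates</body></html>"),
}


def classify_samples() -> Dict[str, str]:
    """Classify each constructed sample; useful as a self-check of the rules."""
    return {name: classify_probe_response(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:10s} -> {verdict}")
    try:
        print(f"{'live':10s} -> {classify_probe_response(*fetch_probe())}")
    except OSError as exc:
        print(f"{'live':10s} -> fetch failed: {exc}")
```

Running the live check from a host whose traffic leaves through an untrusted network, and comparing the verdict with the same check run over a trusted VPN tunnel, is a cheap way to notice the kind of probe tampering ESET describes. Windows also performs a DNS check (dns.msftncsi.com) as part of NCSI; this example covers only the HTTP probe.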

The add-ons expand on Disco’s functionality by capturing screenshots every 15 seconds, executing PowerShell scripts, and setting up a reverse proxy.

A significant aspect of the plugins is the use of the Server Message Block (SMB) protocol for data exfiltration to command-and-control servers that are inaccessible over the internet, making the threat actor’s infrastructure highly resilient.

Also used in the January 2020 attack aimed at diplomats of a Northeast African country in Belarus is a C# dropper referred to as SharpDisco, which facilitates the deployment of two plugins by means of a reverse shell in order to enumerate connected drives and exfiltrate files.

The NightClub framework also comprises a dropper that, in turn, launches an orchestrator component to harvest files of interest and transmit them over the Simple Mail Transfer Protocol (SMTP). Subsequent iterations of NightClub unearthed in 2017 and 2020 also incorporate a keylogger, audio recorder, screenshotter, and a DNS-tunneling backdoor.

“The DNS-tunneling backdoor (ParametersParserer.dll) uses a custom protocol to send and receive data from a malicious DNS server,” Faou explained. “The plugin adds the data to exfiltrate as part of the subdomain name of the domain that is used in the DNS request.”
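Exfiltration carried in subdomain labels, as described for the NightClub plugin, leaves a recognisable trace in resolver logs: many distinct, long, high-entropy subdomains under one registered domain. The script below is an added illustration (not ESET's code and not the plugin's protocol) of a simple detector a defender can run over DNS query logs. The log format, the query names and the domain tunnel.example are constructed for the example; the thresholds are assumptions to tune per environment, and the "registered domain is the last two labels" shortcut should be replaced with a public-suffix lookup in real use.

```python
"""
Flag DNS queries whose subdomain part looks like tunnelled data, then
aggregate per registered domain.

Added illustration for this article; not ESET's code and not NightClub's protocol.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed resolver log lines (key=value after a timestamp); not real traffic.
# tunnel.example is a placeholder domain, not an indicator.
LOG_LINES = [
    "2020-11-03T09:14:01Z client=10.0.0.12 qtype=A qname=www.microsoft.com",
    "2020-11-03T09:14:02Z client=10.0.0.12 qtype=A qname=ctldl.windowsupdate.com",
    "2020-11-03T09:14:05Z client=10.0.0.12 qtype=TXT qname=8f3a9c12e7b44d0a5e6f7c8d.9e0a1b2c3d4e5f6a7b8c9d0e.tunnel.example",
    "2020-11-03T09:14:07Z client=10.0.0.12 qtype=A qname=mail.google.com",
    "2020-11-03T09:14:09Z client=10.0.0.12 qtype=TXT qname=0011aabb22cc33dd44ee55ff.66778899aabbccddeeff0011.tunnel.example",
    "2020-11-03T09:14:11Z client=10.0.0.12 qtype=A qname=example.org",
    "2020-11-03T09:14:13Z client=10.0.0.12 qtype=TXT qname=deadbeefcafef00dbaadf00d.0123456789abcdef01234567.tunnel.example",
]

# Assumed thresholds: a subdomain payload this long or this random is rare in
# ordinary browsing traffic. Tune against your own baseline.
MAX_PAYLOAD_LEN = 40
MAX_ENTROPY = 3.5


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'timestamp key=value key=value ...' into a dict."""
    parts = line.split()
    fields = {"ts": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, registered_domain). Simplification: the registered
    domain is taken as the last two labels; use a public-suffix list in practice."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(qname: str) -> Dict[str, object]:
    """Compute the features the detector uses for one query name."""
    sub, dom = split_qname(qname)
    payload = sub.replace(".", "")  # labels concatenated: the would-be data channel
    return {
        "qname": qname,
        "domain": dom,
        "subdomain": sub,
        "payload_len": len(payload),
        "entropy": shannon_entropy(payload),
    }


def is_suspicious(score: Dict[str, object]) -> bool:
    """A long or high-entropy subdomain payload is treated as suspicious."""
    return score["payload_len"] >= MAX_PAYLOAD_LEN or score["entropy"] > MAX_ENTROPY


def analyse(lines: List[str]) -> Dict[str, int]:
    """Map registered domain -> number of distinct suspicious subdomains seen."""
    seen = defaultdict(set)
    for line in lines:
        fields = parse_line(line)
        qname = fields.get("qname")
        if not qname:
            continue
        score = score_query(qname)
        if is_suspicious(score):
            seen[score["domain"]].add(score["subdomain"])
    return {dom: len(subs) for dom, subs in seen.items()}


if __name__ == "__main__":
    for dom, count in sorted(analyse(LOG_LINES).items(), key=lambda kv: -kv[1]):
        print(f"{dom}: {count} distinct suspicious subdomains")
```

The per-domain count matters more than any single query: one odd-looking name is common (CDNs, anti-malware signature lookups and some telemetry also encode data in labels), but a steady stream of never-repeating long labels to one domain is the pattern a tunnelling channel cannot avoid. Pair the count with the query type (TXT, NULL and CNAME are frequent for tunnels) and with the client that issued the queries before raising an alert.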

The commands supported by the modular implant allow the threat actor to search for files matching a specific pattern, read, copy, and remove files, write to files, copy directories, and create arbitrary processes.

It’s believed that NightClub is used in scenarios where traffic interception at the ISP level isn’t possible because of anonymity-boosting mitigations such as the use of an end-to-end encrypted VPN where internet traffic is routed outside of Belarus.

“The main takeaway is that organizations in foreign countries where the internet cannot be trusted should use an end-to-end encrypted VPN tunnel to a trusted location for all their internet traffic in order to circumvent any network inspection devices,” Faou said.