Cyberespionage group MoustachedBouncer targets foreign diplomats in Belarus

MoustachedBouncer was previously unknown to the public


MoustachedBouncer is a newly revealed cyberespionage group that has been active since 2014 and specializes in spying on foreign embassies in Belarus. Discovered and disclosed by ESET Research,[1] the group is assessed to be aligned with Belarusian interests and uses advanced tradecraft, including email-based command-and-control (C&C), modular C++ backdoors, and adversary-in-the-middle (AitM) attacks carried out at the ISP level.

According to the findings published by ESET on Thursday, the group has used two separate toolsets, named NightClub and Disco, to carry out its attacks. The existence of MoustachedBouncer sheds new light on state-sponsored hacking, showing how an attacker that can rely on ISP-level access is able to tamper with a target's traffic to achieve its espionage goals.

Background and operations

MoustachedBouncer has been operating at least since 2014, focusing exclusively on foreign embassies in Belarus. The key points of ESET's report include:

  • Active operations since 2014.
  • Likely in alignment with Belarus's interests.
  • Specialization in foreign embassy espionage.
  • Use of adversary-in-the-middle technique since 2020.
  • Possible cooperation with Winter Vivern,[2] another hacker group.

Two malware frameworks, NightClub and Disco, have been identified, both supporting additional spying plugins for screenshots, audio recording, and file stealing.

ESET first spotted MoustachedBouncer in February 2022, shortly after Russia's invasion of Ukraine.[3] That attack targeted diplomats at the embassy of a European country with ties to the ongoing conflict. Matthieu Faou, the researcher behind the report, declined to name the country, citing the geopolitical sensitivity of the case.

Tactics, targets, and techniques

MoustachedBouncer has targeted at least four foreign embassies in Belarus since 2014, including two European nations, one South Asian country, and another from Africa. The group seems to have been quite successful in its operations, staying under the radar while compromising high-profile targets.

The group's ability to tamper with network traffic, most likely through cooperation with Belarusian ISPs, has been a critical part of its success. Windows periodically performs a connectivity check over plain, unauthenticated HTTP; an attacker sitting on the path can answer that request with a redirect to a fake Windows Update page, so the victim's own machine leads them to the malware. Because the check is not protected by TLS, nothing on the endpoint flags the substituted response.
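The redirect technique above can be spotted by inspecting what the connectivity probe actually gets back. The following is an added example, not code from the article or from ESET: it assumes the Windows probe fetches http://www.msftconnecttest.com/connecttest.txt over plain HTTP and expects a 200 response whose body is "Microsoft Connect Test", and it treats a redirect, an HTML page, or any other body as a sign of on-path tampering. The sample responses and the redirect target `updates.example.test` are constructed for illustration, not real captures.

```python
"""Heuristic detection of on-path tampering with the Windows connectivity probe.

Added example (not the article's or ESET's code). Assumption: the Windows
Network Connectivity Status Indicator fetches NCSI_URL over plain HTTP and
expects HTTP 200 with the body "Microsoft Connect Test". A redirect, an HTML
page, or an altered body is reported as suspicious.
"""
import http.client
from urllib.parse import urlparse

NCSI_URL = "http://www.msftconnecttest.com/connecttest.txt"
EXPECTED_BODY = b"Microsoft Connect Test"
REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    return status_code, headers, body


def classify_ncsi_response(status_code: int, headers: dict, body: bytes) -> str:
    """Return 'ok' for a genuine probe answer, otherwise a short reason string."""
    if status_code in REDIRECT_CODES:
        # Windows expects a plain 200; any redirect means someone rewrote the answer.
        return f"redirect to {headers.get('location', '<missing>')}"
    if status_code != 200:
        return f"unexpected status {status_code}"
    content_type = headers.get("content-type", "")
    lowered = body.lower()
    if "text/html" in content_type or b"<html" in lowered or lowered.lstrip().startswith(b"<!doctype html"):
        return "html page served instead of plain-text probe (captive-portal style injection)"
    if body.strip() != EXPECTED_BODY:
        return "unexpected probe body"
    return "ok"


def check_raw(raw: bytes) -> str:
    """Convenience wrapper: classify a raw response captured from the wire."""
    return classify_ncsi_response(*parse_http_response(raw))


def fetch_and_check(url: str = NCSI_URL, timeout: float = 5.0) -> str:
    """Live check: fetch the probe WITHOUT following redirects and classify it.

    Needs network access; deliberately not called at import time.
    """
    parsed = urlparse(url)
    conn = http.client.HTTPConnection(parsed.hostname, parsed.port or 80, timeout=timeout)
    try:
        conn.request("GET", parsed.path or "/", headers={"Host": parsed.hostname})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify_ncsi_response(resp.status, headers, resp.read())
    finally:
        conn.close()


# Constructed sample responses for offline use (not real captures).
GENUINE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 22\r\n\r\n"
           b"Microsoft Connect Test")
TAMPERED_REDIRECT = (b"HTTP/1.1 302 Found\r\nLocation: http://updates.example.test/update\r\n"
                     b"Content-Length: 0\r\n\r\n")
TAMPERED_HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><body>A Windows update is required</body></html>")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("redirect", TAMPERED_REDIRECT), ("html", TAMPERED_HTML)):
        print(f"{name}: {check_raw(raw)}")
```

Run from an endpoint behind the network you distrust; a result other than "ok" means something between you and Microsoft is rewriting unauthenticated HTTP. Note that the check only observes the probe itself, so a capable adversary could leave the probe alone and rewrite other plain-HTTP requests; treat a clean result as necessary, not sufficient.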

One enabler is Belarus's lawful interception system, similar to Russia's SORM, which allows traffic to be intercepted and modified at the provider. The system has been known for years, and all telecom providers in Belarus are required to be compatible with it. An Amnesty International report from 2016 describes it as follows:[4]

The system of surveillance in Belarus has many problematic aspects. Prominent among them is the SORM system, a set of standardised technical means for interception of communications which allows the authorities direct, remote-control access to all user communications and associated data without notifying the providers.

Two malware frameworks, NightClub and Disco, were built to support the group's espionage activity. NightClub, in use since 2014, communicates with its C&C over SMTP and IMAP, so its traffic blends in with ordinary email. Disco, first seen in 2020, is used in parallel and is the framework delivered through the AitM redirect.

Both frameworks are mature tooling, and their long, quiet use illustrates how state-aligned groups like MoustachedBouncer keep evolving.

Possible mitigation tactics

The stealthy modus operandi of MoustachedBouncer, in particular its ability to remain undetected for nearly a decade, is a testament to its skill and to the evolving threat of cyberespionage. By compromising high-profile targets, the group has demonstrated both capability and audacity.

For foreign entities, especially embassies operating within Belarus, the findings are a clear warning. Organizations are strongly advised to route all internet traffic through an encrypted VPN tunnel to a trusted endpoint outside the country, so that a local ISP or interception system sees only encrypted traffic and cannot rewrite plain-HTTP requests such as the Windows connectivity check. The tunnel only helps if it fails closed: a client that falls back to the local network when the VPN drops, or that allows split tunneling, hands the same unprotected traffic back to the on-path attacker.

The emergence of MoustachedBouncer on the international cyberespionage stage underlines the pressing need for enhanced cybersecurity vigilance. As cyber threats become more intricate, the onus is on organizations and governments to bolster their defenses, ensuring sensitive information remains protected against a new wave of sophisticated threat actors like MoustachedBouncer.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
