BLACK HAT USA – Las Vegas – Thursday, Aug. 10 — A Belarus-linked APT spied on staff in at least four embassies operating in the country, likely by leveraging the country’s local Internet service provider (ISP).
In a Thursday presentation at Black Hat, ESET senior malware researcher Matthieu Faou will describe an espionage campaign by “MoustachedBouncer,” a previously unknown yet nearly decade-old APT aligned with the interests of the government of Belarus. From 2017 to 2022, using bespoke infostealer malware, the group successfully compromised diplomats from one southeast Asian country, one African country, and two European countries.
The exact method of intrusion isn’t yet proven. MoustachedBouncer may have infected routers at the individual embassies, but ESET assessed that it more likely took advantage of lawful communications interception technology known to be used by the governments of Belarus and Russia at the ISP level.
“In most Western countries there are privacy laws, but when you go to countries like Belarus, you should really be careful,” Faou advises for organizations of all kinds, not only government agencies. “You should not let traffic go outside of your computer without a VPN.”
MoustachedBouncer Used ISPs to Spy on Diplomats
Five years ago, ESET described an espionage campaign in which the Russian APT Turla sewed its data-stealing malware inside of a trojanized Adobe Flash installer. The precise method of getting that malware to its targets wasn’t entirely clear, but the researchers speculated that the group might have been manipulating HTTP requests at the ISP level.
This, they believe, is the same level at which MoustachedBouncer is operating.
Since 1995, the Russian government has been able to spy on Internet and phone networks through its System for Operative Investigative Activities (SORM). According to Amnesty International, all telecommunications providers in Belarus are SORM-compatible, as well. “The SORM system allows the authorities direct, remote-control access to all user communications and associated data without notifying the provider,” the nonprofit explained in a 2021 report.
Therefore, the researchers wrote, “while the compromise of routers in order to conduct AitM [attacks in the middle] on embassy networks cannot be fully discarded, the presence of lawful interception capabilities in Belarus suggests the traffic mangling is happening at the ISP level rather than on the targets’ routers.”
MoustachedBouncer’s Decade Underground
Whether it used ISP or router compromise, MoustachedBouncer directed targeted computers to a fake Windows Update page. “It’s quite efficient, because this fake Windows page comes up as soon as they start the computer. They have nothing to do except download the malware,” Faou tells Dark Reading.
The malware, “Disco,” is a modular framework capable of taking screenshots, running PowerShell scripts, and exfiltrating data from the targeted machine.
This method didn’t work for targets that filtered their traffic through VPNs, however. In those cases, MoustachedBouncer deployed “Nightclub,” another modular malware with the ability to monitor and exfiltrate files, as well as take screenshots, log keystrokes, and record audio. The entirety of its command-and-control communications occurs over email, via the SMTP and IMAP protocols. It’s unclear how Nightclub was delivered to targets.
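As an added illustration (not code from the article or from ESET), here are two defender-side checks over constructed log lines for the two behaviours just described: an HTML page or redirect served in answer to a cleartext HTTP request for a Windows Update host, and SMTP/IMAP connections coming from a process that is not a mail client. The log formats, host names, process names and the mail-client allow-list are all assumptions made for this example.

```python
import re
from typing import Dict, List

# Assumed heuristics for this example: hostnames that look like update
# infrastructure, the ports used by SMTP/IMAP, and an allow-list of mail clients.
UPDATE_HOST = re.compile(r"(windowsupdate|update\.microsoft)", re.I)
MAIL_PORTS = {25, 465, 587, 143, 993}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed proxy log: timestamp client method url status content_type
PROXY_LOG = """\
2023-08-10T09:01:02Z 10.0.0.5 GET http://download.windowsupdate.example/cab 200 application/octet-stream
2023-08-10T09:01:05Z 10.0.0.7 GET http://update.microsoft.example/ 302 text/html
2023-08-10T09:01:09Z 10.0.0.7 GET http://news.example.org/ 200 text/html
"""

# Constructed endpoint connection log: timestamp host process dst_host dst_port
CONN_LOG = """\
2023-08-10T09:02:00Z WS-01 outlook.exe mail.example.org 993
2023-08-10T09:02:11Z WS-01 svchost.exe mail.example.org 25
2023-08-10T09:02:30Z WS-02 thunderbird.exe imap.example.net 143
2023-08-10T09:03:01Z WS-02 winupdate.exe imap.example.net 993
"""


def suspicious_update_responses(log: str) -> List[Dict[str, str]]:
    """Cleartext (http://) requests to update-looking hosts that came back as a
    redirect or an HTML document: genuine update traffic returns binaries or
    metadata, so a page here is a possible sign of upstream traffic mangling."""
    hits = []
    for line in log.splitlines():
        _ts, client, _method, url, status, ctype = line.split()
        if not url.startswith("http://") or not UPDATE_HOST.search(url):
            continue
        if status.startswith("3") or ctype.startswith("text/html"):
            hits.append({"client": client, "url": url, "status": status})
    return hits


def mail_protocol_from_non_mail_process(log: str) -> List[Dict[str, str]]:
    """SMTP/IMAP connections from processes outside the mail-client allow-list,
    the kind of traffic an email-based command-and-control channel produces."""
    hits = []
    for line in log.splitlines():
        _ts, host, proc, dst, port = line.split()
        if int(port) in MAIL_PORTS and proc.lower() not in MAIL_CLIENTS:
            hits.append({"host": host, "process": proc, "dst": f"{dst}:{port}"})
    return hits


if __name__ == "__main__":
    for hit in suspicious_update_responses(PROXY_LOG) + mail_protocol_from_non_mail_process(CONN_LOG):
        print("ALERT", hit)
```

Both checks are starting points for hunting rather than a signature for the campaign itself; tune the allow-list and host patterns to your own environment.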
Disco was built for the embassy attacks, but Nightclub was first developed in 2014 (and has been iterated on three times since). Exactly how the group flew under the radar for nearly a decade comes down to a couple of factors, Faou says.
“First, they’re not compromising many victims — we only see a few targets per year,” he points out.
“And on a technical level,” he adds, “I’d say it’s a quite sophisticated campaign. It’s not something that we’re seeing very often.”