MoustachedBouncer: AitM-Powered Surveillance via Belarus ISPs
Cyber espionage group MoustachedBouncer targets Belarusian diplomatic interests with stealthy attacks, compromising networks and intercepting traffic for espionage.
- MoustachedBouncer is a cyber espionage group that targets foreign diplomats in Belarus; its intrusions are stealthy and stage stolen data on SMB shares.
- The group compromises its targets with adversary-in-the-middle (AitM) attacks at the ISP level, intercepting their traffic and modifying it to deliver malware and gather data.
- The group’s main motivation is spying on their targets, stealing confidential information, and using plugins such as keyloggers and file stealers.
- The group was identified to have been operating for almost 10 years, targeting foreign diplomats in Belarus without gaining much public attention until today.
- Files are exfiltrated over SMB shares, and the AitM position means the group can selectively reach traffic for specific IP addresses in Belarus.
- The group also uses plugins such as audio recorders, screenshotters, and a DNS-based backdoor.
- Winter Vivern (garbled as "winter-driven" in the transcript), a separate group discussed alongside MoustachedBouncer, has been observed spreading malware from infected devices and stealing credentials.
- Deny SMB traffic from internal networks to the internet: the group's exfiltration and payload delivery depend on outbound SMB reachability, and blocking it cuts that channel.
- Winter Vivern uses a simple PowerShell backdoor and steals webmail credentials by exploiting Zimbra vulnerabilities.
- The operators are not native English speakers, judging from the typos and unpolished UI in the malware.
- It is recommended to use end-to-end encrypted VPN tunnels exiting in trusted locations to prevent AITM attacks.
- One analyzed configuration file (GFF45.CLG) contained a domain used for the malware's DNS A-record queries.
- The group has been observed using various DNS servers and mail servers to send and receive emails.
- Notable characteristics of the malware: the RSA private key is hard-coded in the sample, and the plugins were not served from the server named in the SMB path, which kept incident responders from retrieving them for analysis.
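The outbound-SMB point above is the one control a network defender can verify immediately: if SMB to the internet is supposed to be blocked, any connection that still gets out is either a gap in the policy or the exfiltration channel in use. The following is an added example, not code from the original talk or from ESET, that flags SMB connections leaving the internal network in Zeek-style conn.log lines. The log lines, the field order and the address ranges treated as internal are constructed assumptions.

```python
"""Flag outbound SMB connections (TCP 139/445 from an internal host to an
external address) in Zeek-style conn.log lines. Added example, not from the
original page; the sample log and the internal ranges are assumptions."""
import ipaddress

# Constructed sample in Zeek conn.log column order; NOT a real capture.
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1691500000.1\tC1\t10.20.30.40\t49152\t10.20.30.5\t445\ttcp\tsmb
1691500001.2\tC2\t10.20.30.40\t49153\t203.0.113.10\t445\ttcp\tsmb
1691500002.3\tC3\t10.20.30.41\t49154\t198.51.100.7\t139\ttcp\t-
1691500003.4\tC4\t10.20.30.42\t49155\t203.0.113.10\t443\ttcp\tssl
1691500004.5\tC5\t172.16.5.9\t49156\t203.0.113.22\t445\tudp\t-
"""

FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service")
SMB_PORTS = {139, 445}

# Explicit internal ranges (RFC 1918 plus loopback and link-local). Python's
# ip_address(...).is_private also covers documentation ranges such as
# 203.0.113.0/24, which would hide external destinations in the sample, so an
# explicit list is used instead. Adjust to your own address plan.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into dicts; skip '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip it rather than abort the pass
        rec = dict(zip(FIELDS, parts))
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        records.append(rec)
    return records


def is_internal(addr):
    """True when the address falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_outbound_smb(records):
    """Return records where an internal host speaks SMB (TCP 139/445) to an
    external destination. UDP to 445 is not SMB over TCP and is ignored, as
    is SMB between two internal hosts."""
    hits = []
    for rec in records:
        if rec["proto"] != "tcp" or rec["resp_p"] not in SMB_PORTS:
            continue
        if is_internal(rec["orig_h"]) and not is_internal(rec["resp_h"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_outbound_smb(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{hit['uid']}: {hit['orig_h']} -> "
              f"{hit['resp_h']}:{hit['resp_p']} ({hit['proto']})")
```

Run over the constructed sample, only C2 and C3 are flagged: C1 is internal-to-internal SMB, C4 is TLS on 443, and C5 is UDP. Any hit on a network where the egress firewall is meant to deny SMB is worth an immediate look, since it is exactly the path the talk says the group uses to move files out.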