The cyberespionage group known as ‘MoustachedBouncer’ has been discovered employing sophisticated adversary-in-the-middle (AiTM) attacks to infiltrate foreign embassies in Belarus, as revealed in a report by ESET.
Furthermore, this group, believed to have been active since at least 2014, has conducted five distinct campaigns using AiTM tactics at Belarusian ISPs since 2020. The attackers manipulate network traffic at the ISP level, often redirecting victims to seemingly legitimate but fake websites, particularly exploiting Windows 10 installations behind captive portals.
These attacks have utilized malware frameworks called ‘NightClub’ and ‘Disco’ to execute data theft, screenshots, audio recording, and more.
MoustachedBouncer’s AiTM attacks involve tricking targeted Windows 10 devices into believing they are behind captive portals through manipulation of network traffic at the ISP level. The group has been observed targeting the state-owned ISP Beltelecom and the largest private ISP, Unitary Enterprise AI, with a focus on IP ranges. Victims are redirected to fake Windows Update URLs, leading to the download of malicious files.
Notably, the attackers have shown significant evolution in their malware, with ‘NightClub’ and ‘Disco’ frameworks utilized since 2014 and 2020, respectively. These malware tools demonstrate sophistication through features like keylogging, DNS-tunneling backdoors, and more.
The ‘MoustachedBouncer’ group’s recent campaigns exemplify their growing audacity and effectiveness, exploiting lax security practices and utilizing AiTM attacks to compromise networks. Their tactics highlight the need for heightened cybersecurity measures, particularly among diplomats and embassy employees in Belarus.
ESET suggests the use of end-to-end encrypted VPN tunnels as a defense against these AiTM attacks, emphasizing the importance of robust cybersecurity practices in an increasingly complex threat landscape.