
Researchers have revealed that the cyberespionage group MoustachedBouncer has been targeting foreign embassies in Belarus since at least 2014. The group uses the adversary-in-the-middle technique, carrying out its attacks at the ISP level inside Belarus to compromise targets. A medium-confidence assessment suggests the hackers act in the interests of the Belarusian state.
Furthermore, the group has concentrated on embassies from four countries: two from Europe, one from South Asia, and one from Africa. Notably, researchers have also detected potential collaboration between MoustachedBouncer and another active threat group known as Winter Vivern, which targeted European diplomats and was discovered in 2021.
MoustachedBouncer’s tactics involve tampering with victims’ internet access, likely at the ISP level, to make Windows systems believe they are behind a captive portal. Such portals are common on public Wi-Fi networks, where users must authenticate before gaining internet access. The hackers then manipulate the victims’ traffic to display a seemingly genuine but fraudulent Windows Update URL. This fake update page prompts users to install critical security updates that contain malicious executables.
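Windows decides it is behind a captive portal when its connectivity probe does not come back as expected, so a defender can watch that probe result. The following is an added example, not code from the original article or from ESET; the probe URL and expected body are Windows' documented NCSI defaults, and the HTTP responses are constructed samples (the redirect host is a placeholder), not captures from the reported attacks.

```python
"""Classify what a Windows NCSI connectivity probe returned.

Windows fetches http://www.msftconnecttest.com/connecttest.txt and expects
HTTP 200 with the exact body "Microsoft Connect Test". Anything else, such as a
redirect to a "sign-in" or "update" page, makes Windows report a captive portal
and open its sign-in browser, which is the behaviour the article describes.
"""
from dataclasses import dataclass

EXPECTED_BODY = b"Microsoft Connect Test"  # documented NCSI probe body


@dataclass
class ProbeVerdict:
    verdict: str  # GENUINE, CAPTIVE_REDIRECT or TAMPERED_BODY
    detail: str


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body


def classify_ncsi_probe(raw: bytes) -> ProbeVerdict:
    """Flag any probe answer that is not the genuine Microsoft response."""
    status, headers, body = parse_http_response(raw)
    if status == 200 and body.strip() == EXPECTED_BODY:
        return ProbeVerdict("GENUINE", "probe body matches")
    if 300 <= status < 400 and "location" in headers:
        # A redirect is exactly what a captive portal (or an on-path
        # manipulator imitating one) injects into the probe.
        return ProbeVerdict("CAPTIVE_REDIRECT", f"redirected to {headers['location']}")
    return ProbeVerdict("TAMPERED_BODY", f"status {status}, body {body[:40]!r}")


# Constructed sample responses (not real captures).
GENUINE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                    b"Microsoft Connect Test")
REDIRECT_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                     b"Location: http://updates.example.invalid/portal\r\n\r\n")
HTML_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><body>Critical update required</body></html>")

if __name__ == "__main__":
    for sample in (GENUINE_RESPONSE, REDIRECT_RESPONSE, HTML_RESPONSE):
        v = classify_ncsi_probe(sample)
        print(f"{v.verdict:16} {v.detail}")
```

On a monitored network the same logic can be run over proxy or packet-capture logs for requests to the probe host, alerting on any non-genuine verdict.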
These attacks leveraged two ISP networks: Unitary Enterprise A1 and Beltelecom. This implies potential vulnerabilities in the confidentiality and integrity of data from these ISPs. To counter such threats, ESET Research recommends that foreign organizations in Belarus employ an end-to-end encrypted VPN tunnel for secure internet connectivity, ideally from a trusted network and through an out-of-band channel.
Adversary-in-the-middle attacks often rely on “lawful interception” surveillance infrastructure, which is frequently utilized by security services in countries like Russia to closely monitor ISP internet traffic. This strategic approach closely mirrors the tactics employed by other threat actors such as Turla and StrongPity, who specialize in manipulating software installers at the ISP level.
Furthermore, MoustachedBouncer’s malware techniques for intercepting traffic have evolved notably over time. Having initially relied on email protocols (SMTP and IMAP), the group has moved to a simpler dropper. This evolved toolset allows them not only to capture screenshots but also to record audio and stealthily steal files.