Cybershpion group called Moustachedbouncer used Attacks “Man-in-the-Middle” (MITM) to hack the systems of foreign embassies in Belarus.
According to the ESET report published yesterday, the researchers discovered five separate campaigns conducted allegedly since 2014. Since 2020, attackers have been carrying out MITM attacks through Belarusian Internet providers.
Mainly hackers preferred two programs – “Nightclub” and “Disco”. They allow, for example, to steal data, make screenshots, and record audio.
Mitm attacks
ESET believes that hackers are breaking the infrastructure of providers or conspiring with subjects who have access to the networks of Belarusian operators.
Using “Man-in-The-Middle”, the attackers intercepted traffic from target computers and redirected requests to check the connection to fake HTML pages with Windows updates.
On the fake site using JavaScript, the “get updates” button is displayed. When pressed, a zip archive is loaded.
This file contains a malicious program in the GO language. It creates a task that is launched every minute and downloads another executable file – a malicious bootloader, supposedly from the IP address Google Cloud.
Malicious program Nightclub
Nightclub is the first malicious program that the group was operating. ESET found its samples according to information for 2014, 2017, 2020, and 2022.
Early versions could track traffic and send information by SMTP (a protocol for email transmission), as well as contact a command server. Later, the authors added a stability mechanism and a keylogger.
The latest version of Nightclub, used by hackers in 2020-2022, contains new screenshots, records of audio, keylogging, and a tunnel of the C2 reverse tunnel (server for remote control and control of malicious software).
DNS reverse tunnel implements additional commands working with files, processes, and catalogs.
The new Nightclub uses a closed RSA-2048 key for encryption of lines and