ATT&CK v15 has been released! Check out the blog post or release notes for more information.

MoustachedBouncer

MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.^[1]

ID: G1019

Version: 1.0

Created: 25 September 2023

Last Modified: 26 September 2023

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	MoustachedBouncer has used plugins to execute PowerShell scripts.^[1]
		.007	Command and Scripting Interpreter: JavaScript	MoustachedBouncer has used JavaScript to deliver malware hosted on HTML pages.^[1]
Enterprise	T1659		Content Injection	MoustachedBouncer has injected content into DNS, HTTP, and SMB replies to redirect specifically-targeted victims to a fake Windows Update page to download malware.^[1]
Enterprise	T1074	.002	Data Staged: Remote Data Staging	MoustachedBouncer has used plugins to save captured screenshots to `.\AActdata\` on an SMB share.^[1]
Enterprise	T1068		Exploitation for Privilege Escalation	MoustachedBouncer has exploited CVE-2021-1732 to execute malware components with elevated rights.^[1]
Enterprise	T1027	.002	Obfuscated Files or Information: Software Packing	MoustachedBouncer has used malware plugins packed with Themida.^[1]
Enterprise	T1090		Proxy	MoustachedBouncer has used a reverse proxy tool similar to the GitHub repository revsocks.^[1]
Enterprise	T1113		Screen Capture	MoustachedBouncer has used plugins to take screenshots on targeted systems.^[1]
Mobile	T1655	.001	Masquerading: Match Legitimate Name or Location	MoustachedBouncer has used legitimate looking filenames for malicious executables including MicrosoftUpdate845255.exe.^[1]

Software

ID	Name	References	Techniques
S1088	Disco	^[1]	Application Layer Protocol: File Transfer Protocols, Content Injection, Ingress Tool Transfer, Scheduled Task/Job: Scheduled Task, User Execution: Malicious File
S1090	NightClub	^[1]	Application Layer Protocol: DNS, Application Layer Protocol: Mail Protocols, Application Window Discovery, Audio Capture, Create or Modify System Process: Windows Service, Data Encoding: Non-Standard Encoding, Data from Local System, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Modify Registry, Native API, Obfuscated Files or Information, Peripheral Device Discovery, Process Discovery, Screen Capture
S1089	SharpDisco	^[1]	Application Layer Protocol: File Transfer Protocols, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: Hidden Window, Ingress Tool Transfer, Native API, Peripheral Device Discovery, Scheduled Task/Job: Scheduled Task, System Information Discovery

References

Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.