NightClub

NightClub is a modular implant written in C++ that has been used by MoustachedBouncer since at least 2014.^[1]

ID: S1090

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 27 September 2023

Last Modified: 27 September 2023

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.003	Application Layer Protocol: Mail Protocols	NightClub can use emails for C2 communications.^[1]
		.004	Application Layer Protocol: DNS	NightClub can use a DNS tunneling plugin to exfiltrate data by adding it to the subdomain portion of a DNS request.^[1]
Enterprise	T1010		Application Window Discovery	NightClub can use `GetForegroundWindow` to enumerate the active window.^[1]
Enterprise	T1123		Audio Capture	NightClub can load a module to leverage the LAME encoder and `mciSendStringW` to control and capture audio.^[1]
Enterprise	T1543	.003	Create or Modify System Process: Windows Service	NightClub has created a Windows service named `WmdmPmSp` to establish persistence.^[1]
Enterprise	T1132	.002	Data Encoding: Non-Standard Encoding	NightClub has used a non-standard encoding in DNS tunneling removing any `=` from the result of base64 encoding, and replacing `/` characters with `-s` and `+` characters with `-p`.^[1]
Enterprise	T1005		Data from Local System	NightClub can use a file monitor to steal specific files from targeted systems.^[1]
Enterprise	T1074	.001	Data Staged: Local Data Staging	NightClub has copied captured files and keystrokes to the `%TEMP%` directory of compromised hosts.^[1]
Enterprise	T1041		Exfiltration Over C2 Channel	NightClub can use SMTP and DNS for file exfiltration and C2.^[1]
Enterprise	T1083		File and Directory Discovery	NightClub can use a file monitor to identify .lnk, .doc, .docx, .xls, .xslx, and .pdf files.^[1]
Enterprise	T1070	.006	Indicator Removal: Timestomp	NightClub can modify the Creation, Access, and Write timestamps for malicious DLLs to match those of the genuine Windows DLL user32.dll.^[1]
Enterprise	T1105		Ingress Tool Transfer	NightClub can load multiple additional plugins on an infected host.^[1]
Enterprise	T1056	.001	Input Capture: Keylogging	NightClub can use a plugin for keylogging.^[1]
Enterprise	T1036	.004	Masquerading: Masquerade Task or Service	NightClub has created a service named `WmdmPmSp` to spoof a Windows Media service.^[1]
		.005	Masquerading: Match Legitimate Name or Location	NightClub has chosen file names to appear legitimate including EsetUpdate-0117583943.exe for its dropper.^[1]
Enterprise	T1112		Modify Registry	NightClub can modify the Registry to set the ServiceDLL for a service created by the malware for persistence.^[1]
Enterprise	T1106		Native API	NightClub can use multiple native APIs including `GetKeyState`, `GetForegroundWindow`, `GetWindowThreadProcessId`, and `GetKeyboardLayout`.^[1]
Enterprise	T1027		Obfuscated Files or Information	NightClub can obfuscate strings using the congruential generator `(LCG): staten+1 = (690069 × staten + 1) mod 232`.^[1]
Enterprise	T1120		Peripheral Device Discovery	NightClub has the ability to monitor removable drives.^[1]
Enterprise	T1057		Process Discovery	NightClub has the ability to use `GetWindowThreadProcessId` to identify the process behind a specified window.^[1]
Enterprise	T1113		Screen Capture	NightClub can load a module to call `CreateCompatibleDC` and `GdipSaveImageToStream` for screen capture.^[1]

Groups That Use This Software

ID	Name	References
G1019	MoustachedBouncer	^[1]

References

Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.

NightClub

Enterprise Layer

Techniques Used

Groups That Use This Software

References