NightClub is a modular implant written in C++ that has been used by MoustachedBouncer since at least 2014.[1]

ID: S1090
Platforms: Windows
Version: 1.0
Created: 27 September 2023
Last Modified: 27 September 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 .003 Application Layer Protocol: Mail Protocols

NightClub can use emails for C2 communications.[1]

Enterprise T1071 .004 Application Layer Protocol: DNS

NightClub can use a DNS tunneling plugin to exfiltrate data by adding it to the subdomain portion of a DNS request.[1]

Enterprise T1010 Application Window Discovery

NightClub can use GetForegroundWindow to enumerate the active window.[1]

Enterprise T1123 Audio Capture

NightClub can load a module to leverage the LAME encoder and mciSendStringW to control and capture audio.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

NightClub has created a Windows service named WmdmPmSp to establish persistence.[1]

Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

NightClub has used a non-standard encoding in DNS tunneling: it removes any = padding from the base64-encoded result, then replaces / characters with -s and + characters with -p.[1]
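The encoding above is fully specified by the entry, so an analyst can reverse it to recover what a tunnelling query carried. The decoder and log scan below are an added example, not NightClub's or MITRE's code. The C2 domain, the log line format and the sample query names are constructed; the rule that a payload longer than one DNS label is split across consecutive labels, and the minimum-length threshold used to skip ordinary hostnames, are assumptions of this example and not statements from the entry.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Added example, not NightClub's or MITRE's code. Reverses the encoding the
# entry describes (base64 with '=' padding removed, '/' written as "-s" and
# '+' written as "-p") so payloads seen in DNS logs can be recovered.

C2_DOMAIN = "c2.example.invalid"   # placeholder: the real domain is not on the page
MIN_ENCODED_CHARS = 12             # assumption / tuning heuristic: skip short ordinary labels

# Only base64 letters/digits and the two escape pairs may appear.
_ALPHABET_RE = re.compile(r"^(?:[A-Za-z0-9]|-[sp])+$")


def nightclub_decode(encoded: str) -> bytes:
    """Decode one payload string written in the DNS alphabet the entry describes."""
    if not _ALPHABET_RE.fullmatch(encoded):
        raise ValueError("characters outside the NightClub alphabet")
    b64 = encoded.replace("-s", "/").replace("-p", "+")
    missing = (-len(b64)) % 4          # padding the malware stripped
    if missing == 3:                   # length 1 mod 4 is never valid base64
        raise ValueError("invalid base64 length")
    return base64.b64decode(b64 + "=" * missing, validate=True)


def extract_payload(qname: str, c2_domain: str) -> Optional[bytes]:
    """Return the payload carried in qname's subdomain labels, or None when the
    name is not a tunnelling query for c2_domain."""
    name = qname.rstrip(".")
    suffix = "." + c2_domain
    if not name.lower().endswith(suffix.lower()):
        return None
    # Assumption: a long payload is split across labels in order, so re-join
    # them. The subdomain's case is kept because base64 is case-sensitive.
    encoded = name[: -len(suffix)].replace(".", "")
    if len(encoded) < MIN_ENCODED_CHARS:
        return None
    try:
        return nightclub_decode(encoded)
    except (ValueError, binascii.Error):
        return None


def scan_dns_log(lines: List[str], c2_domain: str) -> List[Tuple[str, str, bytes]]:
    """Scan constructed log lines of the form '<time> <client> <qname>' and
    return (client, qname, payload) for each query that decodes."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        payload = extract_payload(parts[2], c2_domain)
        if payload is not None:
            hits.append((parts[1], parts[2], payload))
    return hits


# Constructed sample log (not captured traffic). The encoded label carries the
# constructed payload b"id=7;???>>>", chosen because its base64 form
# "aWQ9Nzs/Pz8+Pj4=" contains '/', '+' and padding.
SAMPLE_LOG = [
    "2023-09-27T10:00:01Z 10.0.0.5 aWQ9Nzs-sPz8-pPj4." + C2_DOMAIN,
    "2023-09-27T10:00:02Z 10.0.0.5 aWQ9Nzs-s.Pz8-pPj4." + C2_DOMAIN,
    "2023-09-27T10:00:03Z 10.0.0.7 www." + C2_DOMAIN,
    "2023-09-27T10:00:04Z 10.0.0.7 mail.example.org",
]

if __name__ == "__main__":
    for client, qname, payload in scan_dns_log(SAMPLE_LOG, C2_DOMAIN):
        print(f"{client} {qname} -> {payload!r}")
```

Because '-' never occurs in standard base64 output, the two escape pairs are unambiguous and the order of the replacements does not matter. Strict decoding (`validate=True`) is deliberate: a label that merely looks base64-like but fails to decode should not be reported as a hit.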

Enterprise T1005 Data from Local System

NightClub can use a file monitor to steal specific files from targeted systems.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

NightClub has copied captured files and keystrokes to the %TEMP% directory of compromised hosts.[1]

Enterprise T1041 Exfiltration Over C2 Channel

NightClub can use SMTP and DNS for file exfiltration and C2.[1]

Enterprise T1083 File and Directory Discovery

NightClub can use a file monitor to identify .lnk, .doc, .docx, .xls, .xlsx, and .pdf files.[1]

Enterprise T1070 .006 Indicator Removal: Timestomp

NightClub can modify the Creation, Access, and Write timestamps for malicious DLLs to match those of the genuine Windows DLL user32.dll.[1]
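A DLL whose three timestamps are identical to those of user32.dll on the same host is the artefact this behaviour leaves behind, and it is cheap to check for. The checker below is an added example, not NightClub's or MITRE's code; the suspect paths and the nanosecond timestamp values in the sample records are constructed, and the minimal record type and function names are this example's own.

```python
import os
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Added example, not NightClub's or MITRE's code. Flags files whose creation,
# access and write times all equal those of a reference file, the artefact the
# entry describes (malicious DLLs timestomped to match user32.dll).


@dataclass(frozen=True)
class FileTimes:
    path: str
    created_ns: int
    accessed_ns: int
    written_ns: int

    def triple(self) -> Tuple[int, int, int]:
        return (self.created_ns, self.accessed_ns, self.written_ns)


def collect_file_times(paths: Iterable[str]) -> List[FileTimes]:
    """Read the three timestamps with os.stat. On Windows st_ctime_ns is the
    creation time; on POSIX it is the inode change time, so run this on the
    suspect Windows host, not on a Linux copy of the files."""
    result = []
    for p in paths:
        st = os.stat(p)
        result.append(FileTimes(p, st.st_ctime_ns, st.st_atime_ns, st.st_mtime_ns))
    return result


def find_timestamp_clones(candidates: Iterable[FileTimes],
                          reference: FileTimes) -> List[FileTimes]:
    """Return every candidate (other than the reference itself) whose three
    timestamps match the reference exactly. A file matching on one or two of
    them is not reported: the entry describes all three being copied."""
    return [f for f in candidates
            if f.path.lower() != reference.path.lower()
            and f.triple() == reference.triple()]


# Constructed records (not from a real host): paths other than user32.dll and
# all timestamp values are invented for the example.
T = 1_566_000_000_000_000_000
REFERENCE = FileTimes(r"C:\Windows\System32\user32.dll", T, T, T)
SAMPLE_RECORDS = [
    REFERENCE,
    FileTimes(r"C:\ProgramData\example\plugin.dll", T, T, T),          # all three cloned
    FileTimes(r"C:\ProgramData\example\helper.dll", T, T + 5, T + 5),  # only creation matches
    FileTimes(r"C:\Windows\System32\kernel32.dll", T - 9, T + 1, T - 9),
]

if __name__ == "__main__":
    for hit in find_timestamp_clones(SAMPLE_RECORDS, REFERENCE):
        print("timestamps identical to user32.dll:", hit.path)
```

Compare against the live user32.dll on the host being examined, since its timestamps differ between Windows builds. `os.stat` reads the NTFS $STANDARD_INFORMATION times, which is what timestomping tools usually alter; on a disk image the $FILE_NAME attribute of the same MFT record, which such tools rarely touch, gives a second set of timestamps to compare against.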

Enterprise T1105 Ingress Tool Transfer

NightClub can load multiple additional plugins on an infected host.[1]

Enterprise T1056 .001 Input Capture: Keylogging

NightClub can use a plugin for keylogging.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

NightClub has created a service named WmdmPmSp to spoof a Windows Media service.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

NightClub has chosen file names to appear legitimate including EsetUpdate-0117583943.exe for its dropper.[1]

Enterprise T1112 Modify Registry

NightClub can modify the Registry to set the ServiceDLL for a service created by the malware for persistence.[1]

Enterprise T1106 Native API

NightClub can use multiple native APIs including GetKeyState, GetForegroundWindow, GetWindowThreadProcessId, and GetKeyboardLayout.[1]

Enterprise T1027 Obfuscated Files or Information

NightClub can obfuscate strings using a linear congruential generator (LCG): state_{n+1} = (690069 × state_n + 1) mod 2^32.[1]
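The recurrence above is all the entry gives, and it is enough to reproduce the generator and to note one property of it. The code below is an added example, not NightClub's or MITRE's code: it implements the stated recurrence, checks the Hull-Dobell full-period condition for a power-of-two modulus, and, as an assumption for illustration only, shows string recovery by XORing with the low byte of each state. The entry does not say how the states are combined with the string bytes, so that combination, the seed and the sample string are constructed.

```python
from typing import List

# Added example, not NightClub's or MITRE's code. Implements the recurrence
# the entry gives for NightClub's string obfuscation and checks its period.

MULTIPLIER = 690069
INCREMENT = 1
MODULUS_BITS = 32
MASK = (1 << MODULUS_BITS) - 1


def lcg_next(state: int) -> int:
    """state_{n+1} = (690069 * state_n + 1) mod 2^32."""
    return (MULTIPLIER * state + INCREMENT) & MASK


def lcg_states(seed: int, count: int) -> List[int]:
    """The first `count` states that follow `seed`."""
    states = []
    state = seed & MASK
    for _ in range(count):
        state = lcg_next(state)
        states.append(state)
    return states


def has_full_period(a: int, c: int, bits: int) -> bool:
    """Hull-Dobell conditions for modulus 2^bits (bits >= 2): c must be odd and
    a - 1 must be a multiple of 4. When they hold, every state occurs exactly
    once per 2^bits steps, so the sequence never repeats early."""
    return bits >= 2 and c % 2 == 1 and (a - 1) % 4 == 0


def keystream(seed: int, length: int) -> bytes:
    """Assumption for illustration (the entry does not say how states become
    bytes): take the low byte of each successive state."""
    return bytes(s & 0xFF for s in lcg_states(seed, length))


def xor_with_keystream(data: bytes, seed: int) -> bytes:
    """Assumed combination for illustration: XOR each byte with the keystream.
    XOR is its own inverse, so the same call obfuscates and deobfuscates."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed, len(data))))


if __name__ == "__main__":
    # Constructed seed and plaintext; neither is taken from the malware.
    seed = 0x1234
    sample = b"constructed sample string"
    obfuscated = xor_with_keystream(sample, seed)
    print(obfuscated.hex())
    print(xor_with_keystream(obfuscated, seed))   # recovers the sample
    print("full period:", has_full_period(MULTIPLIER, INCREMENT, MODULUS_BITS))
```

With a = 690069 (a - 1 = 690068 = 4 × 172517) and c = 1, the generator has the full period of 2^32, so the only parameter an analyst needs from a sample is the seed; once it is known, the whole state sequence follows. The bitmask `& MASK` implements the mod 2^32 of the entry's formula without ever building a large integer.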

Enterprise T1120 Peripheral Device Discovery

NightClub has the ability to monitor removable drives.[1]

Enterprise T1057 Process Discovery

NightClub has the ability to use GetWindowThreadProcessId to identify the process behind a specified window.[1]

Enterprise T1113 Screen Capture

NightClub can load a module to call CreateCompatibleDC and GdipSaveImageToStream for screen capture.[1]

Groups That Use This Software

ID Name References
G1019 MoustachedBouncer