Foreign embassies in Belarus have been targeted by a cyberespionage group that appears to leverage adversary-in-the-middle (AitM) techniques through internet service providers (ISPs) in the country, according to a new report from ESET.
Dubbed MoustachedBouncer, the threat actor has been around since at least 2014 and it has apparently started using AimT attacks in 2020. The group is believed to be operating on behalf of the Belarusian government.
ESET is aware of attacks against the Belarusian embassies of four countries: two in Europe, one in Africa, and one in South Asia.
The security company’s researchers have identified several pieces of malware used by the cyberspies, including ones named NightClub, Disco, and SharpDisco. The malware and their plugins enable the attackers to monitor files and exfiltrate data from compromised systems, including files, screenshots and audio recordings.
At least some of these malware families are believed to have been delivered using AitM attacks at the ISP level, with the traffic of targeted IP addresses being redirected to a fake Windows update site set up to distribute malware. ESET has named two Belarusian ISPs that…
