MoustachedBouncer

MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.[1]

ID: G1019
Version: 1.0
Created: 25 September 2023
Last Modified: 16 April 2025

Techniques Used

Domain ID Name Use
Enterprise T1090 Proxy

MoustachedBouncer has used a reverse proxy tool similar to the GitHub repository revsocks.[1]

Enterprise T1659 Content Injection

MoustachedBouncer has injected content into DNS, HTTP, and SMB replies to redirect specifically targeted victims to a fake Windows Update page to download malware.[1]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

MoustachedBouncer has used plugins to execute PowerShell scripts.[1]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

MoustachedBouncer has used JavaScript to deliver malware hosted on HTML pages.[1]

Enterprise T1113 Screen Capture

MoustachedBouncer has used plugins to take screenshots on targeted systems.[1]

Enterprise T1074.002 Data Staged: Remote Data Staging

MoustachedBouncer has used plugins to save captured screenshots to .\AActdata\ on an SMB share.[1]

Enterprise T1068 Exploitation for Privilege Escalation

MoustachedBouncer has exploited CVE-2021-1732 to execute malware components with elevated rights.[1]

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

MoustachedBouncer has used malware plugins packed with Themida.[1]

Mobile T1655.001 Masquerading: Match Legitimate Name or Location

MoustachedBouncer has used legitimate-looking filenames for malicious executables, including MicrosoftUpdate845255.exe.[1]

Software

References