MoustachedBouncer: AitM-Powered Surveillance via Belarus ISPs

Black Hat
1.7K views - 9 months ago

An APT group conducting long-term espionage against diplomats, leveraging email-based C&C protocols, C++ modular backdoors, and adversary-in-the-middle (AitM) attacks… Sounds like the infamous Turla? Think again! We will introduce MoustachedBouncer: a group that's avoided the spotlight while displaying highly advanced capabilities that very much put the "A" in APT.

MoustachedBouncer has been using AitM in Belarus to redirect potential targets during captive portal checks. Targeted diplomats are shown fake Windows Update warnings and end up compromised with a custom malware family that we have named Disco. We believe that the tampering is done at the ISP level against specific IP addresses, possibly using SORM devices installed at the country's ISPs, suggesting MoustachedBouncer has full access to the backends of several Belarusian ISPs…

By: Matthieu Faou

Full Abstract and Presentation Materials: https://www.blackhat.com/us-23/briefings/schedule/#moustachedbouncer-aitm-powered-surveillance-via-belarus-isps-31833
Published 9 months ago, on 1402/10/14.
1,762 views