
ESET wins long-running patent dispute against Finjan

Jury vindicates ESET following eight-year court battle 

BRATISLAVA — September 14, 2023 — ESET has welcomed a California federal jury’s ruling in its favor, finding that the leading digital security provider did not infringe patents held by Finjan Holdings LLC.

The court case focused on a number of ESET’s products and technologies, including ThreatSense, LiveGrid and LiveGuard, which protect over a billion users worldwide. Despite Finjan’s claims that its patents were infringed upon, ESET staunchly defended its position and received a favorable judgment.

The ruling draws to a close a lengthy legal dispute which started in 2015 and encountered a mistrial in March 2020 due to the impending danger of the COVID-19 pandemic. Finjan was originally seeking tens of millions of dollars in compensation. “Describing this legal case as a battle is entirely accurate,” said Richard Marko, CEO of ESET. “We have dedicated significant resources to fighting the claims, both in terms of legal fees and internal human resources. However, when faced with spurious accusations, our company values guide us to maintain our integrity and courage — conceding was never an option, as we always believed in our evaluation that our technologies do not infringe their patents.”

Juraj Malcho, ESET’s chief technology officer, added, “Defending is in our nature. We are passionate about cybersecurity and take pride in developing the best security technologies possible. With decades of experience at our disposal, having invented and implemented numerous efficient protective layers, we have enough arguments to defend against unfounded patent infringement claims.”

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

ESET Research: Iran-aligned Ballistic Bobcat targets businesses in Israel with a new backdoor

  • ESET Research has discovered a new backdoor, Sponsor, deployed by the Iran-aligned Ballistic Bobcat APT group.
  • Sponsor was deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates; we have named this activity the Sponsoring Access campaign.
  • Ballistic Bobcat engaged in scan-and-exploit behavior, as opposed to a targeted campaign against preselected victims. The victims comprise diverse business verticals.
  • The Sponsor backdoor uses configuration files stored on disk. These files are discreetly deployed by batch files, and deliberately designed to appear innocuous, in an attempt to evade detection by scanning engines.

BRATISLAVA, MONTREAL — September 11, 2023 — ESET researchers have discovered a campaign by the Ballistic Bobcat group, which is using a novel backdoor that ESET has named Sponsor. Ballistic Bobcat, previously tracked by ESET Research as APT35/APT42 (also known as Charming Kitten, TA453, or PHOSPHORUS), is a suspected Iran-aligned advanced persistent threat group that targets education, government, and healthcare organizations, as well as human rights activists and journalists. It is most active in Israel, the Middle East, and the United States. Its aim is cyberespionage, and a significant majority of the 34 victims were located in Israel, with only two located in Brazil and the UAE. In Israel, the automotive, manufacturing, engineering, financial services, media, healthcare, technology and telecommunications verticals have been attacked.

For 16 of the 34 victims of the newly discovered campaign, named Sponsoring Access, it appears that Ballistic Bobcat was not the only threat actor with access to their systems. This may indicate, along with the wide variety of victims and the apparent lack of obvious intelligence value of a few victims, that Ballistic Bobcat engaged in scan-and-exploit behavior, as opposed to a targeted campaign against preselected victims.

Thus, Ballistic Bobcat continues to look for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers. “The group continues to use a diverse, open-source toolset supplemented with several custom applications, including the newly discovered Sponsor backdoor. Defenders would be well advised to patch any internet-exposed devices and remain vigilant for new applications popping up within their organizations,” says ESET researcher Adam Burgher, who discovered the Sponsor backdoor and analyzed the latest Ballistic Bobcat campaign.

The Sponsor backdoor uses configuration files stored on disk. These files are discreetly deployed by batch files, and deliberately designed to appear innocuous, in an attempt to evade detection by scanning engines. Ballistic Bobcat deployed the new backdoor in September 2021, while it was wrapping up the campaign documented in CISA Alert AA21-321A and the PowerLess campaign.

During the pandemic, Ballistic Bobcat was targeting COVID-19-related organizations, including the World Health Organization and Gilead Pharmaceuticals, and medical research personnel.

For more technical information about Ballistic Bobcat and its Sponsoring Access campaign, check out the blogpost, “Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor,” on WeLiveSecurity. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Geographical distribution of entities targeted by Ballistic Bobcat with the Sponsor backdoor


Mitigating risk – data loss prevention helps prevent security disasters

Organizations have increasingly become targets of hacking that results in massive data breaches, calling attention both to the growing importance of proper cybersecurity software and to the need for an overall change in security strategy.

According to a recent report, the average cost of a data breach globally in 2022 reached $4.35 million, up from the previous year. In the United States alone, the average cost is as high as $9.44 million – a staggering number, with businesses raising prices to cover the resulting costs.

While mitigating cyber threats is challenging, having a sound security strategy to tackle them is key. Among the strategies employed is data loss prevention (DLP), which should be part of any company’s data protection repertoire.

What is data loss prevention, and how does it work?

DLP is designed to prevent accidental or intentional loss of data. The basic idea is to protect confidential data and information from fraudulent access, both within a company and outside it.

DLP supports data protection by classifying data into categories, identifying security violations, and automating certain processes, so that data management becomes easier to handle. Flagging data into categories based on confidentiality or access level is just one way DLP helps: access management is important in mitigating potential loss in the form of unwanted leaks, for example.

DLP can be run in-house by an internal IT team, but it can also be outsourced, depending on where the priorities of a business lie. With the sheer number of endpoint devices a company usually manages, it makes sense to use outside help to properly secure data on all of them, while letting the internal IT team tackle other matters. However, just like any business, DLP companies can also be the targets of attacks.

The various types of DLP

DLP solutions are adaptable, so they can be easily configured to suit any company’s needs. Depending on those needs, a company can pick from different DLP types, as each one has its own strengths and weaknesses.

For example, endpoint DLP focuses on securing data on all company endpoints. It involves implementing user monitoring and other security policies to prevent data loss, while providing visibility into data usage on devices.

However, since data is not stored on, or moved through, endpoint devices alone, there is also network DLP, which monitors data in use across an organization’s network. It can identify and prevent unauthorized movement of data because it sees how various forms of data move on the network – who accessed what, and when – which is very useful when looking for anomalous behavior.

Also worth mentioning is a distinct subset of network DLP. As organizations increasingly adopt cloud services, protecting the data stored on them becomes important. This is where cloud DLP comes in: it helps protect data that businesses store in cloud repositories. Sometimes a business grants partners access to its cloud storage, for example, in which case cloud DLP is very useful for warding off potential data security failures.

These three types of DLP solutions can also work together to provide comprehensive protection across the different states of data: at rest, in motion, and in use. Implementing all three types can help organizations prevent data loss and maintain a proper data security posture.
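The classification and policy logic described above (categorizing data by confidentiality, flagging violations, and automating the decision) can be sketched in a few lines. The following is an added example written for this page, not code from ESET, Safetica or any DLP product. It assumes three hypothetical classification levels (PUBLIC, INTERNAL, CONFIDENTIAL), three hypothetical destinations (an internal file share, a partner-shared cloud repository, and outside personal mail), and two detectors: payment card numbers validated with the Luhn checksum, and e-mail addresses. The same classify-then-decide step is what an endpoint, network or cloud DLP agent applies at its own enforcement point; only the destination differs.

```python
"""Toy DLP content classifier and transfer policy (added example, hypothetical)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return normalized card numbers that pass Luhn; rejects look-alikes such as order refs."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Classification:
    level: str
    findings: List[str] = field(default_factory=list)


def classify(text: str) -> Classification:
    """Assign a confidentiality level from what the detectors find in the content."""
    findings = []
    pans = find_pans(text)
    if pans:
        findings.append(f"pan:{len(pans)}")
    if "CONFIDENTIAL" in text:          # explicit document marking (hypothetical convention)
        findings.append("marking:confidential")
    emails = EMAIL_RE.findall(text)
    if emails:
        findings.append(f"email:{len(emails)}")
    if pans or "marking:confidential" in findings:
        level = "CONFIDENTIAL"
    elif emails:
        level = "INTERNAL"              # personal data, but not payment data
    else:
        level = "PUBLIC"
    return Classification(level, findings)


# Hypothetical policy: which destinations each level may be transferred to.
POLICY: Dict[str, set] = {
    "PUBLIC": {"corp_share", "cloud_partner", "personal_mail"},
    "INTERNAL": {"corp_share", "cloud_partner"},
    "CONFIDENTIAL": {"corp_share"},
}


def evaluate_transfer(text: str, destination: str) -> dict:
    """Classify the content and decide whether the transfer is allowed or blocked."""
    c = classify(text)
    allowed = destination in POLICY[c.level]
    return {"level": c.level, "findings": c.findings,
            "destination": destination, "action": "allow" if allowed else "block"}


# Constructed sample transfer events: (destination, content).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("personal_mail", "Lunch menu for Friday: soup, salad, sandwiches."),
    ("cloud_partner", "Contact list: alice@example.com, bob@example.com"),
    ("personal_mail", "Card on file 4111 1111 1111 1111 exp 09/27"),
    ("cloud_partner", "CONFIDENTIAL - Q3 pricing strategy draft"),
    ("corp_share", "Refund to card 5555-5555-5555-4444"),
    ("personal_mail", "Order ref 1234 5678 9012 3456 shipped"),  # fails Luhn: not a card
]


def run(events: List[Tuple[str, str]] = SAMPLE_EVENTS) -> List[dict]:
    """Evaluate every sample event and return the decisions."""
    return [evaluate_transfer(content, dest) for dest, content in events]


if __name__ == "__main__":
    for decision in run():
        print(decision)
```

The Luhn check is what keeps a 16-digit order reference from being blocked as a card number; a real product adds many more detectors (document fingerprints, regulated identifiers, machine-learned classifiers) and logs the finding alongside the decision so that violations can be reviewed.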

Compliance – the added benefit of DLP

A company should have DLP for several reasons, including compliance with regulations, as many industries are subject to strict data protection and privacy regulations, such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI DSS) among others.

Specifically, since GDPR involves stringent measures on respecting user privacy and data, DLP gives the right amount of protection to shield companies from potential issues stemming from data breaches, for example.

ESET and Data Loss Prevention

ESET, as part of its technology alliance, has a trusted partner in Safetica, offering data loss prevention services with Safetica ONE and Safetica NXT, to prevent data leakage, guide staff on data protection, and to stay compliant with regulations.

While ESET protects you with award-winning endpoint security and detection and response solutions through the ESET PROTECT Platform, Safetica’s products add another layer of protection, securing data both inside and outside a company and tackling insider threats and data loss in an era of hybrid work, when endpoints and data can move all around the world.

To sum it up, having a well-functioning DLP toolset can help any organization in exercising proper data control. It is an enormously important component of any comprehensive data security strategy in today’s world of ever-evolving threats.


ESET Research: Spy apps by the China-aligned GREF group pose as Signal and Telegram; attack users in Europe and the US

  • ESET Research has discovered trojanized Signal and Telegram apps for Android, named Signal Plus Messenger and FlyGram, on Google Play and Samsung Galaxy Store; both apps were later removed from Google Play.
  • Signal Plus Messenger represents the first documented case of spying on a victim’s Signal communications by secretly autolinking the compromised device to the attacker’s Signal device.
  • The malicious code found in these apps is attributed to the BadBazaar malware family, which has been used in the past by a China-aligned APT group called GREF.
  • Thousands of users downloaded the spy apps. ESET telemetry reported detections on Android devices in several EU countries, the United States, Ukraine, and other places worldwide.
  • BadBazaar malware has previously been used to target Uyghurs and other Turkic ethnic minorities. FlyGram malware was also seen shared in an Uyghur Telegram group, which aligns with previous targeting by the BadBazaar malware family.

BRATISLAVA, KOŠICE — August 30, 2023 — ESET researchers have identified two active campaigns targeting Android users, in which the threat actors behind trojanized Telegram and Signal apps are attributed to the China-aligned APT group GREF. Most likely active since July 2020 and July 2022, respectively, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites posing as legitimate encrypted chat applications — the malicious apps are FlyGram and Signal Plus Messenger. The threat actors achieved the functionality of the fake Signal and Telegram apps by patching the open-source Signal and Telegram apps for Android with malicious code. Signal Plus Messenger is the first documented case of spying on a victim’s Signal communications; thousands of users downloaded the spy apps. ESET telemetry reported detections on Android devices in several EU countries, the United States, Ukraine, and other places worldwide. Both apps were later removed from Google Play.

“Malicious code from the BadBazaar family was hidden in trojanized Signal and Telegram apps, which provide victims a working app experience but with espionage happening in the background,” says ESET researcher Lukáš Štefanko, who made the discovery. “BadBazaar’s main purpose is to exfiltrate device information, the contact list, call logs, and the list of installed apps, and to conduct espionage on Signal messages by secretly linking the victim’s Signal Plus Messenger app to the attacker’s device,” he adds.

ESET telemetry reports detections from Australia, Brazil, Denmark, the Democratic Republic of the Congo, Germany, Hong Kong, Hungary, Lithuania, the Netherlands, Poland, Portugal, Singapore, Spain, Ukraine, the United States, and Yemen. Furthermore, a link to FlyGram in the Google Play store was also shared in a Uyghur Telegram group. Apps from the BadBazaar malware family have previously been used against Uyghurs and other Turkic ethnic minorities outside of China.

As a Google App Defense Alliance partner, ESET identified the most recent version of the Signal Plus Messenger as malicious and promptly shared its findings with Google. Following our alert, the app was removed from the Store. Both apps were created by the same developer and share the same malicious features, and the app descriptions on both stores refer to the same developer website.

After initial app start, the user has to log into Signal Plus Messenger via legitimate Signal functionality, just like they would with the official Signal app for Android. Once logged in, Signal Plus Messenger starts to communicate with its command and control (C&C) server. Signal Plus Messenger can spy on Signal messages by misusing the “link device” feature. It does this by automatically connecting the compromised device to the attacker’s Signal device. This method of spying is unique: ESET researchers haven’t seen this functionality being misused before by other malware, and this is the only method by which the attacker can obtain the content of Signal messages. ESET Research has informed Signal’s developers about this loophole.

With regard to the fake Telegram app, FlyGram, the victim has to log in via legitimate Telegram functionality, as required by the official Telegram app. Before the login is complete, FlyGram starts to communicate with the C&C server and BadBazaar gains the ability to exfiltrate sensitive information from the device. FlyGram can access Telegram backups if the user has enabled a specific feature added by the attackers; the feature was activated by at least 13,953 user accounts. The attacker’s proxy server may be able to log some metadata, but it cannot decrypt the actual data and messages exchanged within Telegram itself. Unlike Signal Plus Messenger, FlyGram lacks the ability to link a Telegram account to the attacker or intercept the encrypted communications of its victims.

For more technical information about the latest campaigns by GREF, concerning BadBazaar and the trojanized espionage apps, check out the blogpost “BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

ESET telemetry for the trojanized apps.


ESET Research analyzes Spacecolon toolset, which spreads ransomware across the world and steals sensitive data

  • Spacecolon is a small toolset used to deploy variants of Scarab ransomware to victims all over the world, and ESET Research believes it is of Turkish origin.
  • Spacecolon’s operators, named CosmicBeetle by ESET, have no clear targeting, with highest detections in European countries, Turkey, and Mexico.
  • Spacecolon can serve as a remote access trojan with the ability to extract sensitive information and/or deploy Scarab ransomware.
  • CosmicBeetle probably compromises web servers vulnerable to ZeroLogon or those with RDP credentials that it is able to brute force.
  • CosmicBeetle appears to be preparing the distribution of new ransomware that we have named ScRansom.

BRATISLAVA, PRAGUE — August 22, 2023 — ESET Research has released its analysis of Spacecolon, a small toolset used to deploy variants of Scarab ransomware to victims all over the world. It likely penetrates victim organizations through operators compromising vulnerable web servers or via brute forcing RDP credentials. Several Spacecolon builds contain many Turkish strings; therefore, ESET believes it is written by a Turkish-speaking developer. ESET was able to track the origins of Spacecolon back to at least May 2020, and its campaigns are ongoing. ESET named Spacecolon’s operators CosmicBeetle to represent the link to “space” and “scarab.”

Spacecolon incidents identified by ESET telemetry encompass the globe, with high prevalence in European Union countries, such as Spain, France, Belgium, Poland, and Hungary; elsewhere, ESET has detected high prevalence in Turkey and Mexico. CosmicBeetle appears to be preparing the distribution of new ransomware — ScRansom. Post-compromise, along with installing ransomware, Spacecolon offers a large variety of third-party tools that allow the attackers to disable security products, extract sensitive information, and gain further access.

“We have not observed any pattern to Spacecolon’s victims besides them being vulnerable to the initial access methods employed by CosmicBeetle. Neither have we found any pattern among the targets’ areas of focus or size. However, to name a few (by type and geography), we have observed Spacecolon at a hospital and tourist resort in Thailand, an insurance company in Israel, a local governmental institution in Poland, an entertainment provider in Brazil, an environmental company in Turkey, and a school in Mexico,” says ESET researcher Jakub Souček, author of the analysis.

CosmicBeetle probably compromises web servers vulnerable to the ZeroLogon vulnerability or those with RDP credentials that it is able to brute force. Additionally, Spacecolon can provide backdoor access for its operators. CosmicBeetle doesn’t make any considerable effort to hide its malware and leaves plenty of artifacts on compromised systems.

After CosmicBeetle compromises a vulnerable web server, it deploys ScHackTool, the main Spacecolon component that CosmicBeetle uses. It relies heavily on its GUI and the active participation of its operators; it allows them to orchestrate the attack, downloading and executing additional tools on the compromised machine on demand as they see fit. If the target is deemed valuable, CosmicBeetle can deploy ScInstaller and use it, e.g., to install ScService, which provides further remote access.

The final payload CosmicBeetle deploys is a variant of the Scarab ransomware. This variant internally deploys a ClipBanker, a type of malware that monitors the content of the clipboard and changes content that it deems likely to be a cryptocurrency wallet address to an attacker-controlled address.

Furthermore, a new ransomware family is being developed, with samples being uploaded to VirusTotal from Turkey. ESET Research believes with high confidence that it is written by the same developers as Spacecolon, and ESET has named it ScRansom. ScRansom attempts to encrypt all hard, removable, and remote drives. ESET has not observed this ransomware being deployed in the wild, and it appears to still be in a development stage.

For more technical information about Spacecolon and CosmicBeetle, check out the blogpost “Scarabs colon-izing vulnerable servers” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Distribution of Spacecolon victims


Don’t skip out on this Back to School supply

Yes, you heard it. Back to School is officially here. Most parents are relieved, and most children are horrified. And yet, there is at least one stressful component of the Back to School run for parents as well, and that is school supply shopping. Pens and papers, notebooks and pencils, bags, and pencil cases. All are things your children need to be successful this next school year. But there may be one area you are omitting.

ESET Mobile Security Premium and ESET Parental Control are now 50% off! Read on to find out why they may be the best solution for you.

Both your children’s and your own cybersecurity are nothing to take lightly. A lot of people opt to buy their children a smartphone before they return for a new school year. Understandably so: you want to be able to reach your kids and know when they’re getting home and where they are. A great way to do that is by using parental control.

But that is not the only protection your child and their device need. In the ever-changing threat landscape, mobile device protection should be one of the top priorities for both kids and adults. After getting a new phone, installing a security solution should be the first thing to do. And when getting your child a phone, teaching them how to stay safe and secure is a must.

A few digital security tips to follow and teach your kids:

  • Use a strong passphrase
  • Do not click on unknown attachments and links
  • Keep your device up-to-date
  • Do not share personal information online
  • Back up your data regularly
  • Do not leave your mobile phone unattended and unlocked

The most necessary Back to School supply? 

A simple answer: a digital security solution, one that is easy to use and deploy and covers most of your security needs. Our phones are powerful tools that can easily turn into an issue if not secured properly. Keeping them safe is key to ensuring a smooth and safe Back to School period.

A great way to start is with ESET Mobile Security on your Android mobile devices. It’s a solution that ensures protection against a multitude of mobile threats while also securing users’ data.

ESET Mobile Security aims to provide a safe environment by leveraging its various security features, including: 

  • Anti-Phishing – integrates with the most common web browsers (Chrome and many others) and protects you from the most common phishing attempts
  • Anti-Smishing – protects you from SMS and App notifications containing malicious links
  • Antivirus – protection against malware: intercepts threats and cleans them from your device
  • Payment protection – lets you shop and bank safely online
  • App lock – requires extra authentication to access sensitive apps; protects content when you’re sharing a device
  • Anti-Theft – a powerful feature to help protect your phone and find it if it goes missing
  • Network inspector – scans your network and all connected devices to identify security gaps
  • Call filter – blocks calls from specified numbers, contacts and unknown numbers
  • Adware detector – identifies and removes apps that display ads unexpectedly
  • Real-time scanning – scans all files and apps for malware
  • Scheduled scans – checks your device every time you charge it, or whenever you want
  • Security audit – checks an app’s permissions
  • Security report – provides an overview of how secure your device is
  • USB on-the-go scanner – checks any connected USB device for threats
  • Up to 5 devices – pay once, protect 5 devices associated with the same Google account

ESET Mobile Security makes your Android phones and devices easy to find and harder to steal, and it helps to protect your valuable data.

If you want to protect your phone with ESET Mobile Security, you’re in luck! From August 21 to September 3, the premium version of ESET Mobile Security will be 50% off. No need for a promotional code; the discount will automatically be added to your checkout! It couldn’t be easier.

One-stop security supply shop

Deepening your digital security and developing knowledge about it is just as important these days as helping children navigate dealing with strangers. Educate yourself on common security threats at WeLiveSecurity, an award-winning cybersecurity blog. Talk to your kids and guide them through the wonders and pitfalls of the online world. Make sure they feel safe and welcome when coming to you with any and all issues.

Happy Back to School!

To better educate yourself and your children, visit saferkidsonline.eset.com.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

ESET Global Support Wins 2023 SC Awards in Excellence for Best Customer Service

BRATISLAVA, SAN DIEGO — August 22, 2023 — ESET, a global leader in cybersecurity, is proud to announce that the company has won a 2023 SC Award in the Excellence Award category for Best Customer Service. The SC Awards program is cybersecurity’s most prestigious and competitive program, recognizing the solutions, organizations, and people driving innovation and success in information security. This award recognizes ESET for delivering best-in-class customer support and services and exceeding expectations to ensure that organizations are protected against threats launched by today’s savvy cybercriminals.

“SC Awards are recognized worldwide by the cybersecurity community, and we are honored to take home the Best Customer Service award this year,” said Brent McCarty, President of ESET North America. “This award speaks to both the transformation already underway and continued investment in our customer service organization, which has expanded with the vision of providing high-touch, localized customer support across time zones, channels, and languages. We understand that it is our job to provide peace of mind to our customers as their cybersecurity partner, and this award speaks to the commitment and outstanding work being done by our teams locally and around the world.”

“This year’s SC Award winners reflected our industry in flux,” said Tom Spring, SC Media’s editorial director at CyberRisk Alliance. “Winners demonstrated uncanny market agility and brought innovative solutions to help their customers stay ahead of increasingly sophisticated adversaries and emerging threats. The innovative strategies and technologies demonstrated by all our SC Award participants truly encapsulated the remarkable innovation within the cybersecurity industry this year.”

ESET’s Global Support has continued to look for new ways to differentiate and expand its offerings in response to an increasingly complex cybersecurity threat landscape and to help customers adopt robust cybersecurity postures. The company was recognized based on a range of services, including:

  • Commitment to local and easily accessible customer support when and where customers need it. The company has 162 worldwide partners who help provide customer service in the time zones and languages required. For example, in the United States, business customers talk to ESET’s local customer service team in San Diego, California.
  • Multi-channel support that aligns with customer preferences. ESET provides business customers with complimentary support via phone, email, and live chat. ESET also maintains an online support forum where customers can engage with company experts on trending topics and emerging product issues.
  • Comprehensive documentation, including Knowledgebase articles, FAQ documents within the ESET Security Forum, and video tutorials that focus on deployment and maintenance, user scenarios, and troubleshooting. Additionally, online user guides are available for every product and provide installation, configuration, and feature overviews for that product. This is bolstered by localized language resources for ESET’s international markets, including French-speaking Canada, Spanish, German, Japanese, and more (for example, 21 languages are available for ESET Protect Cloud, and up to 35 languages are available for Endpoint Antivirus for Windows).
  • Advanced Professional Services in ESET Services Hub, including ESET PROTECT MDR (Managed Detection and Response), Premium Support, and Security Services.
  • Broader awareness and educational resources, including a robust Cybersecurity Awareness Training program for employees to address the human element of cybersecurity, and public resources like WeLiveSecurity, one of the top corporate cybersecurity blogs in the world – available in five languages with written and video content.

“The cybersecurity market continues to mature – with companies looking for enterprise-grade cybersecurity solutions backed by premium managed services,” said McCarty. “Our commitment to best-in-class support sets ESET apart in a fiercely competitive landscape. With ESET PROTECT MDR, organizations can reap the full benefits of Extended Detection & Response (XDR) without having to build an in-house team of digital security experts or add additional resources to their existing team. This allows for advanced capabilities, like triage and investigation, file analysis, incident response, digital forensics, threat monitoring, and even proactive periodic threat hunting – backed by ESET expertise and support teams.”

Now in its 26th year, the 2023 SC Awards are highly coveted and draw a record number of entries each year. The Excellence Awards included 15 categories and opened participation to cybersecurity startups, investors, and financial partners. Hundreds of entries for the Excellence Awards were judged by a world-class panel of independent industry leaders from sectors including healthcare, financial services, manufacturing, consulting, and education. Winners are featured on SC Media’s website, with a week of editorial coverage that celebrates the innovative technologies and solutions that support the ongoing efforts of the cybersecurity community.

View ESET coverage and the full list of winners here.


ESET Research: Mass campaign aimed at stealing Zimbra email users’ credentials under way, European countries top targets

  • ESET researchers have uncovered a mass-spreading phishing campaign aimed at collecting Zimbra account users’ credentials, active since at least April 2023 and still ongoing.
  • Targets include a variety of small and medium businesses and governmental entities.
  • According to ESET telemetry, the largest number of targets are located in Poland; other European and Latin American countries were also hit.
  • The campaign observed by ESET relies only on social engineering and user interaction.

BRATISLAVA — August 17, 2023 — ESET researchers have uncovered a mass-spreading phishing campaign aimed at collecting Zimbra account users’ credentials. The campaign has been active since at least April 2023 and is still ongoing. Zimbra Collaboration is an open-core collaborative software platform, a popular alternative to enterprise email solutions. The campaign’s targets are a variety of small and medium businesses and governmental entities. According to ESET telemetry, the largest number of targets are located in Poland; however, victims in other European countries such as Ukraine, Italy, France and the Netherlands are also targeted. Latin American nations were hit too; Ecuador tops the list of detections in that region.

Despite this campaign not being particularly technically sophisticated, it is still able to spread and successfully compromise organizations that use Zimbra Collaboration. “Adversaries leverage the fact that HTML attachments contain legitimate code, with the only telltale element being a link pointing to the malicious host. In this manner, it is much easier to circumvent reputation-based antispam policies, especially compared to more prevalent phishing techniques, where a malicious link is directly placed in the email body,” explains ESET researcher Viktor Šperka, who discovered the campaign.

“Target organizations vary; adversaries do not focus on any specific vertical – the only thing connecting victims is that they are using Zimbra,” adds Šperka. The popularity of Zimbra Collaboration among organizations expected to have lower IT budgets ensures that it stays an attractive target for adversaries.

Initially, the target receives an email with a phishing page in the attached HTML file. The email warns the target about an email server update, account deactivation or similar issue and directs the user to open the attached file. After opening the attachment, the user is presented with a fake Zimbra login page customized according to the targeted organization. In the background, the submitted credentials are collected from the HTML form and sent to a server controlled by the adversary. The attacker is then potentially able to infiltrate the affected email account. It is likely that the attackers were able to compromise the victims’ administrator accounts and create new mailboxes that were then used to send phishing emails to other targets. The campaign observed by ESET relies only on social engineering and user interaction; however, this may not always be the case.
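The telltale described above (an otherwise legitimate-looking HTML attachment whose login form posts credentials to a host outside the organization) is something a mail gateway or a triage script can check for. The following is an added example in Python, not ESET’s code and not taken from the WeLiveSecurity write-up; the two sample attachments, the trusted host mail.example.org and the collecting host collector.example.net are constructed placeholders.

```python
"""Flag HTML email attachments whose credential form posts to an external host.

Added, self-contained example (not ESET's tooling). It uses only the standard
library so it can run offline over attachments pulled from a quarantine folder.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Collect every <form> action and whether that form contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # valueless attributes arrive as None
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_html_attachment(html, trusted_hosts):
    """Return a list of findings for one attachment (empty list means nothing flagged).

    trusted_hosts: lower-case hostnames the organisation's own webmail uses.
    A finding is raised when a form holding a password field posts to any other host,
    which is exactly the telltale the campaign leaves in an otherwise benign page.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        if form["has_password"] and host and host not in trusted_hosts:
            findings.append(f"credential form posts to external host {host}")
    return findings


def is_suspicious(html, trusted_hosts):
    """Convenience wrapper: True when scan_html_attachment found anything."""
    return bool(scan_html_attachment(html, trusted_hosts))


# Constructed sample attachments (placeholders, not real campaign artefacts).
PHISHING_SAMPLE = """<html><body>
<h2>Mail server update: please sign in</h2>
<form method="post" action="https://collector.example.net/collect">
  <input name="user"><input type="password" name="pass">
  <button>Sign in</button>
</form></body></html>"""

BENIGN_SAMPLE = """<html><body><p>Your invoice is attached.</p>
<form method="post" action="https://mail.example.org/feedback">
  <input name="comment"><button>Send</button>
</form></body></html>"""

TRUSTED = {"mail.example.org"}   # the organisation's real webmail host (assumed)

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, "->", scan_html_attachment(sample, TRUSTED) or "clean")
```

The check deliberately ignores forms with no password field and forms with a relative action (opened from disk, those cannot reach an attacker's server), so it stays quiet on ordinary HTML newsletters. It only covers the variant described in the release, where the form itself posts to the collecting host; a page that submits the fields from script instead needs a JavaScript-aware sandbox rather than a static parse.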

For more technical information about the campaign against Zimbra, check out the blog post “Mass-spreading campaign targeting Zimbra users” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Countries hit by the campaign, according to ESET telemetry


Do you need to sacrifice privacy for security?

Many people believe that using software that watches what happens on their devices means giving up their privacy. However, even though privacy and security are intertwined, they are not the same.

Security software usually works in one of these four ways:

  • It scans all or chosen programs and files as they enter your device and compares them to the vendor’s malware database to determine whether they are harmless or pose a threat.
  • It analyzes programs and files already present on your device, looking for any suspicious activity. 
  • It uploads unknown files to the vendor’s cloud for a deeper analysis.
  • It does multiple or all of the above-mentioned options at once.

All four of these options could sound like an invasion of one’s privacy. Imagine your bodyguard always looking over your shoulder and standing next to you in every action you take and every conversation you have. It all sounds intrusive and you probably wouldn’t want that. This is how some may view security software.

But this is actually not the case. Imagine an army of bodyguards around you, making sure nothing harmful gets to you. They draw on their previous experience and compare anything reaching you to the things they’ve come across before; anything that matches is treated as a cyber threat. Now, these bodyguards are also protecting other people, so they need to remember what they’ve encountered. But here is the trick. They do not share that data with anyone except the bodyguard company they work for, aka your security vendor. And the only data that is collected and shared with the company is collected for the purpose of increased protection and making security solutions better for all users.

The company (security vendor) is interested in the types of threats so that it can learn and better protect you and others. It’s not really interested in personal files, such as photos, or birthdays. The sole and only purpose of any data collection is to strengthen security. And that is what ESET is doing as well.

We live in an age where people – quite rightly – are increasingly concerned about who has access to their personal information and how it is being used. The same goes for security software and its data sharing, which is required for the software to be able to properly protect the user. However, this does not mean users are surrendering all their personal information to the provider without consent.

The independent testing organization AV-Comparatives has recently put 20 consumer security vendors to the test, ESET being one of them. It conducted an analysis of data-sharing practices, policies, accessibility, and transparency. ESET emerged as one of the top-performing vendors, receiving 4.5 stars out of 5.

We have talked about data privacy many times before and it has been the concern of not only individuals but governments as well. The recent TikTok bans are one example. Privacy is a crucial part of our online presence, more than ever before. Therefore, it is very important to consider it when choosing your security vendor.

ESET at the heart of European Digital Security

Of course, as with any software company, security vendors need to comply with local and international regulations. ESET (as an EU-based company) was one of the first IT security companies to be awarded the label by the European Cyber Security Organization (ECSO). The label recognizes a company’s capabilities and commitment to protecting citizens, businesses, and government bodies from cyber threats. It also underscores the quality and values of the security vendor. ESET does not share data with third parties, and prefers to process its data in the European Union (EU). With a proportion of the company’s cybersecurity research and development taking place in the EU, the company also meets the requirements of the General Data Protection Regulation (GDPR), as well as local privacy regulations.

Data-sending practices are something to take seriously, and making sure to choose a provider that aligns with what you are looking for is very important. Users should be cautious with the data they provide to companies of any kind, including how and what they collect and how it’s being used. User privacy is and always will be of the utmost importance for ESET. That is why personally identifiable files, such as pictures, documents, and databases, are by default excluded from automated uploads to ESET’s cloud analysis systems, even when unknown or suspicious behavior is detected. Of course, this exclusion list can always be expanded or reduced by users and admins alike. ESET is also one of the very few vendors that allow users to benefit from cloud-based protection without having to contribute their own data.

As the digital world expands and changes rapidly, our vigilance and caution need to evolve with it. It is vital to remember that not only companies, corporations, and governments can fall prey to cyber criminals. The need to protect oneself in the online world is just as important as in the offline one. And just as you wouldn’t choose an inexperienced bodyguard, you need to choose a security vendor that takes users’ privacy seriously.


ESET Research discovers MoustachedBouncer targeting European and other diplomats in Belarus via network tampering at the ISP level

  • MoustachedBouncer is a threat group, recently discovered by ESET researchers, which specializes in the espionage of foreign embassies, including European ones, in Belarus. It is very likely aligned with Belarus interests.
  • The group has been operating since at least 2014 and has used the adversary-in-the-middle (AitM) technique since 2020 to redirect captive portal checks to a Command and Control (C&C) server and deliver spyware.
  • ESET believes that MoustachedBouncer uses a “lawful interception system” to conduct its AitM operations.
  • Since 2014, the group has been operating a malware framework that we have named NightClub. It uses email protocols for C&C communications. Since 2020, the group has been using, in parallel, a second malware framework that we have named Disco.
  • NightClub and Disco support additional spying plugins, including a screenshotter, an audio recorder, and a file stealer.

BRATISLAVA, MONTREAL, LAS VEGAS — August 10, 2023 — ESET Research has discovered a new cyberespionage group, MoustachedBouncer. It is named after its presence in Belarus and is aligned with the interests of the local government. Active since at least 2014, the group targets only foreign embassies, including European ones, in Belarus. Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets. The group uses two separate toolsets that ESET has named NightClub and Disco. The research was exclusively presented during the Black Hat USA 2023 conference on August 10, 2023, by ESET researcher Matthieu Faou.

According to ESET telemetry, the group targets foreign embassies in Belarus, and ESET has identified four countries whose embassy staff have been targeted: two from Europe, one from South Asia, and one from Africa. ESET assesses that MoustachedBouncer is very likely aligned with Belarus interests and specializes in espionage, specifically against foreign embassies in Belarus. MoustachedBouncer uses advanced techniques for Command and Control (C&C) communications, including network interception at the ISP level for the Disco implant, emails for the NightClub implant, and DNS in one of the NightClub plugins.

While ESET Research tracks MoustachedBouncer as a separate group, we have found elements that make ESET assess with low confidence that it is collaborating with another active espionage group, Winter Vivern, which has targeted government staff of several European countries, including Poland and Ukraine, in 2023.

“To compromise their targets, MoustachedBouncer operators tamper with their victims’ internet access, probably at the ISP level, to make Windows believe it’s behind a captive portal. For IP ranges targeted by MoustachedBouncer, network traffic is redirected to a seemingly legitimate, but fake, Windows Update page,” says ESET researcher Matthieu Faou, who discovered the new threat group. “This adversary-in-the-middle technique occurs only against a few selected organizations, perhaps just embassies, not countrywide. The AitM scenario reminds us of the Turla and StrongPity threat actors, who have trojanized software installers on the fly at the ISP level.”

“While the compromise of routers in order to conduct AitM attacks on embassy networks cannot be fully discarded, the presence of lawful interception capabilities in Belarus suggests the traffic mangling is happening at the ISP level rather than on the targets’ routers,” explains the ESET researcher.
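The tampering described above works by answering Windows’ captive-portal probe with something other than the genuine reply, so one defensive check is to validate that probe response on the endpoint or at a network sensor. The following is an added example in Python, not ESET’s code and not from the WeLiveSecurity report. It relies on one fact about Windows that the release does not state: the Network Connectivity Status Indicator fetches http://www.msftconnecttest.com/connecttest.txt and expects the plain-text body “Microsoft Connect Test”. The three captured responses are constructed, and the host windows-update.example.invalid is a placeholder.

```python
"""Classify a raw HTTP response to the Windows NCSI probe as genuine or intercepted.

Added, self-contained example (not ESET's tooling). Feed it the response bytes
captured for the connecttest.txt request, e.g. from a packet capture on the host.
"""

# Fact about Windows NCSI (assumed from Windows behaviour, not from the release):
# the probe URL is http://www.msftconnecttest.com/connecttest.txt and the genuine
# reply is a 200 with exactly this plain-text body.
NCSI_EXPECTED_BODY = "Microsoft Connect Test"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def classify_probe_response(raw):
    """Return 'ok' for an untouched probe reply, otherwise a short reason string.

    A captive portal (real or, as in this case, an AitM device at the ISP) typically
    answers the probe with a redirect or an HTML page instead of the expected text.
    """
    status, headers, body = parse_http_response(raw)
    if status in REDIRECT_STATUSES:
        return f"redirected to {headers.get('location', '<no location>')}"
    if status != 200:
        return f"unexpected status {status}"
    if "text/html" in headers.get("content-type", "").lower():
        return "HTML served where plain text expected"
    if body.strip() != NCSI_EXPECTED_BODY:
        return "body does not match expected probe text"
    return "ok"


# Constructed sample responses (placeholders, not captured campaign traffic).
GENUINE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 22\r\n"
    "\r\n"
    "Microsoft Connect Test"
)

REDIRECTED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://windows-update.example.invalid/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

HTML_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>Windows Update required</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_RESPONSE),
                       ("redirected", REDIRECTED_RESPONSE),
                       ("html", HTML_RESPONSE)):
        print(f"{label}: {classify_probe_response(raw)}")
```

A non-“ok” result on a network where no captive portal is expected is worth an alert, not an automatic block: hotel and airport networks legitimately produce the same pattern. That ambiguity is why the release’s own mitigation, routing all traffic through an end-to-end encrypted VPN to a trusted location, is the stronger control; the check above is a way to notice when the local network is being tampered with.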

Since 2014, the malware families used by MoustachedBouncer have evolved, and a big change happened in 2020, when the group started to use adversary-in-the-middle attacks. MoustachedBouncer operates the two implant families in parallel, but on a given machine, only one is deployed at a time. ESET believes that Disco is used in conjunction with AitM attacks, while NightClub is used for victims where traffic interception at the ISP level isn’t possible because of a mitigation such as the use of an end-to-end encrypted VPN where internet traffic is routed outside of Belarus.

“The main takeaway is that organizations in foreign countries where the internet cannot be trusted should use an end-to-end encrypted VPN tunnel to a trusted location for all their internet traffic in order to circumvent any network inspection devices. They should also use top-quality, updated computer security software,” advises Faou.

The NightClub implant uses free email services, namely the Czech webmail service Seznam.cz and the Russian Mail.ru webmail provider, to exfiltrate data. ESET believes the attackers created their own email accounts, instead of compromising legitimate ones.

The threat group focuses on stealing files and monitoring drives, including external ones. The capabilities of NightClub also include audio recording, taking screenshots, and logging keystrokes.

For more technical information about MoustachedBouncer, check out the blog post “MoustachedBouncer: Espionage against foreign diplomats in Belarus” on WeLiveSecurity. Make sure to follow ESET Research on Twitter (X) for the latest news from ESET Research.

MoustachedBouncer compromise via AitM scenario
