simulate Moustached Bouncer: Espionage against foreign diplomats in Belarus attack in a simple way


Windows records where a downloaded file came from in the file's Zone.Identifier stream (the "mark of the web"); the ZoneId stored there is one of the following:

Zone 0: Local computer

Zone 1: Local intranet

Zone 2: Trusted sites

Zone 3: Internet (least trusted)

Zone 4: Restricted sites


DNS configuration on the router to route any DNS query to the Ubuntu machine, which has 192.168.0.102


https://www.dhirubhai.net/posts/mrwolf0_cybersecurity-redteam-cyberawareness-activity-7259342465931886593-Tw2o?utm_source=share&utm_medium=member_desktop


Simulating an Adversary-in-the-Middle Attack: Lessons from the MoustachedBouncer Embassy Breach

In 2023, a cyberattack by the APT group MoustachedBouncer targeted several embassies in Belarus, including an African embassy. According to the cybersecurity site WeLiveSecurity, the group has been active since 2014, with noticeable operations emerging in 2020. Its technique, classified as "adversary-in-the-middle" (also known as content injection, MITRE ATT&CK T1659), let it intercept and modify data between users and servers in order to run malware or establish persistence on a target's network.

One of the mechanisms they exploited was Windows' captive-portal detection, the feature that checks for internet access and redirects users to a login page when one is required. This simulation demonstrates how the attack was likely conducted.

How Does Windows Detect Online Status?

When Windows starts, it checks the URL www.msftconnecttest.com and looks for a file called connecttest.txt. If the file is found, Windows assumes it’s online. Every 30 seconds, Windows verifies this file to confirm connectivity. If the system detects a need for additional authentication (like entering a password or PIN in public Wi-Fi at cafes or hotels), it redirects users to a login page.

The MoustachedBouncer group leveraged this process by collaborating with an internet service provider (ISP) to redirect traffic from www.msftconnecttest.com to a domain they controlled. Through this manipulated connection, they could prompt users to download malware, which then executed tasks via the SMB protocol across the network.
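The probe described above is plain HTTP, so whoever answers DNS for the probe domain can answer the probe itself. The following added example (my code, not the post's) classifies what a client got back from that probe: the address the hostname resolved to, the HTTP status and the body. The expected body "Microsoft Connect Test" and the probe URL are the documented NCSI defaults; the probe results in SAMPLES are constructed, with 192.168.0.102 taken from the lab setup in this post and 13.107.4.52 used only as a sample public address.

```python
"""Classify the result of a Windows NCSI connectivity probe.

Added example, not code from the original post. The Network Connectivity
Status Indicator fetches http://www.msftconnecttest.com/connecttest.txt and
expects the body "Microsoft Connect Test". classify() tells a genuine answer
from the hijacked one described in the post: the expected body is served, so
Windows reports "online", but it comes from a host on the local network.
"""
from __future__ import annotations

import ipaddress
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass

NCSI_HOST = "www.msftconnecttest.com"
NCSI_URL = f"http://{NCSI_HOST}/connecttest.txt"
EXPECTED_BODY = "Microsoft Connect Test"


@dataclass
class ProbeResult:
    resolved_ip: str      # address NCSI_HOST resolved to
    status: int           # HTTP status of the probe request
    body: str             # response body
    location: str = ""    # Location header when the probe was redirected


def classify(result: ProbeResult) -> tuple[str, list[str]]:
    """Return ('genuine' | 'intercepted' | 'portal', findings).

    'intercepted': correct body, but the probe domain resolved to a non-public
    address; the real probe host never lives on an RFC 1918 network.
    'portal': redirect or wrong body. A legitimate hotel/cafe portal produces
    this too, so it needs follow-up rather than an alert on its own.
    """
    findings: list[str] = []
    try:
        address_is_public = ipaddress.ip_address(result.resolved_ip).is_global
    except ValueError:
        address_is_public = False
    if not address_is_public:
        findings.append(f"{NCSI_HOST} resolved to non-public address {result.resolved_ip}")

    body_matches = result.status == 200 and result.body.strip() == EXPECTED_BODY
    if 300 <= result.status < 400:
        findings.append(f"probe redirected (HTTP {result.status}) to "
                        f"{result.location or '<no Location header>'}")
    elif not body_matches:
        findings.append(f"unexpected probe answer: HTTP {result.status}, body {result.body[:40]!r}")

    if address_is_public and body_matches:
        return "genuine", findings
    if body_matches:
        return "intercepted", findings
    return "portal", findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers instead of following them (a portal relies on the redirect)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_live(timeout: float = 5.0) -> ProbeResult:
    """Run the real NCSI probe. Needs network access; the samples below do not use it."""
    resolved_ip = socket.gethostbyname(NCSI_HOST)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(NCSI_URL, timeout=timeout) as resp:
            return ProbeResult(resolved_ip, resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 3xx ends up here because it is not followed
        body = err.read().decode("utf-8", "replace")
        return ProbeResult(resolved_ip, err.code, body, err.headers.get("Location", ""))


# Constructed sample results, not captured traffic.
SAMPLES = {
    "microsoft": ProbeResult("13.107.4.52", 200, "Microsoft Connect Test"),       # sample public address
    "hijacked-lab": ProbeResult("192.168.0.102", 200, "Microsoft Connect Test"),  # the post's Ubuntu box
    "hotel-portal": ProbeResult("10.0.0.1", 302, "", "http://10.0.0.1/login"),
    "broken-proxy": ProbeResult("13.107.4.52", 200, "<html>blocked</html>"),
}


def run_samples() -> dict[str, str]:
    """Verdict per sample; used by the stand-alone run and the checks."""
    return {name: classify(result)[0] for name, result in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in SAMPLES.items():
        verdict, findings = classify(result)
        print(f"{name:14} {verdict:12} {'; '.join(findings) or '-'}")
```

The "intercepted" verdict is the one that matters for this post: the lab machine serves exactly the body Windows wants, so the client shows "online" and nothing looks wrong to the user, yet the resolution to 192.168.0.102 gives it away. Clients that reach the internet through an explicit proxy do not resolve the name themselves, so run the check where the resolution actually happens.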

The Role of DNS Spoofing and Content Zones

In scenarios without ISP collaboration, attackers could use DNS spoofing to redirect traffic. Windows identifies files downloaded from the internet as Zone 3 (Internet zone, least trusted) and tags them with a Zone.Identifier, alerting the user to unverified sources. This zone mechanism is key to Windows' security warnings.
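The Zone.Identifier tag is also what a responder can read back afterwards. As an added example (my code, not the post's), the block below parses the stream's content and flags a file on two counts: it sits in Zone 3 or 4, and its recorded HostUrl is the NCSI probe domain, which in normal operation serves nothing but connecttest.txt. The stream contents in SAMPLES are constructed, and the "windows-update.exe" path is a hypothetical name for the fake update the post describes; read_zone_identifier() opens the real stream on a Windows host.

```python
"""Inspect the mark-of-the-web (Zone.Identifier) on downloaded files.

Added example, not code from the original post. On NTFS, Windows keeps the
zone of a downloaded file in an alternate data stream named "Zone.Identifier";
its INI-style content carries ZoneId and, on current Windows versions, the
ReferrerUrl and HostUrl of the download.
"""
from __future__ import annotations

from urllib.parse import urlsplit

ZONE_NAMES = {
    0: "Local computer",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet (least trusted)",
    4: "Restricted sites",
}
UNTRUSTED_ZONES = {3, 4}
NCSI_HOST = "www.msftconnecttest.com"   # probe domain; serves no downloads normally


def parse_zone_identifier(text: str) -> dict:
    """Parse the stream content; keys are case-insensitive, CRLF or LF accepted."""
    section = None
    fields: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields:
        raise ValueError("no ZoneId in [ZoneTransfer] section")
    zone_id = int(fields["zoneid"])
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, f"unknown zone {zone_id}"),
        "referrer_url": fields.get("referrerurl", ""),
        "host_url": fields.get("hosturl", ""),
    }


def assess(entry: dict) -> list[str]:
    """Hunting findings for one parsed stream; empty list means nothing notable."""
    findings = []
    if entry["zone_id"] in UNTRUSTED_ZONES:
        findings.append(f"zone {entry['zone_id']} ({entry['zone_name']})")
    host = (urlsplit(entry["host_url"]).hostname or "").lower()
    if host == NCSI_HOST:
        findings.append(f"HostUrl is the NCSI probe domain {NCSI_HOST}; "
                        "the real probe only serves connecttest.txt")
    return findings


def read_zone_identifier(path: str) -> dict | None:
    """Windows only: open the file's Zone.Identifier stream; None if it has none."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8") as stream:
            return parse_zone_identifier(stream.read())
    except FileNotFoundError:
        return None


# Constructed sample stream contents, not taken from a real host.
SAMPLES = {
    "vendor-installer.msi": (
        "[ZoneTransfer]\r\nZoneId=3\r\n"
        "ReferrerUrl=https://example.invalid/downloads/\r\n"
        "HostUrl=https://example.invalid/downloads/vendor-installer.msi\r\n"
    ),
    "windows-update.exe": (  # hypothetical name for the post's fake "update"
        "[ZoneTransfer]\r\nZoneId=3\r\n"
        "ReferrerUrl=http://www.msftconnecttest.com/redirect\r\n"
        "HostUrl=http://www.msftconnecttest.com/redirect/windows-update.exe\r\n"
    ),
    "share-copy.docx": "[ZoneTransfer]\r\nZoneId=1\r\n",
}


def hunt(samples: dict[str, str]) -> dict[str, list[str]]:
    """Findings per file name for a batch of stream contents."""
    return {name: assess(parse_zone_identifier(text)) for name, text in samples.items()}


if __name__ == "__main__":
    for name, findings in hunt(SAMPLES).items():
        print(f"{name:22} {'; '.join(findings) or 'nothing notable'}")
```

A plain Zone 3 tag is ordinary (every browser download gets one), so on its own it is only context; the HostUrl finding is the one worth alerting on, because nothing legitimate is ever downloaded from the probe domain. On a live host, feed read_zone_identifier() the paths from the user's Downloads folder instead of the SAMPLES dictionary.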

Simulation Setup

For this simulation, I configured a router to assign DHCP IP addresses, with the primary DNS set to point to an Ubuntu Linux machine. I configured Ubuntu’s hostname to match www.msftconnecttest.com, so Windows detected it as the designated network test domain.

Upon connecting, Windows looked for connecttest.txt on my Ubuntu server, and as expected, it identified the network as online. From here, I simulated a login page redirect, similar to public Wi-Fi networks, prompting users to download a Windows "update" that created a persistent task running Notepad every minute—mimicking a common persistence mechanism used in malware.

The attack setup involved configuring Ubuntu with dnsmasq and running a Python server to host the simulation data.

This simulation provides a simplified glimpse into the actual attack, which was far more complex in reality. By understanding and demonstrating these techniques, we gain insights into the tactics, techniques, and procedures (TTPs) employed by threat actors in real-world cyber-espionage operations.

For more in-depth details on this attack, you can check out the original article linked here.

https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/


#CyberAware #CyberThreats #InfoSec #Cybersecurity #RedTeam #CyberAwareness #ThreatIntelligence #APT


More articles by Nasser El-Din Basha
