NightClub Malware Linked to MoustachedBouncer Threat Actor


The malware known as NightClub possesses spyware and data theft capabilities. This malicious program exists in at least four versions, with the earliest variant dating back to 2014.

The NightClub malware is employed by a threat actor named MoustachedBouncer. This group has been active for almost ten years and predominantly targets foreign embassies in Belarus. Notable targets include embassies from four countries: two in Europe and one each in Africa and South Asia. In addition to NightClub, this threat actor also utilizes another set of tools referred to as Disco.

The original version of NightClub focuses on two primary functions: monitoring files and extracting data. This malware sends pilfered content to its Command and Control (C&C) server via email. Earlier iterations were limited to collecting files of formats like Microsoft Word (.doc, .docx), Microsoft Excel (.xls, .xlsx), and PDF (.pdf) documents.
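The exfiltration pattern described above (documents of the listed types mailed out of the victim host) is something a defender can hunt for in outbound mail telemetry. The following detection is an added example written for this page, not code from the page or from any vendor; the JSON record format, the host names, the recipient domains and the allow-list of expected mail clients are all constructed assumptions.

```python
import json
from dataclasses import dataclass

# File types the page says early NightClub versions collect and mail to its C&C.
NIGHTCLUB_DOC_TYPES = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}
# Hypothetical allow-list of processes expected to send mail from a workstation.
EXPECTED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

@dataclass
class Finding:
    host: str
    process: str
    recipient: str
    attachments: list

def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""

def detect_document_exfil(log_lines, internal_domain):
    """Flag outbound mail where a process that is not a known mail client sends
    only office/PDF attachments to an external address. Each line is a JSON
    record with host, process, recipient and attachments (constructed format)."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        attachments = rec.get("attachments", [])
        if not attachments:
            continue
        proc = rec["process"].lower()
        external = not rec["recipient"].lower().endswith("@" + internal_domain)
        only_docs = all(_ext(a) in NIGHTCLUB_DOC_TYPES for a in attachments)
        if proc not in EXPECTED_MAIL_CLIENTS and external and only_docs:
            findings.append(Finding(rec["host"], rec["process"], rec["recipient"], attachments))
    return findings

# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    '{"host": "ws01", "process": "outlook.exe", "recipient": "colleague@embassy.example", "attachments": ["agenda.docx"]}',
    '{"host": "ws01", "process": "svchost.exe", "recipient": "drop@mail.example.net", "attachments": ["budget.xlsx", "visa.PDF"]}',
    '{"host": "ws02", "process": "updater.exe", "recipient": "drop@mail.example.net", "attachments": ["setup.exe"]}',
    '{"host": "ws03", "process": "outlook.exe", "recipient": "friend@example.org", "attachments": ["report.pdf"]}',
]

if __name__ == "__main__":
    for f in detect_document_exfil(SAMPLE_LOG, "embassy.example"):
        print(f"{f.host}: {f.process} mailed {f.attachments} to {f.recipient}")
```

Only the record where a non-mail process sends nothing but office/PDF files to an outside address is flagged; a legitimate client mailing a report externally, or an unknown process mailing an executable, falls outside this specific rule.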

However, versions released since 2016 possess the capability to fetch extra malicious modules from their C&C server. In theory, malware that can introduce additional payloads onto infected devices could cause many forms of infection; in practice, NightClub has been observed operating within a narrower set of capabilities.

NightClub attacks initiated since 2020 introduce a backdoor module, as well as modules for keylogging (capturing typed data), taking screenshots, and recording audio through integrated or attached microphones.

The backdoor module has the ability to execute diverse commands, including (but not limited to): creating processes, copying and relocating directories, and reading, moving, and erasing files.

It's important to note that malware developers often enhance their software and methodologies over time. Furthermore, NightClub's activities are linked to political and geopolitical attacks. These factors suggest that potential upcoming NightClub campaigns may introduce different or additional functionalities and features.

How Are Infostealers Usually Distributed Online?

Infostealers, also known as information stealers or data stealers, are a type of malware designed to infiltrate a victim's device, collect sensitive information, and send it to malicious actors. These malware strains aim to harvest valuable data such as login credentials, financial information, personal details, and more. Infostealers can be distributed through various online methods:

Malicious Email Attachments: Infostealers often spread through phishing emails that contain infected attachments. These attachments might be disguised as documents (e.g., PDFs, Word files), spreadsheets, or executable files. Once the victim opens the attachment, the malware is executed, and the device becomes compromised.

Malicious Links in Emails: Phishing emails might also include links to malicious websites. Clicking on these links can lead to drive-by downloads, where the malware is automatically downloaded and executed without the user's knowledge.

Malvertising: Infostealers can be delivered through malicious advertisements (malvertising) displayed on legitimate websites. These ads might lead users to websites that host exploit kits capable of delivering the malware to vulnerable devices.

Compromised or Fake Websites: Cybercriminals might create fake websites or compromise legitimate ones to host malicious software. Users who visit these sites could unknowingly download and install infostealers.

Freeware and Cracked Software: Cybercriminals may bundle infostealers with cracked software or pirated content. When users download and install these files, they inadvertently install the malware.

Drive-by Downloads: Drive-by downloads occur when visiting a compromised or malicious website triggers the automatic download and installation of the malware onto the user's device.

Malicious File Sharing Networks: Infostealers can be distributed through file sharing networks, especially those hosting pirated software or content. Users who download and run these files might unknowingly execute the malware.

August 17, 2023
