NightClub

NightClub is a modular implant written in C++ that has been used by MoustachedBouncer since at least 2014.^[1]

ID: S1090

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 27 September 2023

Last Modified: 27 September 2023

Techniques Used

Domain	ID		Name	Use
Enterprise	T1005		从本地系统获取数据	NightClub can use a file monitor to steal specific files from targeted systems.^[1]
Enterprise	T1036	.004	伪装: Masquerade Task or Service	NightClub has created a service named `WmdmPmSp` to spoof a Windows Media service.^[1]
		.005	伪装: Match Legitimate Name or Location	NightClub has chosen file names to appear legitimate including EsetUpdate-0117583943.exe for its dropper.^[1]
Enterprise	T1112		修改注册表	NightClub can modify the Registry to set the ServiceDLL for a service created by the malware for persistence.^[1]
Enterprise	T1543	.003	创建或修改系统进程: Windows Service	NightClub has created a Windows service named `WmdmPmSp` to establish persistence.^[1]
Enterprise	T1120		外围设备发现	NightClub has the ability to monitor removable drives.^[1]
Enterprise	T1113		屏幕捕获	NightClub can load a module to call `CreateCompatibleDC` and `GdipSaveImageToStream` for screen capture.^[1]
Enterprise	T1071	.003	应用层协议: Mail Protocols	NightClub can use emails for C2 communications.^[1]
		.004	应用层协议: DNS	NightClub can use a DNS tunneling plugin to exfiltrate data by adding it to the subdomain portion of a DNS request.^[1]
Enterprise	T1010		应用窗口发现	NightClub can use `GetForegroundWindow` to enumerate the active window.^[1]
Enterprise	T1074	.001	数据分段: Local Data Staging	NightClub has copied captured files and keystrokes to the `%TEMP%` directory of compromised hosts.^[1]
Enterprise	T1132	.002	数据编码: Non-Standard Encoding	NightClub has used a non-standard encoding in DNS tunneling removing any `=` from the result of base64 encoding, and replacing `/` characters with `-s` and `+` characters with `-p`.^[1]
Enterprise	T1083		文件和目录发现	NightClub can use a file monitor to identify .lnk, .doc, .docx, .xls, .xslx, and .pdf files.^[1]
Enterprise	T1106		本机API	NightClub can use multiple native APIs including `GetKeyState`, `GetForegroundWindow`, `GetWindowThreadProcessId`, and `GetKeyboardLayout`.^[1]
Enterprise	T1027		混淆文件或信息	NightClub can obfuscate strings using the congruential generator `(LCG): staten+1 = (690069 × staten + 1) mod 232`.^[1]
Enterprise	T1070	.006	移除指标: Timestomp	NightClub can modify the Creation, Access, and Write timestamps for malicious DLLs to match those of the genuine Windows DLL user32.dll.^[1]
Enterprise	T1105		输入工具传输	NightClub can load multiple additional plugins on an infected host.^[1]
Enterprise	T1056	.001	输入捕获: Keylogging	NightClub can use a plugin for keylogging.^[1]
Enterprise	T1057		进程发现	NightClub has the ability to use `GetWindowThreadProcessId` to identify the process behind a specified window.^[1]
Enterprise	T1041		通过C2信道渗出	NightClub can use SMTP and DNS for file exfiltration and C2.^[1]
Enterprise	T1123		音频捕获	NightClub can load a module to leverage the LAME encoder and `mciSendStringW` to control and capture audio.^[1]

Groups That Use This Software

ID	Name	References
G1019	MoustachedBouncer	^[1]

References

Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.

NightClub

Enterprise Layer

Techniques Used

Groups That Use This Software

References