A hacking group tracked as ‘Asylum Ambuscade’ was observed in recent attacks targeting small to medium-sized companies worldwide, combining cyber espionage with cybercrime.
The particular threat group, believed to have been operational since at least 2020, was first identified by Proofpoint in a March 2022 report that focused on a phishing campaign against entities aiding the Ukrainian refugees’ movement.
ESET has published a new report on the actor today, disclosing more details about last year’s Asylum Ambuscade operations and highlighting updates on its victimology and toolset.
2023 campaign
Asylum Ambuscade typically launches its attacks with spear-phishing emails sent to targets, carrying malicious document attachments that run malicious VBS code, and after June 2022, an exploit for CVE-2022-30190 (Follina).
The exploit initiates the download of an MSI installer that deploys the group’s Sunseed malware, a Lua-based downloader that also generates an LNK file in the Windows Startup folder for persistence.
Sunseed procures the subsequent-stage payload, Akhbot, from the command-and-control server and continues to ping the server to receive and execute additional Lua code.
Asylum Ambuscade maintains an almost perplexingly broad targeting scope in 2023, targeting bank customers, cryptocurrency traders, government entities, and various small and medium businesses across North America, Europe, and Central Asia.
ESET explains that the current infection chain continues to follow the same structure as in the 2022 operations. However, security analysts have now noticed new compromise vectors, including malicious Google Ads that redirect users to sites running malicious JavaScript code.
Additionally, the threat actor started deploying a new tool named “Nodebot” in March 2023, which appears to be the Node.js port of Ahkbot.
The malware’s function continues to include screenshot capturing, password exfiltration from Internet Explorer, Firefox, and Chromium-based browsers, and fetching additional AutoHotkey plugins onto the breached device.
The plugins fetched by the malware feature specific functionality such as downloading a VMProtect-packed Cobalt Strike loader, installing Chrome to accommodate hVNC operations, starting a keylogger, deploying a Rhadamanthys infostealer, launching a commercially available RAT, and more.
ESET has counted 4,500 victims since it started tracking Asylum Ambuscade in January 2022, equating to roughly 265 victims/month, making this a very prolific threat actor and a severe threat to organizations worldwide.
While the threat actors clearly target cryptocurrency traders and bank accounts for profit, the compromise of SMB entities might point to cyberespionage.
The threat group may be selling network access to these companies to ransomware affiliates for profit. However, ESET has found no evidence supporting this hypothesis.
In conclusion, Asylum Ambuscade’s specific operational goals remain unclear.