Verticals Targeted: Government, Cryptocurrency, Financial
Key Takeaways
Who is Asylum Ambuscade?
Asylum Ambuscade is a cybercrime group that also conducts espionage operations on the side. They have been operational since at least 2020. ESET recently reported on the group’s activities.
Targeting
ESET noted that Proofpoint originally exposed Asylum Ambuscade in early 2022. At the time, the group was conducting a phishing campaign targeting European government officials. On the cybercrime side, Asylum Ambuscade has a reputation for targeting bank customers and cryptocurrency traders, as well as small and medium businesses (SMBs). Targets have included entities in North America and Europe. On the espionage side, the group appears to primarily target government entities in Europe and Central Asia, with a few targets in other regions such as Africa and South America. The group has attacked over 4,500 victims worldwide to date.
TTPs
Asylum Ambuscade uses a variety of tools, including implants written in AutoHotkey, JavaScript, Lua, Python, and VBS. In the past, the group leveraged the Follina vulnerability (CVE-2022-30190).
Asylum Ambuscade’s attack chain used for espionage activity typically begins with a spearphishing email containing a malicious Excel file. The Excel spreadsheet contains malicious VBA code that, in turn, downloads an MSI package from a remote server. It then installs SunSeed, which is a Lua-based downloader. If the victim machine meets the group’s criteria for interest, they next deploy AHKBOT, which is written in AutoHotkey and is extensible with plugins. AHKBOT is used to spy on the victim's machine.
The group’s attack chain used for cybercrime activity differs slightly from the one used for espionage. The main difference is the threat actors use one of two different initial infection vectors. One is a malicious Google Ad that redirects to a website that delivers a malicious JavaScript file, and the other is a redirection chain that involves multiple HTTP redirections in a Traffic Direction System (TDS). When cybercrime is the goal, the group typically uses a different variant of SunSeed written in Tcl or VBS. In place of AHKBOT, the group uses a Node.js equivalent dubbed NODEBOT.
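The espionage chain above (Excel macro downloads an MSI package from a remote server and installs it) leaves a process-lineage signal that is easy to hunt for. The following is an added detection example written for this page; it is not code from PolySwarm or ESET. It assumes the macro installs the package by launching msiexec.exe from the Office process, which the write-up does not state explicitly, and runs over constructed Sysmon-style process-creation events embedded inline; in practice you would feed it parsed Sysmon Event ID 1 or EDR telemetry.

```python
"""Flag process-creation events that match an Office -> msiexec.exe chain.

Added detection example, not code from the page, PolySwarm or ESET.
Events are constructed dicts shaped like Sysmon Event ID 1 fields.
Assumption: the malicious VBA installs the MSI via msiexec.exe
launched from the Office process (the page does not say how the
install is performed).
"""
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Weak secondary heuristic: msiexec pointed at a remote .msi URL.
REMOTE_MSI_RE = re.compile(r"https?://\S+\.msi\b", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a reason string if the event is suspicious, else None."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and image == "msiexec.exe":
        return "office-spawned-msiexec"
    if image == "msiexec.exe" and REMOTE_MSI_RE.search(cmd):
        return "msiexec-remote-package"
    return None


def flag_events(events):
    """Return [(EventID, reason)] for every event classify() flags."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason is not None:
            hits.append((event["EventID"], reason))
    return hits


# Constructed sample telemetry (hostnames and paths are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"msiexec.exe /i http://example.invalid/pkg.msi /qn"},
    {"EventID": 2, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"msiexec.exe /V"},
    {"EventID": 3, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i https://example.invalid/update.msi /quiet"},
    {"EventID": 4, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for event_id, reason in flag_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

The parent-process rule is the strong signal; the remote-URL rule is there only to catch the package fetch when the parent is lost, and an attacker can defeat it by dropping the .msi extension. If the macro instead installs the package through the WindowsInstaller.Installer COM object, the install is brokered by the Windows Installer service and the Office-parent rule will not fire, so pair this with file-write telemetry for .msi files dropped by Office processes.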
IOCs
PolySwarm has multiple samples associated with this activity.
7DB446B95D5198330B2B25E4BA6429C57942CFC9
5F67279C195F5E8A35A24CBEA76E25BAD6AB6E8E
519E388182DE055902C656B2D95CCF265A96CEAB
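To check a file share or an image for the three samples listed above, the following is an added triage script, not PolySwarm's tooling: it walks a directory tree, hashes every regular file with SHA-1 (the digest type of the listed IOCs) and reports matches. The hash set is taken from this page; the directory layout, file names and file contents in the demo are constructed.

```python
"""Scan a directory tree for files whose SHA-1 matches the listed IOCs.

Added triage example, not code from the page or from PolySwarm.
IOC_SHA1 holds the three hashes listed above; the demo's files,
names and contents are constructed stand-ins.
"""
import hashlib
import os
import tempfile

IOC_SHA1 = {
    "7db446b95d5198330b2b25e4ba6429c57942cfc9",
    "5f67279c195f5e8a35a24cbea76e25bad6ab6e8e",
    "519e388182de055902c656b2d95ccf265a96ceab",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Hex SHA-1 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=IOC_SHA1):
    """Return {path: sha1} for every file under root whose SHA-1 is in iocs."""
    wanted = {h.lower() for h in iocs}
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the scan
            if digest in wanted:
                hits[path] = digest
    return hits


def demo_scan():
    """Constructed demo: two files in a temp dir, one of which we treat as an IOC.

    Returns the base names of the files that matched.
    """
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "readme.txt")
        stand_in = os.path.join(root, "sub", "invoice.vbs")
        os.makedirs(os.path.dirname(stand_in))
        with open(benign, "wb") as f:
            f.write(b"nothing to see here\n")
        with open(stand_in, "wb") as f:
            f.write(b"constructed stand-in for a malicious sample\n")
        # Extend the page's IOC set with the stand-in's hash so the demo has a hit.
        iocs = IOC_SHA1 | {sha1_of_file(stand_in)}
        hits = scan_tree(root, iocs)
        return sorted(os.path.basename(p) for p in hits)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else demo_scan()
    print(results)
```

Run it as `python scan.py C:\share` (or any root) to use the page's hashes directly; with no argument it runs the constructed demo. Hash matching only catches byte-identical samples, so treat a clean result as "these three files are absent", not as "no Asylum Ambuscade activity".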
You can use the following CLI command to search for all Asylum Ambuscade samples in our portal:
$ polyswarm link list -f AsylumAmbuscade
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports