
A threat actor known as Asylum Ambuscade has been observed since at least the beginning of 2020 carrying out activity that spans both cybercrime and cyberespionage.
“This is a crimeware group targeting banking customers and cryptocurrency traders in various regions, including North America and Europe,” ESET said in an analysis released Thursday. “Asylum Ambuscade also conducts espionage operations against government agencies in Europe and Central Asia.”
Asylum Ambuscade was first documented by Proofpoint in March 2022 as a state-sponsored phishing campaign targeting European government agencies to obtain information on refugee and goods movements in the region.
According to the Slovak cybersecurity firm, the attackers' goal is to siphon sensitive information and webmail credentials from official government email portals.

The attack starts with a spear-phishing email carrying a malicious Excel spreadsheet that, when opened, uses VBA code or exploits the Follina vulnerability (CVE-2022-30190) to download an MSI package from a remote server.
The installer deploys a downloader written in Lua called SunSeed (or its Visual Basic Script equivalent), which in turn fetches AutoHotkey-based malware known as AHK Bot from a remote server.
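As an added defender-side example (not from ESET's report or this article), the following Python heuristic runs over constructed Sysmon-style process-creation events and flags the two delivery paths described above: an Office process launching msdt.exe via an ms-msdt: URI (Follina) or msiexec.exe with a remote MSI URL. The event shape, field names and sample values are assumptions.

```python
"""Toy detection for the delivery chain described above: an Office process
spawning msdt.exe (Follina, CVE-2022-30190) or msiexec.exe pulling a remote
MSI. The events are constructed samples in a Sysmon-like shape, not real
telemetry."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


@dataclass
class ProcEvent:
    parent: str   # ParentImage basename
    image: str    # Image basename
    cmdline: str  # CommandLine


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding label for a suspicious Office child process, else None."""
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    if parent not in OFFICE_PARENTS:
        return None  # only children of Office apps are in scope here
    if image == "msdt.exe" and "ms-msdt:" in cmd:
        return "follina-msdt-from-office"
    if image == "msiexec.exe" and ("http://" in cmd or "https://" in cmd):
        return "remote-msi-from-office"
    if image in SCRIPT_HOSTS:
        return "script-host-from-office"
    return None


# Constructed sample events: two malicious, two benign.
SAMPLE_EVENTS = [
    ProcEvent("EXCEL.EXE", "msdt.exe", "msdt.exe ms-msdt:/id PCWDiagnostic"),
    ProcEvent("EXCEL.EXE", "msiexec.exe", "msiexec.exe /i https://example.invalid/pkg.msi /qn"),
    ProcEvent("explorer.exe", "msiexec.exe", "msiexec.exe /i C:\\Installers\\app.msi"),
    ProcEvent("EXCEL.EXE", "splwow64.exe", "splwow64.exe 12288"),
]


def findings(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Collect (image, label) pairs for every event the heuristic flags."""
    return [(ev.image, label) for ev in events if (label := classify(ev))]


if __name__ == "__main__":
    for image, label in findings(SAMPLE_EVENTS):
        print(f"{image}: {label}")
```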
Notable about Asylum Ambuscade is the scale of its cybercrime activity, which has claimed more than 4,500 victims worldwide since January 2022, the majority of them located in North America, Asia, Africa, Europe and South America.

ESET researcher Matthieu Faou said, "The targets are very broad and mainly include individuals, cryptocurrency traders and small and medium enterprises (SMBs) in various industries."
While one aspect of the attacks is aimed at stealing cryptocurrency, the targeting of small and medium-sized businesses could be an attempt to monetize access by selling it to other cybercriminal groups for illicit profit.
The compromise chain follows a similar pattern, except for the initial intrusion vector, which uses deceptive Google Ads or a traffic direction system (TDS) to redirect potential victims to fake websites serving malware-laced JavaScript files.
The attacks also use a Node.js version of AHK Bot, codenamed NODEBOT, to take screenshots, steal passwords, gather system information, and download plugins that install additional Trojans and stealers.
Given that the attack chains for cybercrime and espionage are nearly identical, it is suspected that Asylum Ambuscade is a cybercriminal group that also engages in some form of cyberespionage.
This overlap extends to another activity cluster called Screentime, which is known to target US and German companies with bespoke malware designed to steal sensitive information. Proofpoint tracks the attacker under the name TA866.
"It's very unusual to catch a cybercriminal group that has a dedicated cyber espionage operation," Faou said, adding that such a combination is somewhat unusual in the threat landscape.