Crimeware group Asylum Ambuscade has been observed changing tactics and moving towards cyber espionage.
The group was first exposed by Proofpoint researchers in March 2022, when it targeted European government officials involved in helping Ukrainian refugees in the immediate aftermath of the outbreak of the Russo-Ukrainian conflict.
Now, ESET cybersecurity researchers have released a new detailed analysis of Asylum Ambuscade, suggesting that the group has been active since at least 2020.
ESET malware researcher Matthieu Faou wrote, “We found previous compromises of government officials and employees of state-owned enterprises in Central Asian countries and Armenia.”
The group uses various scripting languages such as AutoHotkey, JavaScript, Lua, Python, and VBS to develop implants and perform operations.
Their cyber espionage activities mostly include spear phishing emails with malicious attachments to steal sensitive information and webmail credentials from government officials.
In addition to cyber espionage, Asylum Ambuscade has been conducting a large-scale cybercrime campaign since early 2020. Its targets are primarily in North America, but also in Asia, Africa, Europe and South America, and it has over 4,500 victims worldwide.
While the motive for targeting cryptocurrency traders is clear, the exact way the group monetizes its access to small businesses remains unclear. ESET speculates that the group is selling this access to other cybercriminal groups, possibly for ransomware deployment, but so far no concrete evidence has been found.
Notably, the compromise chains and tools used by Asylum Ambuscade show striking similarities across its cyber espionage and cybercrime campaigns, which indicates that the same entity is likely behind both activities.
“It is highly unusual to catch a cybercriminal group conducting dedicated cyber espionage operations, so we believe researchers need to closely track Asylum Ambuscade activity,” Faou concluded.
The ESET advisory follows the publication of a joint advisory by US and South Korean security agencies warning of North Korea’s use of social engineering tactics, including spear phishing, in cyberattacks.