Cybercrime Group with Espionage Ambitions
The threat actor known as Ambuskade Sanctuary has been observed straddling cybercrime and cyberespionage operations since at least early 2020.
“This is a group of malicious tools that target bank customers and cryptocurrency traders in various regions, including North America and Europe,” ESET said in an analysis published Thursday. “Asylum Ambuscade also conducts espionage against government entities in Europe and Central Asia.”
Asylum Ambuscade was first documented by Proofpoint in March 2022 as a nation-state sponsored phishing campaign targeting European government entities in an effort to gain intelligence on the movement of refugees and supplies in the region.
The aim of the attackers, according to a Slovak cybersecurity firm, is to siphon confidential information and web email credentials from official government email portals.
The attack started with a spear-phishing email containing a malicious Excel spreadsheet attachment that, when opened, exploits VBA code or the Follina vulnerability (CVE-2022-30190) to download MSI packages from remote servers.
The installer, for its part, deploys a downloader written in Lua called SunSeed (or its Visual Basic Script equivalent) which, in turn, fetches AutoHotkey-based malware known as AHK Bot from remote servers.
What’s notable about Asylum Ambuscade are the cybercrimes that have claimed more than 4,500 victims worldwide since January 2022, with the majority of them located in North America, Asia, Africa, Europe, and South America.
“The target is very broad and mostly includes individuals, cryptocurrency traders, and small and medium enterprises (SMEs) across multiple verticals,” said ESET researcher Matthieu Faou.
While one aspect of the attack is designed to steal cryptocurrencies, the targeting of SMBs is likely an attempt to monetize access by selling it to other cyber criminal groups for illegal profit.
The intrusion chain followed a similar pattern of disallowing the initial intrusion vector, which required the use of a rogue Google Ad or traffic redirection system (TDS) to redirect potential victims to bogus websites that deliver JavaScript files containing malware.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover untapped vulnerabilities in your API ecosystem and take proactive steps towards tight security. Join our insightful webinar!
The attack also used a Node.js version of the AHK Bot codenamed NODEBOT which was then used to download the plugin responsible for taking screenshots, looting passwords, gathering system information, and installing additional trojans and thieves.
Given the nearly identical attack chains across cybercrime and espionage endeavors, it’s surmised that “Asylum Ambuscade is a cybercrime group that engages in cyberespionage on the side.”
The overlap also extends to another activity cluster dubbed Screentime which is known to target companies in the US and Germany with bespoke malware designed to steal confidential information. Proofpoint tracked down the threat actor under the name TA866.
“It is very unusual to catch a cyber crime group running a specialized cyber espionage operation,” said Faou, making it somewhat rare in the threat landscape.
