Posted on June 9, 2023 at 3:26 AM

Asylum Ambuscade Hacking Group Observed Launching Attacks Against SMBs Globally

A threat actor group known as ‘Asylum Ambuscade’ has been observed conducting a series of attacks targeting small to medium-sized companies globally. This group has been using cybercrime and cyber espionage to run its hacking campaigns.

Asylum Ambuscade combines cybercrime and espionage

The threat actor group in question is believed to have commenced its operations since at least 2020. The group was first identified by Proofpoint in a report that was published on March 2022. The report in question looked into a phishing campaign being conducted by the threat actor group. The campaign targeted entities that supported the Ukrainian refugees’ movement.

ESET researchers have now released a new report about this hacking group. The group has exposed more details about the operations that were conducted by cyber criminals in 2022. The ESET report also looked into the updates on the company’s toolset and victimology.

Hacking exploits by Asylum Ambuscade

Asylum Ambuscade is a threat actor group that usually launches hacking attacks through spear-phishing emails. Such emails are usually sent to targets, and they contain malicious document links. These links contain a malicious VBS code. The threat actor was also found to be exploiting a vulnerability tracked as CVE-2022-30190, or Folina, after June 2022.

The exploit being conducted by this threat actor group triggers the download of an MSI installer. This installer will deploy the Sunseed malware of the threat actor group. It will also launch a Lua-based downloader that will also generate an LNK file within the Windows Startup folder. The threat actor launches persistence attacks against the targets.

The Sunseed malware used in this campaign obtains the subsequent-stage payload known as Akhbot. The payload will be installed from the command-and-control server, and it will continue to reach out to the server to obtain and execute another Lua code.

The Asylum Ambuscade hacking group also maintains a vast target base. The hacking group has continued to launch attacks against targets in 2022. Some of its targets include bank customers, cryptocurrency traders, government entities, and small and medium-sized businesses situated across Central Asia, Europe, and North America.

The vast reach of this threat actor group across different industries illustrates that it has the potential to cause significant harm. The researchers at ESET have said that the current infection chain seen in the recent exploits conducted by the group had continued to follow a similar pattern as what was seen during the 2022 operations.

However, ESET security analysts have now detected new compromise vectors. These vectors include malicious Google Ads that redirect the users to sites that are running a malicious JavaScript code.

The threat actor group has also started the process of deploying a new tool known as Nodebot. The tool in question was deployed in March 2023, and it appears to be the Node.js port of the Akhbot payload.

Once the malware has been successfully launched on the target device, it will complete multiple functions. The malware can capture screenshots and exfiltrate user passwords from different browsers such as Internet Explorer, Firefox, and Chromium-based browsers. The browser can also fetch more AutoHotkey plugins onto the device that has been targeted by the hackers.

The plugins that are installed by the malware come with specific functionality. The plugins can download a VMProtect-packed Cobalt Strike loader. They can also be used to install Chrome to accommodate the operations of the hVNC.

The other roles that the plugin plays include starting a keylogger and deploying the Rhadamanthys infostealer. The plugins can also launch a commercially available RAT while conducting a variety of other malicious activities. The nature of these attacks demonstrates that the threat actors are notorious for their activities, and they have the potential to cause massive havoc.

The researchers at ESET have said that it started tracking this threat actor group in January 2022, it has claimed 4,500 victims. The number shows that the hacker group has been claiming around 265 victims each month, which made it one of the most prolific threat actor groups. The threat actor group also posed a threat to organizations globally.

Some of the activity of these hackers, such as targeting cryptocurrency traders and bank accounts, shows financial motivation. However, targeting small and medium-sized businesses shows cyber espionage.

The threat actor group might also be selling network access of the targeted companies to ransomware groups to make a profit. However, the ESET researchers noted there was no evidence that the group was selling the collected data to other cybercriminals, making the intention of the hackers unclear.