Hacking Group Seen Mixing Cybercrime and Cyberespionage
Cyber Security Threat Summary:
Researchers suggest that a hacking collective, believed to have connections to the Belarusian government, is engaging in a fusion of illicit cyber activities involving both criminal endeavors and espionage in the digital realm. There is evidence to suggest that a hacking organization linked to the Belarusian government is blending cybercrime activities with cyberespionage. Referred to as Asylum Ambuscade, this group has been identified as "a cybercrime group that engages in some cyberespionage activities on the side" since 2020, as stated in a recent report by cybersecurity firm ESET, authored by malware researcher Matthieu Faou. ESET finds it noteworthy that a cybercrime group would also be involved in dedicated cyberespionage endeavors. In terms of cybercrime, Asylum Ambuscade primarily focuses on targeting individual banking customers, cryptocurrency traders, and small to medium-sized businesses, primarily located in North America and Europe. ESET has documented over 4,500 victims affected by their activities.
“The name of the group was coined by Proofpoint - ambuscade is an old way of saying ambush - which first publicly outed the group and its activities in the days after Russia, on Feb. 24, 2022, intensified its invasion of Ukraine. Proofpoint identified a phishing campaign targeting "European government personnel involved in managing the logistics of refugees fleeing Ukraine," which appeared to be using a legitimate email account for a member of Ukraine's armed services. The phishing campaign, it said, appeared to be the next stage of attacks detailed in an alert from Ukraine's CERT-UA computer emergency response team as well as an alert from the country's State Service of Special Communications and Information Protection, both issued on Feb. 25, 2022. "Mass phishing emails have recently been observed targeting private 'i[.]ua' and 'meta[.]ua' accounts of Ukrainian military personnel and related individuals," CERT-UA's alert said. "After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages. Later, the attackers use contact details from the victim's address book to send the phishing emails." CERT-UA attributed the attacks to UNC1151, which it said was being run by officers in Russian ally Belarus' Ministry of Defense. Proofpoint said it tracks the group as being part of TA445, while Mandiant's threat intelligence team has tied UNC1151 to information operations campaigns with the codename Ghostwriter. Secureworks says the attacks appear to tie to campaigns it tracks as Moonscape” (Databreach Today, 2023).
Security Officer Comments:
Asylum Abuscade has predominantly relied on a consistent set of tools since 2020. “Most of the groups implants are developed in scripting languages such as AutoHotkey, JavaScript, Lua, Python and VBS” as stated by ESET. To avoid detection, the group has created variations of these tools in different programming languages. Among the implants used by Asylum Ambuscade is SunSeed, a Lua script-based initial downloader along with AHK Bot, a second-stage downloader written in AHK. The latter can be enhanced with various plugins that provide additional capabilities such as keylogging, screen recording and remote shell functionality. ESET noted that SunSeed and AHK Bot are not typically sold or distributed through cybercrime platforms and are less feature-rich compared to readily available cybercrime tools. Consequently, it is possible that Asylum Ambuscade is the sole group utilizing these tools in real-word operations, although ESET cannot definitively confirm this.
Suggested Correction(s):
Asylum Ambuscade mainly targets SMBs and individuals in North America and Europe. However, the group has shown indications of expanding by conducting cyber espionage campaigns on the side against governments in Central Asia and Europe. It is unusual to find a cybercrime group involved in dedicated cyberespionage. Consequently, researchers should closely monitor activities of Asylum Ambuscade due to this noteworthy development.
IOCs:
https://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/
Link(s):
https://www.databreachtoday.com/hacking-group-seen-mixing-cybercrime-cyberespionage-a-22257
https://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/