ESET Research deconstructs Asylum Ambuscade: group focused on cybercrime, cyberespionage and attacking countries bordering Ukraine
Created: 2023-06-12 03:24:44
- Asylum Ambuscade has been operating since at least 2020.
- It is a crimeware group that targets individuals, small and medium businesses, bank customers, and cryptocurrency traders in various regions, including North America and Europe.
- Asylum Ambuscade also performs espionage against government entities in Europe and Central Asia: in 2022, the group reportedly targeted government officials in several European countries bordering Ukraine.
BRATISLAVA, MONTREAL — June 8, 2023 — Today, ESET Research released its analysis of Asylum Ambuscade, a cybercrime group that has been performing cyberespionage operations on the side. The group has been running cyberespionage campaigns since at least 2020. ESET found previous compromises of government officials and employees of state-owned companies in Central Asian countries and Armenia. In 2022 the group reportedly targeted government officials in several European countries bordering Ukraine. ESET Research assesses that the goal of the attackers was to steal confidential information and webmail credentials from official government webmail portals. Asylum Ambuscade usually targets small- and medium-sized businesses (SMBs) and individuals in North America and Europe.
“It appears Asylum Ambuscade is branching out, running some recent cyberespionage campaigns on the side, against governments in Central Asia and Europe from time to time. It is quite unusual to catch a cybercrime group running dedicated cyberespionage operations, and as such we believe that researchers should keep close track of its activities,” explains ESET researcher Matthieu Faou, who investigated the activities of the group.
In 2022, when the group targeted government officials in several European countries bordering Ukraine, the compromise chain started with a spearphishing email containing a malicious Excel spreadsheet or Word document attachment. If the machine was deemed interesting, the attackers eventually deployed AHKBOT, a downloader that can be extended with plugins to spy on the victim’s machine. These plugins provide various capabilities, including taking screenshots, recording keystrokes, stealing passwords from web browsers, downloading files and executing an infostealer.
Even though the group entered the spotlight because of its cyberespionage operations, it has mostly run cybercrime campaigns since early 2020. Since January 2022, ESET Research has counted more than 4,500 victims worldwide. While most of these are located in North America, it should be noted that we have also seen victims in Asia, Africa, Europe and South America. Targeting is very wide and mainly includes individuals, cryptocurrency traders, bank customers, and SMBs in various verticals.
“Asylum Ambuscade’s crimeware compromise chain is, overall, very similar to the one we see for their cyberespionage campaigns. The main difference is the compromise vector, which could be a malicious Google Ad redirecting to a website delivering a malicious JavaScript file or multiple HTTP redirections,” adds Faou.
For more technical information about Asylum Ambuscade, check out the blogpost “Asylum Ambuscade - A curious case of a threat actor at the border between crimeware and cyberespionage” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
Geographical distribution of victims since January 2022.
About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.