Asylum Ambuscade – Crimeware or Cyberespionage?

The cybercrime group Asylum Ambuscade has been operating since at least 2020 and appears to belong to the borderland between cyberespionage and crimeware. While the group primarily targets bank customers and cryptocurrency traders, it has also conducted espionage operations against government entities in Europe and Central Asia.

Asylum Ambuscade was first publicized in March 2022 by Proofpoint researchers after it targeted European government staff involved in helping Ukrainian refugees, just a few weeks after the start of the Russia-Ukraine war. The attackers deployed spearphishing emails with malicious Excel spreadsheets or documents leveraging the Follina vulnerability (CVE-2022-30190).

Once the first-stage downloader, SunSeed, has reported back and the machine is deemed interesting, the attackers deploy the second stage: AHKBOT. This downloader, written in AutoHotkey, can spy on the victim's machine and can be extended with plugins, also written in AutoHotkey. Asylum Ambuscade's crimeware compromise chain is similar to the one described for its cyberespionage campaigns, and the group has developed SunSeed equivalents in other scripting languages such as Tcl and VBS. In March 2023, it developed an AHKBOT equivalent in Node.js, which is called NODEBOT.

The group has been mostly operating cybercrime campaigns since early 2020 and has counted more than 4,500 victims worldwide, most of them located in North America. The targeting is very wide and mostly includes individuals, cryptocurrency traders, and small and medium businesses (SMBs) in various verticals. While the goal of targeting cryptocurrency traders is quite obvious, we don’t know for sure how Asylum Ambuscade monetizes its access to SMBs.

In most crimeware campaigns run by the group, the compromise vector is not a malicious document, but a JavaScript file downloaded from a previously documented Traffic Direction System (TDS). The attackers try to entice people into clicking on these files by using filenames such as Document_12_dec-1532825.js, TeamViewer_Setup.js, or AnyDeskInstall.js.

The first-stage downloaders are dropped by an MSI package downloaded by either a malicious document or a JavaScript file. The main second-stage downloader is AHKBOT. It sends a GET request, with the User-Agent AutoHotkey, to a C&C server. The downloader can be found on disk at various locations, such as C:\ProgramData\mscoree.ahk or C:\ProgramData\adb.ahk. It downloads and interprets spy plugins, also developed in AutoHotkey.
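As an added example that is not part of the original article, the following Python detection logic turns the indicators described above (the AutoHotkey User-Agent, the two AHKBOT paths under C:\ProgramData, and the lure filenames) into checks over constructed proxy log lines and file-creation paths; the log format, the `c2.example.invalid` host and the sample file list are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, List

# Indicators taken from the write-up; everything else here is constructed.
AHKBOT_USER_AGENT = "AutoHotkey"
AHKBOT_PATHS = {r"c:\programdata\mscoree.ahk", r"c:\programdata\adb.ahk"}
LURE_JS = re.compile(r"^(document_\d+_[a-z]{3}-\d+|teamviewer_setup|anydeskinstall)\.js$", re.I)

# Assumed proxy log format: <timestamp> <client> <method> <url> "<user-agent>"
PROXY_LINE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# Constructed sample data (not real traffic or hosts).
SAMPLE_PROXY = [
    '2023-03-14T10:02:11Z 10.0.0.21 GET http://c2.example.invalid/get?id=7 "AutoHotkey"',
    '2023-03-14T10:02:15Z 10.0.0.22 GET https://www.example.com/ "Mozilla/5.0"',
    '2023-03-14T10:02:20Z 10.0.0.21 POST http://c2.example.invalid/up "AutoHotkey"',
]
SAMPLE_FILES = [
    r"C:\ProgramData\mscoree.ahk",
    r"C:\Users\alice\Downloads\Document_12_dec-1532825.js",
    r"C:\Users\alice\Downloads\report.pdf",
    r"C:\ProgramData\other.ahk",
]


def flag_proxy_lines(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag any request carrying the bare 'AutoHotkey' User-Agent.
    Note: legitimate AutoHotkey scripts send the same default UA, so
    hits are triage leads, not verdicts."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if m and m["ua"].strip() == AHKBOT_USER_AGENT:
            hits.append({"client": m["client"], "url": m["url"], "reason": "AHKBOT user-agent"})
    return hits


def flag_file_events(paths: Iterable[str]) -> List[Dict[str, str]]:
    """Flag known AHKBOT drop paths, any .ahk under ProgramData, and lure .js names."""
    hits = []
    for p in paths:
        norm = p.strip().lower()
        name = norm.rsplit("\\", 1)[-1]
        if norm in AHKBOT_PATHS:
            hits.append({"path": p, "reason": "known AHKBOT location"})
        elif norm.startswith("c:\\programdata\\") and norm.endswith(".ahk"):
            hits.append({"path": p, "reason": "AutoHotkey script in ProgramData"})
        elif LURE_JS.match(name):
            hits.append({"path": p, "reason": "lure filename"})
    return hits
```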

We believe that the cyberespionage and cybercrime campaigns are operated by the same group. SunSeed and AHKBOT have been widely used for both cybercrime and cyberespionage, and the compromise chains are almost identical in all campaigns. SunSeed and AHKBOT are not very sophisticated compared to other crimeware tools for sale, and the network infrastructure is consistent across campaigns. As such, we believe that Asylum Ambuscade is a cybercrime group doing some cyberespionage on the side.

This kind of behavior is not new in the hacker community. Many cybercriminals, especially ones working for nation-states, wear multiple hats and regularly mix cybercrime and cyberespionage. For example, APT41, a Chinese-sponsored threat actor group, is known to be both a cybercrime and cyberespionage group, and it is even believed to have hacked videogame companies to generate revenue. Asylum Ambuscade’s case may not be surprising given the geopolitical tensions related to the Russia-Ukraine conflict.

In conclusion, Asylum Ambuscade is a particularly curious case of a threat actor that operates in two different worlds. Its crimeware compromise chain is similar to its cyberespionage compromise chain, and we believe that this group is conducting both types of campaigns. It will likely continue to be a threat, especially given the broad range of targets it attacks. Organizations should take care to protect themselves from these attacks by following standard cyber hygiene practices, such as keeping software up to date, using strong passwords, and training employees to recognize phishing emails and malicious attachments.
