Crimeware Group Asylum Ambuscade Ventures Into Cyber-Espionage

Written by

Asylum Ambuscade, a crimeware group, has been observed changing tactics and moving to cyber espionage.

The group, initially exposed by researchers from Proofpoint in March 2022, has been targeting European government personnel involved in assisting Ukrainian refugees shortly after the onset of the Russia–Ukraine conflict.

Now, cybersecurity researchers at ESET have published a new, in-depth analysis of Asylum Ambuscade, suggesting the group has been active since at least 2020.

“We found previous compromises of government officials and employees of state-owned companies in Central Asia countries and Armenia,” wrote ESET malware researcher Matthieu Faou.

The group employs various script languages such as AutoHotkey, JavaScript, Lua, Python and VBS to develop their implants and carry out their operations. 

Their cyber-espionage campaigns primarily involve spear-phishing emails containing malicious attachments to steal confidential information and webmail credentials from government officials.

Read more on spear phishing: New APT Dark Pink Hits Asia-Pacific, Europe With Spear Phishing Tactics

In addition to their cyber-espionage activities, Asylum Ambuscade has been running extensive cybercrime campaigns since early 2020. Their targets have exceeded 4500 victims worldwide, primarily in North America but also spanning Asia, Africa, Europe and South America.

While the motives behind targeting cryptocurrency traders are apparent, the exact monetization methods for their access to SMBs remain unclear. ESET speculated that they might sell this access to other cybercrime groups, possibly for deploying ransomware attacks, though no concrete evidence has been found thus far.

Notably, the compromise chains and the tools used by Asylum Ambuscade show remarkable similarities across their cyber-espionage and cybercrime campaigns. This indicates that the group is likely the same entity engaging in both activities.

“It is quite unusual to catch a cybercrime group running dedicated cyber-espionage operations, and as such, we believe that researchers should keep close track of Asylum Ambuscade activities,” concluded Faou.

The ESET advisory follows the publication of a joint advisory by US and South Korean security agencies warning about North Korea’s use of social engineering tactics, including spear phishing, in cyber-attacks.

What’s hot on Infosecurity Magazine?