Asylum Ambuscade group combines espionage and cybercrime

July 4, 2023

A cybercriminal group called Asylum Ambuscade is running an ongoing campaign against small to medium-sized firms worldwide. The campaign mixes cybercrime with cyberespionage.

The group has been operating since 2020. In 2022, much of its activity consisted of phishing campaigns aimed at Ukrainian refugees; since then it has shifted to other targets while keeping its standard attack process.

The group typically begins its attacks with spear-phishing emails sent to its targets. These emails carry malicious document attachments that run VBS code leveraging the Follina exploit.

The exploit then downloads an MSI installer that launches the group's Sunseed malware, which creates an LNK file in the Windows folder to establish persistence.

Sunseed can fetch later-stage payloads, such as Akhbot, from the group's C2 server, and keeps polling that server to receive and run additional Lua code.

The Asylum Ambuscade group has targeted a specific set of entities this year.

The Asylum Ambuscade threat group has kept a broad targeting scope this year. Its targets have included bank customers, cryptocurrency traders, government entities, and various small to medium-sized firms in Asia, Europe, and North America.

The researchers explained that the group's current infection chain follows the same process as its 2022 cybercriminal operations. However, a new security analysis showed that the group has adopted additional vectors, such as malicious Google ads, to redirect users to an attacker-controlled website.

Furthermore, the attackers deployed a new tool called Nodebot last March, which appears to be a port of the Akhbot malware. Its functionality is unchanged: exfiltrating passwords from popular browsers, fetching additional plugins, and capturing screenshots.

The plugins the malware fetches can download a VMProtect-packed Cobalt Strike beacon, install Chrome to support hVNC operations, start a keylogger, deploy an infostealer, and launch remote access trojans.

The group has compromised more than 4,500 victims since January of last year, which amounts to a steady stream of new victims every month. Researchers therefore recommend that organisations of every size deploy layered security, because this group does not discriminate by the size of its targets.
