Hacking Group Seen Mixing Cybercrime and Cyberespionage
Suspected Belarusian Hacking Group Has Targeted Ukraine; Crime Crossover 'Unusual'A hacking group that security researchers say aligns with Belarusian government interests appears to be mixing cybercrime with cyberespionage.
See Also: The Expert Guide to Mitigating Ransomware & Extortion Attacks
The group, known as Asylum Ambuscade, since 2020 has been "a cybercrime group that is doing some cyberespionage on the side," said security firm Eset in a new report written by malware researcher Matthieu Faou. "It is quite unusual to catch a cybercrime group running dedicated cyberespionage operations."
On the cybercrime front, the group largely targets individual banking customers, cryptocurrency traders and small and midsize businesses, largely in North America and Europe, and Eset counts more than 4,500 victims.
"While the goal of targeting cryptocurrency traders is quite obvious - stealing cryptocurrency - we don't know for sure how Asylum Ambuscade monetizes its access to SMBs," Eset said. "It is possible the group sells the access to other crimeware groups who might, for example, deploy ransomware," although it's seen no signs this is actually happening.
For espionage, Eset said the group has focused largely on European and Central Asian targets.
The name of the group was coined by Proofpoint - ambuscade is an old way of saying ambush - which first publicly outed the group and its activities in the days after Russia, on Feb. 24, 2022, intensified its invasion of Ukraine.
Proofpoint identified a phishing campaign targeting "European government personnel involved in managing the logistics of refugees fleeing Ukraine," which appeared to be using a legitimate email account for a member of Ukraine's armed services.
The phishing campaign, it said, appeared to be the next stage of attacks detailed in an alert from Ukraine's CERT-UA computer emergency response team as well as an alert from the country's State Service of Special Communications and Information Protection, both issued on Feb. 25, 2022.
"Mass phishing emails have recently been observed targeting private 'i.ua' and 'meta.ua' accounts of Ukrainian military personnel and related individuals," CERT-UA's alert said. "After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages. Later, the attackers use contact details from the victim's address book to send the phishing emails."
CERT-UA attributed the attacks to UNC1151, which it said was being run by officers in Russian ally Belarus' Ministry of Defense. Proofpoint said it tracks the group as being part of TA445, while Mandiant's threat intelligence team has tied UNC1151 to information operations campaigns with the codename Ghostwriter. Secureworks says the attacks appear to tie to campaigns it tracks as Moonscape.
Google's Mandiant in November 2021 reported that UNC1151 appeared to be run by Belarus. It said the group's activities largely focused on Ukraine, Lithuania, Latvia, Poland and Germany and that "the targeting also includes Belarusian dissidents, media entities, and journalists." Mandiant added that it could not "rule out Russian contributions to either UNC1151 or Ghostwriter," but said it had "not uncovered direct evidence of such contributions."
Bespoke Tooling?
Security researchers say that since at least 2020, Asylum Ambuscade has largely continued to use the same set of tools. "Most of the group's implants are developed in script languages such as AutoHotkey, JavaScript, Lua, Python and VBS," Eset says. The group has also developed variants of those tools written in other languages, likely to try and avoid their being detected by security tools.
Implants include SunSeed, a first-stage downloader written using Lua script, as well as AHK Bot, a second-stage downloader written in AutoHotkey - aka AHK - to which various plug-ins adding additional functionality - including keylogging, screen-recording and remote-shell capabilities - can be pushed.
SunSeed and AHK Bot don't appear to be sold or distributed via cybercrime sites and are less functional than off-the-shelf cybercrime tools, Eset said. As a result, Asylum Ambuscade may be the only group using these tools in the wild, although Eset said it can't confirm that with absolute certainty.
AHK Bot has been used in other attacks, including a campaign in 2019 that targeted government officials with oversight of financial regulations, which was described by Check Point and Trend Micro. Thus those attacks could have been carried out by Asylum Ambuscade.
In December 2022, Trend Micro detailed how AHK Bot was being used in a credential-stealing campaign targeting customers of U.S. and Canadian banks. The attacks began with a malicious Microsoft Excel file, which contained "an AHK script compiler executable," which generated AHK Bot.
In March, Proofpoint reported on a continuing campaign that since October 2022 has used AHK Bot, as well as the off-the-shelf Rhadamanthys Stealer, which "appears to be financially motivated, largely targeting organizations in the United States and Germany," although espionage might also be a goal.
At least for now, Proofpoint is attributing the attacks to a new attacker with the codename TA866, and it cautions that "the possibility of the tools being used by more than one actor cannot be completely ruled out."