Intrusions from Asylum Ambuscade Runs with Mixed Objectives

ESET warns of intrusions from cybercrime group "Asylum Ambuscade" running espionage campaigns against government entities located in Central Asia and Europe. In addition, espionage campaigns in 2022, targeted countries neighboring Ukraine. Asylum Ambuscade appears to be expanding its target profile as intrusions since 2020, have focused on many financial-related organizations in the North American region. ESET researchers assess the objective of the group is "to steal confidential information and webmail credentials from official government webmail portals."

Infections used from Asylum Ambuscade have incorporated both phishing emails and malicious Google Ads incorporating a Traffic Direction System (TDS) delivering a JavaScript file. The phishing emails used have carried a weaponized document taking advantage of the Follina vulnerability (CVE-2022-30190). Both the weaponized document and JavaScript file from TDS are used to drop and execute an MSI package leading to the installation of spyware like AHKBOT. A shortcut/lnk was observed to be written in the startup folder to establish persistence for the group's malware. No specific country has been attributed to the Asylum Ambuscade. The cybercrime group's objectives aren't fully known, but targeting financial and cryptocurrency organizations offers clear monetary motives. However, their espionage campaigns and aim to obtain credentials have unknown potential to fuel any monetary objectives. It's likely Asylum Ambuscade can sell compromised credentials although ESET has not identified such activity based on their telemetry.