A Hacking Group Spotted Combining Cybercrime and Cyberespionage

For espionage, Eset said the group has focused largely on European and Central Asian targets.


A suspected Belarusian hacking group has targeted Ukraine in an 'unusual' crime cross-over. According to security researchers, a hacker gang aligned with Belarusian government interests appears to be combining cybercrime with cyberespionage.

The group, known as Asylum Ambuscade, since 2020 has been "a cybercrime group that is doing some cyberespionage on the side," said security firm Eset in a new report written by malware researcher Matthieu Faou. "It is quite unusual to catch a cybercrime group running dedicated cyberespionage operations."

On the cybercrime front, the gang primarily targets individual banking users, cryptocurrency dealers, and small and medium-sized businesses in North America and Europe, with over 4,500 victims reported by Eset.

"While the goal of targeting cryptocurrency traders is quite obvious - stealing cryptocurrency - we don't know for sure how Asylum Ambuscade monetizes its access to SMBs," Eset said. "It is possible the group sells the access to other crimeware groups who might, for example, deploy ransomware," although it's seen no signs this is actually happening.

In terms of espionage, Eset stated that the group has focused primarily on European and Central Asian targets. Proofpoint coined the name (ambuscade is an archaic word for ambush) and first publicly exposed the group and its operations in the days following Russia's intensification of its invasion of Ukraine on February 24, 2022.

Proofpoint identified a phishing campaign targeting "European government personnel involved in managing the logistics of refugees fleeing Ukraine," which appeared to be sent from a legitimate email account belonging to a member of Ukraine's armed services.

The phishing campaign, it added, appeared to be a continuation of attacks described in a notice released on Feb. 25, 2022 by Ukraine's computer emergency response team, CERT-UA, and in an alert from the country's State Service of Special Communications and Information Protection.

"Mass phishing emails have recently been observed targeting private 'i.ua' and 'meta.ua' accounts of Ukrainian military personnel and related individuals," CERT-UA's alert said. "After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages. Later, the attackers use contact details from the victim's address book to send the phishing emails."

CERT-UA attributed the attacks to UNC1151, which it said was operated by officers of the Ministry of Defence of Belarus, a Russian ally. Proofpoint tracks the group as part of TA445, while Mandiant's threat intelligence team has linked UNC1151 to the information operations campaign codenamed Ghostwriter. According to Secureworks, the attacks appear to be linked to Moonscape activity.

In November 2021, Google's Mandiant revealed that UNC1151 looked to be run by Belarus. It stated that while the group's operations were primarily focused on Ukraine, Lithuania, Latvia, Poland, and Germany, "the targeting also includes Belarusian dissidents, media entities, and journalists." Mandiant added that it could not "rule out Russian contributions to either UNC1151 or Ghostwriter," but said it had "not uncovered direct evidence of such contributions."

According to security analysts, Asylum Ambuscade has largely continued to use the same set of tools since at least 2020. "Most of the group's implants are developed in script languages such as AutoHotkey, JavaScript, Lua, Python and VBS," Eset says. The group has also created variants of those programs in other languages, most likely to evade detection by security software.

Those tools include SunSeed, a first-stage downloader written in Lua, and AHK Bot, a second-stage downloader written in AutoHotkey (AHK), to which plug-ins adding functionality such as keylogging, screen recording and remote-shell capabilities can be pushed.

According to Eset, SunSeed and AHK Bot do not appear to be sold or distributed through cybercrime forums and are less functional than off-the-shelf cybercrime products. As a result, Asylum Ambuscade may be the only group using these tools in the field, although Eset says it cannot confirm this with certainty.

AHK Bot has also been used in other attacks, including a 2019 campaign that targeted government personnel in charge of financial regulation, as documented by Check Point and Trend Micro. Asylum Ambuscade could have carried out those attacks.

Trend Micro disclosed how AHK Bot was used in a credential-stealing campaign targeting customers of US and Canadian institutions in December 2022. The attacks started with a malicious Microsoft Excel file that contained "an AHK script compiler executable," which produced AHK Bot.
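A defender-side illustration of the chain described above: an Office document that drops AutoHotkey tooling leaves a process-creation trail (Excel as the parent of the AHK compiler or interpreter). This is an added example, not code from Eset, Trend Micro or the campaign itself; the Sysmon-like field names and the sample events are constructed, and the AutoHotkey binary names are the stock ones (Ahk2Exe.exe is the real AHK script compiler).

```python
"""Flag Office processes launching AutoHotkey tooling in process-creation logs.

Added example, not part of the research described above. Events are
constructed in a Sysmon-like shape (parent image, image, command line).
"""
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Stock AutoHotkey binaries: the script compiler plus common interpreter names.
AHK_IMAGES = {"ahk2exe.exe", "autohotkey.exe",
              "autohotkeyu64.exe", "autohotkeyu32.exe"}
# User-writable locations where a dropped script would typically land.
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(ev: ProcEvent) -> bool:
    """True if an Office app spawns AHK tooling, or AHK tooling is
    handed a script from a temp/download directory."""
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if child not in AHK_IMAGES:
        return False
    if parent in OFFICE_PARENTS:
        return True
    cmd = ev.command_line.lower()
    return any(d in cmd for d in DROP_DIRS)


def triage(events) -> list:
    """Return only the events worth an analyst's attention."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Users\u\AppData\Local\Temp\Ahk2Exe.exe",
              r"Ahk2Exe.exe /in C:\Users\u\AppData\Local\Temp\stage.ahk"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
              r"AutoHotkey.exe C:\Tools\macros\hotkeys.ahk"),   # legitimate admin use
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\u\Downloads\AutoHotkeyU64.exe",
              r"AutoHotkeyU64.exe C:\Users\u\Downloads\invoice.ahk"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),   # normal Excel child
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"ALERT: {_basename(ev.parent_image)} -> {_basename(ev.image)}: {ev.command_line}")
```

The first rule fires on the Excel-to-compiler relationship regardless of script location; the second catches a user double-clicking a dropped interpreter, while AHK run from an installed tools directory is left alone.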

Proofpoint reported in March on an ongoing campaign that has used AHK Bot as well as the off-the-shelf Rhadamanthys Stealer since October 2022, which "appears to be financially motivated, largely targeting organisations in the United States and Germany," though espionage may also be an aim.

For the time being, Proofpoint attributes the attacks to a new threat actor it tracks as TA866, but warns that "the possibility of the tools being used by more than one actor cannot be completely ruled out."
