Suspected Belarusian Hacking Group Has Targeted Ukraine; Crime Crossover ‘Unusual’
A hacking group that security researchers say aligns with Belarusian government interests appears to be mixing cybercrime with cyberespionage.
The group, known as Asylum Ambuscade, since 2020 has been “a cybercrime group that is doing some cyberespionage on the side,” says security firm Eset in a new report written by malware researcher Matthieu Faou. “It is quite unusual to catch a cybercrime group running dedicated cyberespionage operations.”
On the cybercrime front, the group largely targets individual banking customers, cryptocurrency traders and small and midsize businesses, mostly in North America and Europe, with Eset counting more than 4,500 victims.
“While the goal of targeting cryptocurrency traders is quite obvious – stealing cryptocurrency – we don’t know for sure how Asylum Ambuscade monetizes its access to SMBs,” Eset says. “It is possible the group sells the access to other crimeware groups who might, for example, deploy ransomware,” although it’s seen no signs this is actually happening.
For espionage, Eset says the group has focused largely on European and Central Asian targets.
The name of the group was coined by Proofpoint – ambuscade is an old way of saying ambush – which first publicly outed the group and its activities in the days after Russia on Feb. 24, 2022, intensified its invasion of Ukraine.
Proofpoint identified a phishing campaign targeting “European government personnel involved in managing the logistics of refugees fleeing Ukraine,” which appeared to be using a legitimate email account for a member of Ukraine’s armed services.
The phishing campaign, it said, appeared to be the next stage of attacks detailed in an alert from Ukraine’s CERT-UA computer emergency response team as well as an alert from the country’s State Service of Special Communications and Information Protection, both issued on Feb. 25, 2022.
“Mass phishing emails have recently been observed targeting private ‘i.ua’ and ‘meta.ua’ accounts of Ukrainian military personnel and related individuals,” CERT-UA’s alert said. “After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages. Later, the attackers use contact details from the victim’s address book to send the phishing emails.”
CERT-UA attributed the attacks to UNC1151, which it said was being run by officers in Russian ally Belarus’s Ministry of Defense. Proofpoint said it tracks the group as being part of TA445, while Mandiant’s threat intelligence team has tied UNC1151 to information operations campaigns codenamed Ghostwriter. Secureworks says the attacks appear to tie to campaigns it tracks as Moonscape.
Google’s Mandiant in November 2021 reported that UNC1151 appeared to be run by Belarus, and said its activities largely focused on Ukraine, Lithuania, Latvia, Poland and Germany, and that “the targeting also includes Belarusian dissidents, media entities, and journalists.” Mandiant added that it could not “rule out Russian contributions to either UNC1151 or Ghostwriter,” but added that “we have not uncovered direct evidence of such contributions.”
Implants include SunSeed, a first-stage downloader written in Lua, as well as AHK Bot, a second-stage downloader written in AutoHotkey – aka AHK – to which plug-ins adding further functionality can be pushed, including keylogging, screen-recording and remote-shell capabilities.
SunSeed and AHK Bot don’t appear to be sold or distributed via cybercrime sites, and are less functional than off-the-shelf cybercrime tools, Eset says. As a result, Asylum Ambuscade may be the only group using these tools in the wild, although it can’t confirm that with absolute certainty.
AHK Bot has been used in other attacks, including a 2019 campaign, described by Check Point and Trend Micro, that targeted government officials with oversight of financial regulations. Those attacks, too, could therefore have been carried out by Asylum Ambuscade.
In December 2022, Trend Micro detailed how AHK Bot was being used in a credential-stealing campaign targeting customers of U.S. and Canadian banks. The attacks began with a malicious Microsoft Excel file containing “an AHK script compiler executable,” which was used to generate AHK Bot.
In March, Proofpoint reported on a continuing campaign that since October 2022 has used AHK Bot, as well as the off-the-shelf Rhadamanthys Stealer, which “appears to be financially motivated, largely targeting organizations in the United States and Germany,” although espionage might also be a goal.
For now, Proofpoint attributes those attacks to a new attacker, codenamed TA866, and cautions that “the possibility of the tools being used by more than one actor cannot be completely ruled out.”