Asylum Ambuscade: crimeware or cyberespionage?

MITRE Techniques

• [T1583.003] Acquire Infrastructure: Virtual Private Server – Asylum Ambuscade rented VPS servers. ‘Asylum Ambuscade rented VPS servers.’
• [T1587.001] Develop Capabilities: Malware – Asylum Ambuscade develops custom implants in various scripting languages. ‘Asylum Ambuscade develops custom implants in various scripting languages.’
• [T1189] Drive-by Compromise – Targets were redirected via a TDS to a website delivering a malicious JavaScript file. ‘Targets were redirected via a TDS to a website delivering a malicious JavaScript file.’
• [T1566.001] Phishing: Spearphishing Attachment – Targets receive malicious Excel or Word documents. ‘Targets receive malicious Excel or Word documents.’
• [T1059.005] Command and Scripting Interpreter: Visual Basic – Asylum Ambuscade has a downloader in VBS. ‘Downloader in VBS.’
• [T1059.006] Command and Scripting Interpreter: Python – Asylum Ambuscade has a screenshotter in Python. ‘screenshotter in Python.’
• [T1059.007] Command and Scripting Interpreter: JavaScript – Asylum Ambuscade has a downloader in JavaScript (NODEBOT). ‘downloader in JavaScript (NODEBOT).’
• [T1059] Command and Scripting Interpreter – Asylum Ambuscade has downloaders in other scripting languages such as Lua, AutoHotkey, or Tcl. ‘downloaders in other scripting languages such as Lua, AutoHotkey, or Tcl.’
• [T1204.002] User Execution: Malicious File – Targets needs to manually execute the malicious document or JavaScript file. ‘Targets needs to manually execute the malicious document or JavaScript file.’
• [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – SunSeed persists via a LNK file in the startup folder. ‘SunSeed persists via a LNK file in the startup folder.’
• [T1027.010] Obfuscated Files or Information: Command Obfuscation – Downloaded JavaScript files are obfuscated with junk code. ‘Downloaded JavaScript files are obfuscated with junk code.’
• [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – AHKBOT passwords plugin can steal browser credentials. ‘AHKBOT passwords plugin can steal browser credentials.’
• [T1087.002] Account Discovery: Domain Account – AHKBOT domain plugin gathers information using net group. ‘AHKBOT domain plugin gathers information using net group.’
• [T1010] Application Window Discovery – AHKBOT wndlist plugin lists the active windows. ‘wndlist plugin lists the active windows.’
• [T1482] Domain Trust Discovery – AHKBOT domain plugin gathers information using nltest. ‘nltest.’
• [T1057] Process Discovery – AHKBOT tasklist plugin lists the active processes. ‘tasklist plugin lists the active processes.’
• [T1518.001] Software Discovery: Security Software Discovery – AHKBOT hardware plugin lists security software. ‘security software discovery.’
• [T1082] System Information Discovery – AHKBOT wndlist plugin gets system information using systeminfo. ‘systeminfo.’
• [T1016] System Network Configuration Discovery – AHKBOT wndlist plugin gets network configuration information using ipconfig /all. ‘ipconfig /all.’
• [T1056.001] Input Capture: Keylogging – AHKBOT keylogon records keystrokes. ‘keylogon records keystrokes.’
• [T1115] Clipboard Data – AHKBOT keylogon monitors the clipboard. ‘Clipboard data.’
• [T1113] Screen Capture – AHKBOT deskscreen takes screenshot. ‘deskscreen takes screenshot.’
• [T1071.001] Application Layer Protocol: Web Protocols – AHKBOT and downloaders communicate with C2 server via HTTP. ‘communicates with the C&C server via HTTP.’
• [T1041] Exfiltration Over C2 Channel – Data is exfiltrated via the C&C channel. ‘Data is exfiltrated via the C&C channel.’