Researchers Michael Raggi and Zydeca Cass reported that "the email included a malicious macro attachment that used social engineering themes pertaining to the NATO Security Council Emergency Meeting held on February 23, 2022." Proofpoint, which first observed the malicious emails on February 24, 2022, dubbed the social engineering campaign "Asylum Ambuscade."

Key takeaways from the Proofpoint report:
- Proofpoint has identified a likely nation-state sponsored phishing campaign using a possibly compromised Ukrainian armed service member’s email account to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.
- The email included a malicious macro attachment which attempted to download a Lua-based malware dubbed SunSeed.
- The infection chain used in this campaign bears significant similarities to a historic campaign Proofpoint observed in July 2021, making it likely the same threat actor is behind both clusters of activity.
- Proofpoint is releasing this report in an effort to balance accuracy with responsibility to disclose actionable intelligence during a time of high-tempo conflict.
One of the most notable aspects of Asylum Ambuscade is the likely use of a compromised Ukrainian armed service member's email account to send malware-laced messages carrying a macro-enabled XLS file that installs SunSeed on infected hosts. Because the infection chain closely matches the one Proofpoint observed in July 2021, the latest campaign could be a continuation of that earlier activity.
Proofpoint added: "The social engineering used in this phishing campaign was very timely, following a NATO Security Council meeting on February 23, 2022 and a news story about a Russian government 'kill list' targeting Ukrainians that began circulating in Western media outlets on February 21, 2022."
Ukraine's Computer Emergency Response Team (CERT-UA) described the ongoing developments as an "information and psychological war," urging people in the country to closely monitor their accounts for unrecognized devices, enable two-factor authentication, and use end-to-end encrypted messaging apps.
Furthermore, email security firm Avanan reported an eightfold increase in email-borne attacks originating in Russia beginning on February 27, with at least some of them targeting manufacturing, international shipping, and transportation companies in the United States and Europe.
Finally, the researchers concluded: "In light of the ongoing Russia-Ukraine war, actions by proxy actors such as TA445 will continue to target European governments in order to gather intelligence on the movement of refugees from Ukraine and on issues of importance to the Russian government."
Indicators of Compromise

Indicator | Type | Description / Date
--- | --- | ---
<redacted>@ukr[.]net | Sender Email | February 24, 2022
IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022 | Email Subject | February 24, 2022
list of persons.xls (SHA256 1561ece482c78a2d587b66c8eaf211e806ff438e506fcef8f14ae367db82d9b3) | Attachment | February 24, 2022
84.32.188[.]96 | IP | Actor-controlled IP
qwerty_setup.msi (SHA256 31d765deae26fb5cb506635754c700c57f9bd0fc643a622dc0911c42bf93d18f) | MSI Package | Malicious MSI package
print.lua (SHA256 7bf33b494c70bd0a0a865b5fbcee0c58fa9274b8741b03695b45998bcd459328) | Lua Script | Malicious Lua script payload (SunSeed)
luacom.dll (SHA256 f97f26f9cb210c0fcf2b50b7b9c8c93192b420cdbd946226ec2848fd19a9af2c) | File | Legitimate Lua dependency
ltn12.lua (SHA256 b1864aed85c114354b04fbe9b3f41c5ebc4df6d129e08ef65a0c413d0daabd29) | File | Legitimate Lua dependency
mime.lua (SHA256 e9167e0da842a0b856cbe6a2cf576f2d11bcedb5985e8e4c8c71a73486f6fa5a) | File | Legitimate Lua dependency
http.lua (SHA256 d10fbef2fe8aa983fc6950772c6bec4dc4f909f24ab64732c14b3e5f3318700c) | File | Legitimate Lua dependency
socket.dll (SHA256 3694f63e5093183972ed46c6bef5c63e0548f743a8fa6bb6983dcf107cab9044) | File | Legitimate Lua dependency
mime.dll (SHA256 976b7b17f2663fee38d4c4b1c251269f862785b17343f34479732bf9ddd29657) | File | Legitimate Lua dependency
lua5.1.dll (SHA256 fbbe7ee073d0290ac13c98b92a8405ea04dcc6837b4144889885dd70679e933f) | File | Legitimate Lua dependency
url.lua (SHA256 269526c11dbb25b1b4b13eec4e7577e15de33ca18afa70a2be5f373b771bd1ab) | File | Legitimate Lua dependency
sppsvc.exe (SHA256 737f08702f00e78dbe78acbeda63b73d04c1f8e741c5282a9aa1409369b6efa8) | File | Legitimate Lua dependency
tp.lua (SHA256 343afa62f69c7c140fbbf02b4ba2f7b2f711b6201bb6671c67a3744394084269) | File | Legitimate Lua dependency
socket.lua (SHA256 15fd138a169cae80fecf4c797b33a257d587ed446f02ecf3ef913e307a22f96d) | File | Legitimate Lua dependency
Software Protection Service.lnk | File Name | Persistence file name
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Software Protection Service.lnk | Directory Path | Persistence file directory
C:\ProgramData\.security-soft | Directory Path | Lua files installation directory
hxxp://84.32.188[.]96/<hexadecimal_value> | URL | Command and Control
list of participants of the briefing.xls (SHA256 a8fd0a5de66fa39056c0ddf2ec74ccd38b2ede147afa602aba00a3f0b55a88e0) | File | Phishing attachment, July 2021
157.230.104[.]79 | IP | Actor-controlled IP, July 2021
i.msi (SHA256 2e1de7b61ed25579e796ec4c0df2e25d2b98a1f8d4fdb077e2b52ee06c768fca) | MSI Package | Malicious MSI package, July 2021
hxxp://45.61.137[.]231/?id=<hexadecimal_value> | URL | Command and Control
wlua5.1.exe (SHA256 737f08702f00e78dbe78acbeda63b73d04c1f8e741c5282a9aa1409369b6efa8) | File | Lua dependency, July 2021
core.lua (SHA256 737f08702f00e78dbe78acbeda63b73d04c1f8e741c5282a9aa1409369b6efa8) | File | Lua dependency, July 2021
luacom.dll (SHA256 f97f26f9cb210c0fcf2b50b7b9c8c93192b420cdbd946226ec2848fd19a9af2c) | File | Lua dependency, July 2021
struct.dll (SHA256 5b317f27ad1e2c641f85bef601740b65e93f28df06ed03daa1f98d0aa5e69cf0) | File | Lua dependency, July 2021
ltn12.lua (SHA256 b1864aed85c114354b04fbe9b3f41c5ebc4df6d129e08ef65a0c413d0daabd29) | File | Lua dependency, July 2021
mime.lua (SHA256 e9167e0da842a0b856cbe6a2cf576f2d11bcedb5985e8e4c8c71a73486f6fa5a) | File | Lua dependency, July 2021
http.lua (SHA256 d10fbef2fe8aa983fc6950772c6bec4dc4f909f24ab64732c14b3e5f3318700c) | File | Lua dependency, July 2021
socket.dll (SHA256 3694f63e5093183972ed46c6bef5c63e0548f743a8fa6bb6983dcf107cab9044) | File | Lua dependency, July 2021
core.dll (SHA256 9aa3ca96a84eb5606694adb58776c9e926020ef184828b6f7e6f9b50498f7071) | File | Lua dependency, July 2021
core.lua (SHA256 20180a8012970453daef6db45b2978fd962d2168fb3b2b1580da3af6465fe2f6) | File | Lua dependency, July 2021
mime.dll (SHA256 976b7b17f2663fee38d4c4b1c251269f862785b17343f34479732bf9ddd29657) | File | Lua dependency, July 2021
lua5.1.dll (SHA256 fbbe7ee073d0290ac13c98b92a8405ea04dcc6837b4144889885dd70679e933f) | File | Lua dependency, July 2021
url.lua (SHA256 269526c11dbb25b1b4b13eec4e7577e15de33ca18afa70a2be5f373b771bd1ab) | File | Lua dependency, July 2021
alien.lua (SHA256 303e004364b1beda0338eb10a845e6b0965ca9fa8ee16fa9f3a3c6ef03c6939f) | File | Lua dependency, July 2021
tp.lua (SHA256 343afa62f69c7c140fbbf02b4ba2f7b2f711b6201bb6671c67a3744394084269) | File | Lua dependency, July 2021
socket.lua (SHA256 15fd138a169cae80fecf4c797b33a257d587ed446f02ecf3ef913e307a22f96d) | File | Lua dependency, July 2021
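To make the indicator table above usable in triage, here is an added example (not Proofpoint's code and not this site's) that refangs the published indicators ("hxxp://", "[.]") and matches them against a handful of constructed, Sysmon-style host and network events: the Startup-folder persistence LNK, files under the Lua installation directory, the published SHA256 hashes, the actor-controlled IPs, and the `http://<ip>/<hex>` beacon shape. The hashes, IPs, paths and URL shapes are taken from the table; the event schema (`type`, `path`, `sha256`, `dst_ip`, `url`), the sample paths and the beacon id are assumptions for illustration only.

```python
import re

# Indicators copied from the table above, defanged as published.
IOC_SHA256 = {
    "1561ece482c78a2d587b66c8eaf211e806ff438e506fcef8f14ae367db82d9b3": "list of persons.xls (phishing attachment)",
    "31d765deae26fb5cb506635754c700c57f9bd0fc643a622dc0911c42bf93d18f": "qwerty_setup.msi (malicious MSI)",
    "7bf33b494c70bd0a0a865b5fbcee0c58fa9274b8741b03695b45998bcd459328": "print.lua (SunSeed payload)",
}
IOC_IPS = {
    "84.32.188[.]96": "actor-controlled IP / C2 (February 2022)",
    "157.230.104[.]79": "actor-controlled IP (July 2021)",
    "45.61.137[.]231": "C2 (July 2021)",
}
# Host artefacts from the table: the persistence LNK dropped in the user's
# Startup folder and the directory the Lua files are installed to.
PATH_PATTERNS = [
    (re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Software Protection Service\.lnk$", re.I),
     "persistence LNK in Startup folder"),
    (re.compile(r"^C:\\ProgramData\\\.security-soft(?:\\|$)", re.I),
     "file under Lua installation directory"),
]
# C2 URL shapes from the table: http://<ip>/<hex> (2022) and http://<ip>/?id=<hex> (2021).
C2_URL = re.compile(r"^http://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?:\?id=)?(?P<id>[0-9a-fA-F]+)$")


def refang(indicator):
    """Reverse the defanging used in the IOC table ('hxxp://' and '[.]')."""
    return indicator.replace("hxxp://", "http://").replace("[.]", ".")


REFANGED_IPS = {refang(ip): label for ip, label in IOC_IPS.items()}


def match_event(event):
    """Return the list of IOC matches for one event (empty list if clean).

    The event fields are an assumed, Sysmon-like schema for this example,
    not a real product format.
    """
    hits = []
    sha = (event.get("sha256") or "").lower()        # hashes compare case-insensitively
    if sha in IOC_SHA256:
        hits.append("sha256 match: " + IOC_SHA256[sha])
    path = event.get("path") or ""
    for pattern, label in PATH_PATTERNS:
        if pattern.search(path):
            hits.append("path match: " + label)
    ip = event.get("dst_ip") or ""
    if ip in REFANGED_IPS:
        hits.append("destination IP: " + REFANGED_IPS[ip])
        # Only call it a beacon when the URL to the known IP has the published shape.
        m = C2_URL.match(event.get("url") or "")
        if m and m.group("ip") == ip:
            hits.append("C2 beacon shape, id=" + m.group("id"))
    return hits


def scan(events):
    """Run match_event over a list of events; return {index: hits} for events with hits."""
    results = {}
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            results[i] = hits
    return results


# Constructed sample events (not real telemetry); the hash on event 1 is from the table.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Software Protection Service.lnk"},
    {"type": "file_create", "path": r"C:\ProgramData\.security-soft\print.lua",
     "sha256": "7BF33B494C70BD0A0A865B5FBCEE0C58FA9274B8741B03695B45998BCD459328"},
    {"type": "net_connect", "dst_ip": "84.32.188.96", "url": "http://84.32.188.96/3fa9c21b"},
    {"type": "file_create", "path": r"C:\Users\alice\Downloads\budget.xlsx", "sha256": "0" * 64},
    {"type": "net_connect", "dst_ip": "198.51.100.7", "url": "http://198.51.100.7/index.html"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], hits)
```

Running the script flags events 0, 1 and 2 and leaves the benign spreadsheet and the unrelated web request untouched. The path patterns deliberately ignore the drive letter and user profile for the LNK, since the table only fixes the Startup-folder suffix, while the installation directory is anchored to `C:\ProgramData` exactly as published.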
For more cyber security news in crisp content, follow our site on Twitter (@cyberworkx1) and on LinkedIn.