TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020.
# Threat Actor: TA866 (Asylum Ambuscade)
## Attribution & Identity
The threat actor is known as **TA866** or **Asylum Ambuscade**. They have been active since at least 2020. Cisco Talos assesses with high confidence that TA866 frequently leverages business relationships with other threat actors across various stages of their attacks. Activity associated with **WarmCookie/BadSpace** is also attributed to TA866, suggesting WarmCookie was likely developed by the same actor that developed the **Resident backdoor**.
## Activity Summary
TA866 conducts intrusion operations, historically focused on financially motivated malware campaigns, though prior reporting suggests possible involvement in espionage-related activities. Since early 2023, they have shown evolution in tooling and TTPs. Initial access is generally achieved via malspam or malvertising, often redirecting victims through Traffic Distribution Systems (TDS) like 404 TDS before deploying malicious content. Recent activity in early 2024 included the deployment of Cobalt Strike and CSharp-Streamer-RAT following initial WarmCookie installation. They use commodity and custom tooling for post-compromise activities.
## Tactics, Techniques & Procedures
- Initial access via **malspam** or **malvertising**.
- **Email thread hijacking** observed in malspam campaigns to increase legitimacy.
- Redirection to **Traffic Distribution Systems (TDS)**, such as 404 TDS, for malware installation services.
- Initial post-compromise payload deployment includes **WasabiSeed**, **ScreenShotter**, and **AHK Bot**.
- Subsequent deployment of backdoors and tools: **Resident backdoor**, **CSharp-Streamer-RAT**, **Cobalt Strike**, and **Rhadamanthys**.
- Use of utilities for enumeration and reconnaissance, such as **AdFind** and network scanners.
- Deployment of remote access solutions like **AnyDesk** and **Remote Utilities**.
- Observed unique characteristic: the SSL certificates on CSharp-Streamer-RAT C2 servers have fields that appear to be populated programmatically, which makes them a useful fingerprint for that infrastructure.
## Targeting
- Sectors: Primarily associated with **financially motivated** campaigns, but current activity suggests potential involvement in **espionage-related activities**.
- Geography: Not explicitly detailed, but previous reporting mentions targeting US and Canadian bank customers.
- Victims: Corporate networks targeted for intrusion.
## Tools & Infrastructure
- **Malware Families:** WarmCookie/BadSpace, Resident backdoor, WasabiSeed, ScreenShotter, AHK Bot, CSharp-Streamer-RAT, Cobalt Strike, Rhadamanthys.
- **Utilities:** AdFind, network scanners (e.g., NetPing mentioned in signature list).
- **Remote Access Tools:** AnyDesk, Remote Utilities.
- **Infrastructure:** C2 servers observed for CSharp-Streamer-RAT, including `185[.]73[.]124[.]164` and `109[.]236[.]80[.]191`.
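The two C2 addresses above are published defanged. The following is an added example (not code from Cisco Talos or the source report) showing how a defender would refang such indicators and sweep connection logs for outbound traffic to them; the log format and the log lines themselves are constructed for the example, and the non-C2 addresses use documentation ranges.

```python
"""Sweep constructed connection logs for the CSharp-Streamer-RAT C2 addresses above.

Added example, not part of the Talos reporting. The two IPs are the defanged
indicators from the page; the log format and log lines are constructed here.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Defanged indicators copied from the page ([.] keeps them non-clickable in reports).
DEFANGED_C2_IOCS = ["185[.]73[.]124[.]164", "109[.]236[.]80[.]191"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (1[.]2[.]3[.]4, hxxp://...) back into its real form."""
    out = ioc.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return re.sub(r"^hxxp", "http", out)


def defang(value: str) -> str:
    """Re-defang an address so alert text cannot be clicked or auto-linked."""
    return value.replace(".", "[.]")


# Indicator set used for matching; ipaddress objects give exact, normalised comparison.
C2_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_C2_IOCS}


@dataclass(frozen=True)
class ConnEvent:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


# Constructed (hypothetical) firewall/proxy export, one connection per line:
#   <timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line: str) -> Optional[ConnEvent]:
    """Parse one log line; return None for lines that are not connection records."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        return ConnEvent(
            ts=m["ts"],
            src=ipaddress.ip_address(m["src"]),
            dst=ipaddress.ip_address(m["dst"]),
            dport=int(m["dport"]),
            proto=m["proto"].lower(),
        )
    except ValueError:  # malformed address or port
        return None


def sweep(lines: Iterable[str], iocs=C2_IPS) -> List[ConnEvent]:
    """Return every parsed event whose destination is a known C2 address."""
    return [ev for ev in map(parse_line, lines) if ev is not None and ev.dst in iocs]


def report(hits: List[ConnEvent]) -> List[str]:
    """Render hits as alert lines with the C2 address defanged again."""
    return [f"{h.ts} {h.src} -> {defang(str(h.dst))}:{h.dport}/{h.proto}" for h in hits]


# Constructed sample log: two benign flows, one junk line, two contacts with the C2 IPs.
SAMPLE_LOG = """\
2024-02-05T09:14:02Z src=10.20.30.41 dst=203.0.113.10 dport=443 proto=tcp
2024-02-05T09:14:09Z src=10.20.30.41 dst=185.73.124.164 dport=443 proto=tcp
2024-02-05T09:15:33Z src=10.20.30.77 dst=10.20.30.1 dport=53 proto=udp
this line is not a connection record
2024-02-05T09:16:01Z src=10.20.30.41 dst=109.236.80.191 dport=8443 proto=tcp
"""

if __name__ == "__main__":
    for alert in report(sweep(SAMPLE_LOG.splitlines())):
        print(alert)
```

Matching on `ipaddress` objects rather than raw strings avoids misses from leading zeros or stray whitespace in exported logs, and re-defanging in `report` keeps the alert text safe to paste into tickets.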
## Implications
TA866 is a continuously evolving threat actor demonstrating adaptability in their malware tooling and TTPs to effectively gain and maintain access to corporate networks to pursue their objectives. Their reliance on complex initial access vectors (malspam/malvertising through TDS) and established post-compromise toolkits indicates a persistent and organized operation.
## Mitigations
- Utilize **Cisco Secure Web Appliance** to block dangerous sites and test suspicious content.
- Employ **Firewall Management Center** for context-aware protection.
- Implement **Cisco Duo** for multi-factor authentication to restrict unauthorized access.
- Deploy defenses capable of detecting the observed malware families (WasabiSeed, WarmCookie, CSharp-Streamer-RAT, Rhadamanthys) using updated security signatures (the Snort/ClamAV rulesets listed in the source detail).