Thwarting a Russian-Based Cyberattack on a Global Bank

The financial services industry is, as Fraud Watch confirms*, always a particularly tempting target for phishing attacks. 

New insight has come to light on how HYAS Insight, an advanced threat intelligence and investigation platform, used WHOIS information and passive DNS data against AS200593, a Russia-based autonomous system tied to malicious indicators of compromise (IoCs) and used to target global organizations. 

Bulletproof web hosting services, like those under AS200593, provide an anonymous platform for malware and illicit activities such as phishing campaigns, and prevent cybersecurity teams from tracking and counteracting malicious campaigns. Bad actors then seize on the use of trusted and seemingly benign tools such as `livechat.exe` to target victims. 

Traditional methods of cyber monitoring are no match for the protective cover that bulletproof hosting services offer threat actors, so we were fascinated to see how HYAS Insight thwarted Russian adversary infrastructure AS200593’s attack attempt on a global bank.

The Attack

AS200593’s ploy was common but effective: setting up phishing domains specifically designed to target clients and users of global organizations, coaxing victims to reach out to IT for seemingly urgently needed assistance, and then getting them to download a malware-laden `livechat.exe` tool. Once installed, the executable opened a backdoor into the victim’s system that gave the attackers undetected remote access. 

The approach had worked countless times. But not this time. 

The Hunter Becomes the Hunted 

The bank leveraged the HYAS Insight threat intelligence and investigation platform’s advanced monitoring capabilities, which flagged the suspicious activities emanating from AS200593, including newly stood-up phishing domains that were yet to be otherwise identified as malicious. HYAS Insight’s comprehensive WHOIS information and passive DNS data let the cybersecurity team track the evolution and spread of these domains.

HYAS experts report that HYAS Insight “discovered that `livechat.exe`, the tool used by the attackers, inadvertently logged the external IP addresses communicating with the application, which surfaced additional Indicators of Compromise (IoCs) for HYAS Insight to pivot off of, and attribute the threat actor’s specific geolocation.” 

The origins and scope of the attack were revealed, and global organizations and law enforcement agencies moved to disrupt the organization and mitigate the threat. 

Even highly sophisticated and regularly retrained users are not immune to social engineering attacks.

New twists on long-standing tactics will continue to be used in attacks. Couple these tried-and-true tactics with the threat of advanced, AI-driven malware, and the level of organizational risk for prime targets such as the global bank expands exponentially.

But Insight is empowering:

Seemingly minor data points in cybersecurity, when coupled with the advanced insight to leverage them, are invaluable in preventing and thwarting crime.

Threat and fraud response teams, when provided with the advanced visibility to identify threat actors and adversarial infrastructure, work hand in hand with law enforcement to block and mitigate attacks.

By drawing on in-depth WHOIS data, HYAS Insight enabled the bank’s security and fraud teams to uncover the identities behind malicious domains, trace their origins and connections, and reveal patterns and potential vulnerabilities within the threat actor’s infrastructure. In this case, real-time monitoring of new domains set up within AS200593 alerted the teams to emerging threats.
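As an added illustration of the monitoring described above (example code, not HYAS’s platform or the bank’s tooling): flag domains first seen within a short window whose passive DNS resolutions land in prefixes attributed to the watched AS, then pivot on shared WHOIS registrant data to surface sibling domains that have not yet resolved. Every record, IP, prefix and contact below is a constructed placeholder; the article does not list AS200593’s prefixes or the phishing domains.

```python
import ipaddress
from datetime import date, timedelta

# Constructed passive DNS observations: (domain, first_seen, resolved IP).
# Domains, IPs and dates are placeholders, not indicators from the case.
PDNS = [
    ("support-portal-login.example", "2024-03-01", "203.0.113.10"),
    ("helpdesk-livechat.example",    "2024-03-02", "203.0.113.25"),
    ("archive.example",              "2021-06-14", "203.0.113.7"),
    ("cdn.example",                  "2024-03-02", "192.0.2.44"),
]

# Prefixes attributed to the watched AS. Placeholder TEST-NET range (RFC 5737),
# not AS200593's real announcements, which the article does not list.
WATCHED_AS = {"AS200593": [ipaddress.ip_network("203.0.113.0/24")]}

# Constructed WHOIS records keyed by domain; registrant contacts are placeholders.
WHOIS = {
    "support-portal-login.example": {"registrant": "contact-a@placeholder.example"},
    "helpdesk-livechat.example":    {"registrant": "contact-a@placeholder.example"},
    "it-verify-account.example":    {"registrant": "contact-a@placeholder.example"},
    "cdn.example":                  {"registrant": "noc@placeholder.example"},
}

def asn_for(ip):
    """Map an IP to a watched AS, or None if it falls outside every watched prefix."""
    addr = ipaddress.ip_address(ip)
    for asn, prefixes in WATCHED_AS.items():
        if any(addr in p for p in prefixes):
            return asn
    return None

def flag_new_domains(pdns, today, window_days=7):
    """Domains first seen within the window that resolve into a watched AS.
    Long-standing hosts in the same AS are not flagged, only freshly staged ones."""
    cutoff = date.fromisoformat(today) - timedelta(days=window_days)
    flagged = {}
    for domain, first_seen, ip in pdns:
        asn = asn_for(ip)
        if asn and date.fromisoformat(first_seen) >= cutoff:
            flagged[domain] = asn
    return flagged

def pivot_on_registrant(flagged, whois):
    """Registrant contacts shared by flagged domains point to sibling domains
    that WHOIS already knows about but passive DNS has not yet seen resolve."""
    contacts = {whois[d]["registrant"] for d in flagged if d in whois}
    return sorted(d for d, rec in whois.items()
                  if rec["registrant"] in contacts and d not in flagged)
```

Running `flag_new_domains(PDNS, "2024-03-03")` flags only the two recently staged hosts in the watched prefix, and the registrant pivot then surfaces the third sibling domain before it resolves anywhere.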

More on the attack, advice on user education, and actionable insight to attribute threats to specific sources are available at:

Organizations that suspect they may be under attack, or are concerned that their security team may not have found everything after their last breach, can contact HYAS for a complimentary security consultation at:

*Fraudwatch: Why phishing attacks target financial services and what are the risks?

Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.