HYAS Insight Uncovers and Mitigates Russian-Based Cyberattack

Russian-Based Adversary Infrastructure AS200593

In this blog, we review a recent case study and detail how HYAS Insight, an advanced threat intelligence and investigation platform, was used to leverage WHOIS information and passive DNS data to enhance the monitoring, tracking, and mitigation strategies against the sophisticated cyber threat, AS200593.

AS200593 is a Russian-based system tied to malicious indicators of compromise (IoCs), targeting global organizations. The financial services industry always makes for a tantalizing target for phishing attacks, and in this case, a threat actor was using AS200593 to host and operate phishing domains, employing tools like `livechat.exe` to compromise victim machines.

Bulletproof Hosting Services: A Haven for Criminals

The emergence of bulletproof hosting services presents a formidable challenge in cybersecurity. These services often operate without risk of law enforcement and provide a secure haven for cybercriminals to conduct operations with little oversight, posing a significant threat to organizational security.

Bulletproof hosting services, like those under AS200593, offer a platform for malicious activities, making it difficult for cybersecurity teams to track and counteract these operations. The use of `livechat.exe` in phishing domains is a cunning strategy, as it appears benign but can unleash significant harm once executed on a victim's machine.

Traditional methods of cyber monitoring face challenges against the protective layers provided by bulletproof hosting services. However, leveraging HYAS Insight's advanced capabilities can turn the tide.

Case Study

This case study delves into how we used HYAS Insight to effectively identify and monitor Russian adversary infrastructure AS200593 targeting a global bank.

Background

AS200593 was identified as a significant source of cyber threats. The threat actors behind this system employed a cunning strategy: setting up phishing domains specifically designed to target clients and users of global organizations. The primary attack vector was a deceptively simple yet effective one—tricking victims into reaching out for IT assistance and downloading a seemingly benign tool, `livechat.exe`. This executable, once installed, granted remote access to the threat actors.

The Attack Method

The modus operandi of the attackers was to create a sense of urgency or necessity around IT issues, luring unsuspecting victims into downloading `livechat.exe`. Once downloaded, this tool provided the attackers with a backdoor into the victim's system, allowing them to access sensitive information, monitor activities, or even deploy further malware.

Identify and Mitigate

The HYAS Insight threat intelligence and investigation platform played a pivotal role in identifying and mitigating this threat. The platform's advanced monitoring capabilities flagged the suspicious activities emanating from AS200593, particularly focusing on the newly stood-up phishing domains. By leveraging HYAS Insight's comprehensive WHOIS information and passive DNS data, the cybersecurity team could track the evolution and spread of these domains.

A significant breakthrough came when HYAS Insight discovered that `livechat.exe`, the tool used by the attackers, inadvertently logged the external IP addresses communicating with the application. This information provided HYAS with additional Indicators of Compromise (IoCs) to pivot off of, enabling the attribution of the threat actor to a specific geolocation. This discovery was instrumental in understanding the scope and origin of the attack.

Armed with this information, HYAS Insight could collaborate with global organizations and law enforcement agencies to mitigate the threat. The comprehensive intelligence provided by HYAS Insight may lead to the takedown of the phishing domains and the disruption of the threat actor's operations. This case not only highlights the effectiveness of HYAS Insight in combating sophisticated cyber threats but also underscores the importance of detailed analysis and the value of seemingly minor data points in cybersecurity.

Conclusion

Social engineering is a pervasive threat that impacts users of all skill levels. Users must be educated to consistently deny remote access to their devices to individuals they are not acquainted with. No financial institution would ever call a client to request a software installation. Scammers will often threaten legal or financial jeopardy to create a sense of urgency and reduce the victims ability to think critically.

The case of AS200593 is a stark reminder of the evolving nature of cyber threats and the sophistication of modern threat actors. It also showcases the crucial role of advanced cyber intelligence solutions like HYAS Insight in identifying, understanding, and mitigating these threats. By providing actionable intelligence and the ability to attribute threats to specific sources, HYAS Insight proves to be an invaluable asset in the global fight against cybercrime.

Learn More About HYAS Insight

An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack. This includes the origin and current infrastructure being used and any infrastructure.

Leveraging WHOIS Information

HYAS Insight provides in-depth WHOIS information, crucial for uncovering the identities behind malicious domains. Access to this database allows for tracing the origins and connections of these domains, revealing patterns and potential vulnerabilities within the threat actor's infrastructure.

Using Passive DNS Data to Track Phishing Domains

HYAS Insight's passive DNS data is instrumental in tracking the creation and movement of phishing domains. This data enables real-time monitoring of new domains set up within AS200593, alerting teams to emerging threats.

Under Attack? Not Sure If You’ve Found Everything After Your Last Breach?

Reach out to HYAS for a complimentary security consultation.

Back to Blog