Hackers are exploiting a Python clone of Microsoft’s Minesweeper game to embed malicious scripts in attacks against financial organizations in Europe and the US. The attacks, attributed to threat actor ‘UAC-0188’ by Ukraine’s CSIRT-NBU and CERT-UA, involve hiding Python scripts within legitimate Minesweeper code to download and install the SuperOps RMM remote management software. SuperOps RMM, although a legitimate tool, is used by hackers to gain unauthorized access to compromised systems, as reported by CERT-UA, which has identified at least five potential breaches across financial and insurance institutions.
The attack commences with phishing emails sent from spoofed addresses, enticing recipients to download a seemingly innocuous .SCR file from Dropbox under the guise of a medical center’s web archive. This file contains both benign Python Minesweeper code and concealed malicious Python scripts, downloaded from a remote source, in an attempt to evade detection by security software. By including Minesweeper code within the executable, hackers attempt to mask a 28MB base64-encoded string containing the harmful code, leveraging legitimate components to camouflage their cyberattack.
Furthermore, the Minesweeper code features a function, “create_license_ver,” repurposed to decode and execute the hidden malicious code, facilitating the installation of SuperOps RMM. Once decoded, the base64 string assembles a ZIP file containing an MSI installer for SuperOps RMM, which is then executed using a static password, granting unauthorized access to the victim’s computer. Organizations not using SuperOps RMM are cautioned by CERT-UA to remain vigilant for related network activity and indicators of compromise, underscoring the need for heightened cybersecurity measures to thwart such sophisticated attacks.
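For defenders triaging suspicious Python files, the pattern described above (an oversized base64 string literal that decodes to a ZIP archive carrying an MSI) can be checked statically without running the code. The following is an added example, not code from CERT-UA or the original report; the function names, the 512-character threshold and the sample input are assumptions constructed for illustration.

```python
import ast
import base64
import binascii
import io
import zipfile

MIN_LITERAL_LEN = 512        # assumed triage threshold; tune for your corpus
ZIP_MAGIC = b"PK\x03\x04"    # local file header that starts a ZIP archive

def scan_source(source):
    """Parse (never execute) Python source; report base64 literals holding a ZIP."""
    tree = ast.parse(source)
    owner = {}               # AST node -> name of the innermost enclosing function
    for fn in ast.walk(tree):
        if isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for inner in ast.walk(fn):
                owner[inner] = fn.name
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        text = "".join(node.value.split())   # tolerate wrapped literals
        if len(text) < MIN_LITERAL_LEN:
            continue
        try:
            raw = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            continue                         # not base64: ordinary string
        if not raw.startswith(ZIP_MAGIC):
            continue
        try:
            members = zipfile.ZipFile(io.BytesIO(raw)).namelist()
        except zipfile.BadZipFile:
            members = []                     # truncated or damaged archive
        findings.append({
            "line": node.lineno, "function": owner.get(node, "<module>"),
            "decoded_bytes": len(raw), "members": members,
            "has_msi": any(m.lower().endswith(".msi") for m in members)})
    return findings

def build_constructed_sample():
    """Constructed test input: game-like code plus an inert ZIP blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.msi", b"\0" * 600)   # filler, not an installer
    blob = base64.b64encode(buf.getvalue()).decode()
    return ("def draw_board():\n    return 'minesweeper'\n\n"
            f"def create_license_ver():\n    data = '{blob}'\n    return data\n")

if __name__ == "__main__":
    for hit in scan_source(build_constructed_sample()):
        print(hit)
```

A hit names the function that holds the literal, which points an analyst at the decode routine to review; archive member names are still listed when the archive is password-protected with standard ZIP encryption, because the file names are stored unencrypted.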