May 27, 2024 at 02:08AM
Hackers are using a Python clone of Minesweeper to conceal malicious scripts in attacks on US and European financial organizations, as reported by Ukraine’s CSIRT-NBU and CERT-UA. The attacks involve the installation of SuperOps RMM, granting unauthorized access. The email-based attack disguises the malicious code within the Minesweeper game, bypassing security software.
Key takeaways from the report:
1. Hackers are using a Python clone of Minesweeper to hide malicious scripts in attacks on European and US financial organizations.
2. The attacks have been attributed to a threat actor tracked as ‘UAC-0188’, who uses legitimate game code to hide Python scripts that download and install SuperOps RMM.
3. The SuperOps RMM, a legitimate remote management software, is being utilized by threat actors to gain unauthorized access to compromised systems.
4. The attack begins with an email pointing to a Dropbox link that delivers a seemingly innocuous 33MB .SCR file; the file contains both the Minesweeper game code and the malicious Python code.
5. The Minesweeper code is used to camouflage a base64-encoded string that holds the malicious code, so that the file appears benign to security software.
6. The attack chain decodes that hidden code to assemble and execute an MSI installer for SuperOps RMM, granting the attacker unauthorized access to the victim’s computer.
7. Organizations not using the SuperOps RMM product should treat its presence or related network activity as a sign of compromise.
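The technique in takeaways 5 and 6 (a large base64 string literal buried in otherwise legitimate Python source, decoded at run time into an installer) leaves a simple static fingerprint that defenders can hunt for. The scanner below is an added example, not code from CERT-UA's report or from the attackers' sample: it parses Python source with the `ast` module, pulls out unusually long string literals, checks whether they are valid base64, and classifies the decoded bytes by well-known file signatures (the OLE compound-file header used by MSI packages, PE, ZIP) or by the presence of embedded Python source. The `SAMPLE_SOURCE` it scans is a constructed mock "Minesweeper" module whose payload is a fake OLE header plus padding, not the real 33MB sample; the size threshold `MIN_LEN` and the signature table are assumptions for this example.

```python
import ast
import base64
import binascii
import re
import sys
from dataclasses import dataclass

# Well-known file signatures used to classify a decoded payload.
# The first entry is the OLE compound-file header that MSI packages use.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE compound file (MSI/Office)",
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP archive",
}
MIN_LEN = 256  # assumed threshold: shorter literals rarely carry a payload
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")


@dataclass
class Finding:
    lineno: int   # line of the suspicious literal in the scanned source
    length: int   # length of the base64 text
    kind: str     # what the decoded bytes look like


def classify(data: bytes) -> str:
    """Label decoded bytes by magic number, falling back to a source-code heuristic."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    if b"exec(" in data or b"import " in data:
        return "embedded Python source"
    return "unknown binary blob"


def try_decode(text: str):
    """Return the decoded bytes if `text` is strictly valid base64, else None."""
    compact = "".join(text.split())  # payloads are often wrapped across lines
    if not B64_RE.match(compact) or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_source(source: str) -> list[Finding]:
    """Find long string literals that decode as base64 and classify their content."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and len(node.value) >= MIN_LEN):
            decoded = try_decode(node.value)
            if decoded is not None:
                findings.append(Finding(node.lineno, len(node.value), classify(decoded)))
    return findings


def scan_file(path: str) -> list[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_source(fh.read())


# Constructed sample: a mock game module carrying a fake OLE header plus padding.
SAMPLE_PAYLOAD = base64.b64encode(
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 400).decode()
SAMPLE_SOURCE = f'''
import random

def new_board(w, h, mines):
    """Mock Minesweeper board generator (constructed sample)."""
    return [[random.random() < mines / (w * h) for _ in range(w)] for _ in range(h)]

BLOB = "{SAMPLE_PAYLOAD}"
'''


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = ([(p, f) for p in targets for f in scan_file(p)] if targets
               else [("<sample>", f) for f in scan_source(SAMPLE_SOURCE)])
    for path, f in results:
        print(f"{path}:{f.lineno}: {f.length}-char base64 literal -> {f.kind}")
```

Run it with one or more `.py` paths to scan real files, or with no arguments to scan the built-in sample. The check is a heuristic: a long run of letters can pass the base64 test and be reported as an "unknown binary blob", so treat the MSI/PE/ZIP classifications as the high-confidence hits and the rest as leads for manual review.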
The additional indicators of compromise (IoCs) that CERT-UA shares at the bottom of its report should be reviewed for further insight into this threat activity.