Hackers are using code from a Python clone of Microsoft's venerable Minesweeper game to hide malicious scripts in attacks on European and US financial organizations.
Ukraine's CSIRT-NBU and CERT-UA attribute the attacks to a threat actor tracked as 'UAC-0188', who is using the legitimate game code to hide Python scripts that download and install SuperOps RMM.
SuperOps RMM is legitimate remote monitoring and management software; once installed, it gives the remote actors direct access to the compromised systems.
CERT-UA reports that analysis following the initial discovery of this attack revealed at least five potential breaches involving the same files at financial and insurance institutions across Europe and the United States.
Attack details
The attack begins with an email sent from the address "support@patient-docs-mail.com", impersonating a medical center, with the subject "Personal Web Archive of Medical Documents."
The recipient is prompted to download a 33MB .SCR file from the provided Dropbox link. This file contains innocuous code from a Python clone of the Minesweeper game together with malicious Python code that downloads additional scripts from a remote source ("anotepad.com").
Including the Minesweeper code in the executable serves as cover for a 28MB base64-encoded string containing the malicious payload, in an attempt to make the file appear benign to security software.
In addition, the Minesweeper code contains a function named "create_license_ver" that is repurposed to decode and execute the hidden payload, so legitimate software components are used both to mask the attack and to carry it out.
The base64 string is decoded to reconstruct a ZIP file containing an MSI installer for SuperOps RMM, which is then extracted using a static password and executed.
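To make the decode-and-inspect step concrete, here is an added example (not code from the page or from the CERT-UA report). It constructs a stand-in script in the same shape as the trojanized one, a Minesweeper-style helper and a `create_license_ver` wrapper next to a large base64 literal, and then scans it the way a triage script would: pull out oversized base64 string literals, decode them, and check whether the result is a ZIP or an OLE/MSI container, listing ZIP members and their leading bytes. The sample script, the `installer.msi` member name, the 200-character threshold and the `zip_password` parameter are assumptions for illustration; the real sample's blob was 28MB and its archive was protected with a static password.

```python
import base64
import io
import re
import zipfile
from typing import Optional

# Magic bytes: a ZIP local file header, and the OLE compound-file header that
# MSI installers (like other Office-style containers) begin with.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Threshold for a "suspiciously large" base64 string literal. The reported
# sample carried a 28MB blob; 200 characters is an assumption chosen so the
# constructed input below trips the check.
MIN_B64_LEN = 200
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{%d,}={0,2})\1""" % MIN_B64_LEN)


def build_sample_script() -> str:
    """Construct a stand-in for the trojanized script (not the real sample).

    A Minesweeper-style helper and a decoding wrapper sit next to a base64
    literal that decodes to a ZIP whose single member starts like an MSI.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("installer.msi", OLE_MAGIC + b"\x00" * 300)  # fake MSI body
    blob = base64.b64encode(buf.getvalue()).decode()
    return (
        "import base64, random\n"
        "def create_license_ver(s):\n"
        "    return base64.b64decode(s)\n"
        f"PAYLOAD = '{blob}'\n"
        "def place_mines(width, height, mines):\n"
        "    return random.sample(range(width * height), mines)\n"
    )


def scan_source(src: str, zip_password: Optional[bytes] = None) -> list:
    """Find large base64 literals in Python source and classify what they decode to.

    Returns one dict per literal with its offset, decoded size, container type
    ('zip', 'ole/msi' or None) and, for ZIPs, each member's name, size and
    whether it begins with the OLE/MSI magic. zip_password is passed through
    for archives protected with a static password, as in the reported sample.
    """
    findings = []
    for m in B64_LITERAL.finditer(src):
        try:
            data = base64.b64decode(m.group(2), validate=True)
        except ValueError:
            continue  # long string literal, but not valid base64
        finding = {
            "offset": m.start(),
            "decoded_len": len(data),
            "container": None,
            "members": [],
        }
        if data.startswith(ZIP_MAGIC):
            finding["container"] = "zip"
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info, pwd=zip_password) as fh:
                        head = fh.read(len(OLE_MAGIC))
                    finding["members"].append(
                        (info.filename, info.file_size, head == OLE_MAGIC)
                    )
        elif data.startswith(OLE_MAGIC):
            finding["container"] = "ole/msi"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_source(build_sample_script()):
        print(f)
```

The check keys on the decoded bytes rather than on the literal itself, so renaming the variable or moving the blob into another function does not defeat it; an encrypted archive still yields a ZIP finding with member names, since ZIP central-directory metadata is not protected by the password.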
SuperOps RMM is a legitimate remote access tool, but in this case it is used to grant the attackers unauthorized access to the victim's computer.
CERT-UA notes that organizations that do not use the SuperOps RMM product should treat its presence, or related network activity such as connections to the "superops.com" or "superops.ai" domains, as a sign of compromise.
The agency has also shared additional indicators of compromise (IoCs) associated with this attack at the bottom of its report.
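As an added illustration of the detection guidance above (this is not code from the page or from CERT-UA), the following Python matches hostnames pulled from proxy and DNS log lines against the two SuperOps domains. The log format, the workstation names and the `allowed_hosts` allowlist are constructed assumptions; what it shows is matching on domain-label boundaries, so `api.superops.ai` is flagged while look-alikes such as `superops.ai.attacker.example` or `notsuperops.com` are not, and an organization that does use SuperOps legitimately can exempt its managed endpoints instead of ignoring the indicator entirely.

```python
import re
from typing import Iterable

# Domains CERT-UA names as SuperOps RMM infrastructure.
SUPEROPS_DOMAINS = ("superops.com", "superops.ai")

# A hostname inside one log token, optionally with a scheme, port or path.
HOST_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?::\d+)?(?:/.*)?$"
)

# Constructed sample log (not real data): "<timestamp> <source> <workstation> <details...>".
SAMPLE_LOG = """\
2024-05-20T10:01:02Z dns ws-14 query api.superops.ai A
2024-05-20T10:01:05Z proxy ws-14 CONNECT cdn.superops.com:443 200
2024-05-20T10:02:11Z dns ws-07 query superops.ai.attacker.example A
2024-05-20T10:02:30Z dns ws-22 query notsuperops.com A
2024-05-20T10:03:00Z proxy ws-09 GET https://www.example.com/ 200
2024-05-20T10:04:10Z proxy it-admin-01 CONNECT app.superops.ai:443 200
"""


def is_superops_host(host: str, domains: Iterable[str] = SUPEROPS_DOMAINS) -> bool:
    """True if host equals one of the domains or is a subdomain of it.

    Matching stops at label boundaries, so 'notsuperops.com' and
    'superops.ai.attacker.example' are not matched.
    """
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def hosts_in_line(line: str) -> list:
    """Extract every hostname-looking token from a log line."""
    hosts = []
    for tok in line.split():
        m = HOST_RE.match(tok)
        if m:
            hosts.append(m.group(1))
    return hosts


def find_superops_activity(log_text: str, allowed_hosts: Iterable[str] = ()) -> list:
    """Return (line_no, workstation, host) for SuperOps traffic from machines
    not on the allowlist.

    An organization that runs SuperOps legitimately lists its managed endpoints
    in allowed_hosts; one that does not use the product leaves it empty so that
    any hit is treated as a sign of compromise.
    """
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        workstation = fields[2]
        if workstation.lower() in allowed:
            continue
        for host in hosts_in_line(line):
            if is_superops_host(host):
                hits.append((n, workstation, host))
    return hits


if __name__ == "__main__":
    for hit in find_superops_activity(SAMPLE_LOG):
        print(hit)
```

Network indicators alone only tell you that something on the host spoke to SuperOps; pairing a hit with a check for the SuperOps agent's installation on that workstation is what turns it into an incident rather than a lead.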