Hackers cloned the Minesweeper game to phish financial orgs

May 28, 2024

Hackers are running an ongoing cybercriminal operation that uses the code of a Python clone of Microsoft’s classic Minesweeper game to hide malicious scripts and target European and American financial institutions.

Researchers attribute the attacks to a known threat actor, ‘UAC-0188,’ who uses legitimate code to conceal Python scripts that download and install SuperOps RMM. SuperOps RMM is legitimate remote management software, and in this campaign it gives the threat actors direct access to the compromised systems.

The researchers initially discovered the attack after identifying at least five potential breaches, all caused by identical files, at financial and insurance institutions across Europe and the United States.

Once a target falls for the phishing email, the attackers use the cloned Minesweeper game to carry out the rest of the attack.

According to the investigation, the attack starts with an email from “support@patient-docs-mail.com.” The email impersonates a medical facility and carries the subject “Personal Web Archive of Medical Documents.”

The email prompts the recipient to download a 33MB SCR file from a Dropbox link. This file contains benign code from a Python clone of the Minesweeper game alongside malicious Python code that downloads further scripts from a remote location (“anotepad.com”).

The Minesweeper code included in the executable conceals a 28MB base64-encoded string that houses the malicious code, helping the file appear harmless to security tools.

The Minesweeper code also includes a method called “create_license_ver,” which the actors repurposed to decode and execute the concealed malicious code. In this way the operators abuse legitimate software components to hide and carry out their attack.

Decoding the base64 string produces a ZIP file containing an MSI installer for SuperOps RMM, which is then extracted and run using a static password. SuperOps RMM is a legitimate remote access program, and here it gives the attackers unauthorised access to the victim’s PC.

Researchers advise enterprises that do not use SuperOps RMM to treat its presence, or related network activity such as connections to the “superops.com” or “superops.ai” domains, as an indicator of compromise. Organisations should make their security teams aware of this cybercriminal operation.
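As an added illustration of that advice (example code written for this page, not from the researchers or the article), here is a small Python check that flags proxy or DNS log lines naming superops.com or superops.ai. The log format, the sample lines and the allowlist of clients authorised to run SuperOps are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Domains named in the article as SuperOps RMM infrastructure.
SUPEROPS_DOMAINS = ("superops.com", "superops.ai")

# Constructed sample proxy/DNS log lines (not real traffic):
# <timestamp> <client-ip> <method> <url|host:port|host> <status|rrtype>
SAMPLE_LOGS = """\
2024-05-28T09:12:01Z 10.0.4.17 GET https://www.example.org/index.html 200
2024-05-28T09:12:44Z 10.0.4.17 CONNECT api.superops.ai:443 200
2024-05-28T09:13:02Z 10.0.4.23 GET https://notsuperops.com/landing 200
2024-05-28T09:13:40Z 10.0.4.17 DNS agent.superops.com A
2024-05-28T09:14:05Z 10.0.4.31 GET https://superops.com.evil.example/ 200
"""

# A host matches only if it is the domain itself or a true subdomain of it;
# look-alikes such as notsuperops.com or superops.com.evil.example do not.
def host_matches(host: str, domains=SUPEROPS_DOMAINS) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

# Pull the host out of a log field that may be a URL, host:port or bare name.
def extract_host(field: str) -> str:
    if "://" in field:
        return urlsplit(field).hostname or ""
    return field.rsplit(":", 1)[0] if re.search(r":\d+$", field) else field

# Return (client_ip, host) for every line that touches SuperOps domains,
# skipping clients on an allowlist of hosts that legitimately run SuperOps.
def find_superops_activity(log_text: str, allowlist=frozenset()):
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, field = parts[1], parts[3]
        host = extract_host(field)
        if host_matches(host) and client not in allowlist:
            hits.append((client, host))
    return hits

if __name__ == "__main__":
    for client, host in find_superops_activity(SAMPLE_LOGS):
        print(f"ALERT: {client} contacted SuperOps domain {host}")
```

Feeding real proxy or DNS exports through the same function, with the allowlist populated from the organisation's asset inventory, turns the article's guidance into a repeatable check.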
