Hackers have leveraged a Python clone of the popular Minesweeper game to infiltrate financial organizations in Europe and the United States. The Computer Security Incident Response Team of the National Bank of Ukraine (CSIRT-NBU) and the Computer Emergency Response Team of Ukraine (CERT-UA) attribute the attacks to a group tracked as 'UAC-0188'. By embedding malicious scripts in the game's code, the attackers installed SuperOps RMM, a legitimate remote monitoring and management (RMM) tool, on compromised systems and used it as their backdoor.
Attack Initiation
The attack begins with a phishing email from an address posing as a medical center. The email, titled "Personal Web Archive of Medical Documents," urges recipients to download a 33MB .SCR file from a Dropbox link. Despite the screensaver extension, a .SCR file is an ordinary Windows executable and runs when double-clicked. This one bundles the harmless Python Minesweeper code together with the malicious Python scripts; the benign game is there to get the file past security software and the user so the payload can be delivered.
The Minesweeper code serves a dual purpose: it masks the malicious intent and makes the file look legitimate. The executable carries a 28MB base64-encoded string that holds the hidden payload. A function in the Minesweeper code named "create_license_ver" is repurposed to decode that string and execute the result, so the decoding routine hides in plain sight as part of the game. Rather than writing a custom dropper, the attackers let legitimate-looking software components do the work.
Execution and Unauthorized Access
Decoding the base64 string reconstructs a password-protected ZIP archive containing an MSI installer for SuperOps RMM. The loader extracts the MSI with a static password embedded in the script and runs it. SuperOps RMM is a legitimate remote access tool, so the installer itself is not malware, but here it is used to give the attackers unauthorized remote control of the victim's machine. Because the agent is a commercial product, endpoint protection will typically not block it, and its traffic to the vendor's cloud looks like ordinary IT administration.
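The loader chain described above (a long base64 string inside a game script, decoding to a ZIP that holds an MSI) is easy to triage offline without running anything. The script below is an added example written for this article, not code from CERT-UA, SuperOps or the attackers: it finds long base64 runs in a file, decodes them, recognises ZIP and MSI (OLE2) headers, and lists ZIP member names, which are readable even when the contents are password-protected, so an analyst can see the installer inside before recovering the static password from the loader. The function names, the 4096-character threshold and the embedded sample file are all constructed for the example.

```python
import base64
import io
import re
import zipfile
from typing import List, Optional

# Minimum length (in characters) of a base64 run worth decoding. The real
# sample carried a ~28MB string; this threshold is a tuning assumption.
MIN_BLOB_LEN = 4096

ZIP_MAGIC = b"PK\x03\x04"
# Compound File Binary (OLE2) header, the container format used by .msi files.
MSI_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
EXEC_EXTS = (".msi", ".exe", ".scr", ".dll", ".ps1", ".bat")


def find_base64_blobs(data: bytes, min_len: int = MIN_BLOB_LEN) -> List[bytes]:
    """Decode every run of base64 text in data that is at least min_len chars."""
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    blobs = []
    for match in pattern.finditer(data):
        run = match.group(0)
        run += b"=" * (-len(run) % 4)  # repair missing padding
        try:
            blobs.append(base64.b64decode(run, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue  # long but not valid base64 (e.g. a hex dump)
    return blobs


def classify_payload(blob: bytes) -> dict:
    """Identify a decoded blob; for ZIPs list member names without extracting.
    Member names are stored in clear even when the contents are encrypted."""
    info = {"kind": "unknown", "size": len(blob), "members": [],
            "encrypted": False, "suspicious": False}
    if blob.startswith(ZIP_MAGIC):
        info["kind"] = "zip"
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for zi in zf.infolist():
                    info["members"].append(zi.filename)
                    # General-purpose bit 0 marks a traditionally encrypted entry.
                    if zi.flag_bits & 0x1:
                        info["encrypted"] = True
        except zipfile.BadZipFile:
            info["kind"] = "zip (unreadable)"
        info["suspicious"] = any(m.lower().endswith(EXEC_EXTS) for m in info["members"])
    elif blob.startswith(MSI_MAGIC):
        info["kind"] = "msi/ole2"
        info["suspicious"] = True
    return info


def extract_member(blob: bytes, name: str, password: Optional[bytes] = None) -> bytes:
    """Pull one member out of an in-memory ZIP, supplying the static password
    recovered from the loader when the archive is encrypted."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name, pwd=password)


def triage(data: bytes) -> List[dict]:
    """Full pass: find embedded base64, decode it and classify each payload."""
    return [classify_payload(b) for b in find_base64_blobs(data)]


def build_sample() -> bytes:
    """Constructed stand-in for the trojanised game (NOT the real sample):
    benign-looking Python text with a base64-encoded ZIP holding a fake .msi."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_STORED) as zf:
        # Fake MSI: correct OLE2 magic followed by filler, not a real installer.
        zf.writestr("SuperOpsAgent.msi", MSI_MAGIC + b"\x00" * 8192)
    encoded = base64.b64encode(zbuf.getvalue())
    return (b"import tkinter\n# minesweeper board setup ...\n"
            b"LICENSE = '" + encoded + b"'\n"
            b"def create_license_ver():\n    pass\n")


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Run it against the extracted Python source (or the raw .SCR, since the base64 text survives inside the bundle) and look for a ZIP whose members carry executable extensions; `extract_member` then pulls the MSI once the static password has been read out of the decoding function.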
Because the modified Minesweeper game looks and plays like a legitimate program, users are more likely to run it without suspicion. The attackers are believed to be financially motivated, targeting finance-sector organizations to steal sensitive data and potentially disrupt operations.
Indicators of Compromise
CERT-UA has published indicators of compromise (IoCs) to help organizations detect and contain these breaches. These include watching for unexpected SuperOps RMM activity on endpoints, such as the agent appearing on hosts that IT never provisioned, and for network traffic to domains such as "superops.com" or "superops.ai." If an organization does not use SuperOps, any connection to those domains is a strong indicator; if it does, hits should be correlated against the approved hosts and accounts. The agency advises financial institutions to remain vigilant and to verify the legitimacy of any software before installation.
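As an added example (not part of CERT-UA's advisory), here is how the domain indicators above can be run over proxy or DNS logs. Two details matter in practice: matching must respect the label boundary so that look-alike names such as notsuperops.com do not fire, and sources that legitimately use SuperOps (an IT jump host, say) must be excluded rather than ignored wholesale. The log layout, the hypothetical allow-list and the sample lines are all constructed for this example.

```python
import re
from typing import Iterable, List, Tuple

# Domains named in the CERT-UA indicators for SuperOps RMM traffic.
IOC_DOMAINS = ("superops.com", "superops.ai")

# Assumed log layout for this example: "<timestamp> <src_ip> <dst_host> <action>".
_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<action>\S+)$")

# Constructed sample lines, not real logs. Line 3 is a look-alike domain and
# must NOT match; line 5 comes from the (hypothetical) approved IT jump host.
SAMPLE_LOG = """\
2024-05-27T08:01:10Z 10.20.1.15 app.superops.ai ALLOW
2024-05-27T08:01:12Z 10.20.1.15 api.superops.com ALLOW
2024-05-27T08:02:00Z 10.20.1.22 notsuperops.com ALLOW
2024-05-27T08:02:30Z 10.20.1.22 SUPEROPS.AI. ALLOW
2024-05-27T08:03:05Z 10.20.9.9 app.superops.ai ALLOW
2024-05-27T08:03:07Z 10.20.1.30 updates.microsoft.com ALLOW
"""


def host_matches(host: str, domains: Tuple[str, ...] = IOC_DOMAINS) -> bool:
    """True if host equals an IoC domain or is a subdomain of one.
    Comparing on a label boundary avoids false hits such as notsuperops.com;
    case and a trailing root dot are normalised first."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def find_rmm_hits(lines: Iterable[str],
                  approved_sources=frozenset()) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source, host) for every IoC hit from an unapproved source."""
    hits = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than crash the sweep
        if host_matches(m["host"]) and m["src"] not in approved_sources:
            hits.append((m["ts"], m["src"], m["host"]))
    return hits


if __name__ == "__main__":
    for hit in find_rmm_hits(SAMPLE_LOG.splitlines(), approved_sources={"10.20.9.9"}):
        print("possible unauthorised SuperOps RMM traffic:", hit)
```

In an environment that has no SuperOps deployment the allow-list is simply empty, and every hit is worth an immediate look at the source host for the agent and the Minesweeper lure.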
This incident is part of a broader trend of sophisticated phishing attacks targeting the financial sector. Related developments include fake job interviews that lure developers into running a new Python backdoor, and the arrest of the creator and seller of Firebird RAT in the U.S. and Australia. These events underscore the ongoing threat of phishing and the importance of maintaining robust cybersecurity measures.