Hackers attack banks’ computers with a spoofed version of Minesweeper game

tl;dr

  • Hackers exploit Minesweeper game to target financial institutions in Europe and U.S.
  • Attack linked to 'UAC-0188' group, also known as "FRwL," using Python scripts to install SuperOps RMM.
  • Phishing emails deliver malicious code concealed within Minesweeper, providing remote access to compromised computers.

Hackers are reportedly using malicious scripts within a spoofed version of Microsoft’s classic Minesweeper game to launch attacks on financial organizations in Europe and the U.S.

Ukraine's cybersecurity teams, the Cyber Security Center of the National Bank of Ukraine (CSIRT-NBU) and the Government Computer Emergency Response Team of Ukraine (CERT-UA), have linked these attacks to a known threat actor identified as 'UAC-0188'. The hacking group is also referred to as "FRwL," which likely stands for "From Russia with Love," the title of a 1963 James Bond movie.

The group exploits the actual game code to conceal Python scripts that allow the download and installation of SuperOps RMM. It is said to be distributing phishing emails from the address “[email protected],” pretending to be a medical center.

These emails use the subject “Personal Web Archive of Medical Documents” and include a 33 MB attachment. The attachment is a .SCR file hosted on Dropbox, which contains the code from the well-known Minesweeper game for Windows.

The Minesweeper code includes a function called “create_license_ver” that has been modified to decode and execute the hidden malicious code. The legitimate SuperOps RMM program is then downloaded and installed from a ZIP file, providing attackers with remote access to the targeted computer.

CERT-UA confirmed that investigations into the cyberattack uncovered at least five possible intrusions involving the same files at financial and insurance organizations throughout Europe and the United States.

CERT-UA advises the following measures:

  • Organizations not using SuperOps RMM should confirm there is no network activity related to the domain names: [.]superops[.]com, [.]superops[.]ai
  • Improve employee cyber hygiene practices
  • Employ and routinely update antivirus software
  • Update operating systems and other software continuously
  • Implement robust passwords and update them frequently
  • Regularly back up critical data.
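The first item in the list above is the one check a defender can automate directly: an organization that does not use SuperOps RMM should see no resolution of, or traffic to, the two domains named in the advisory. The script below is an added example, not code from CERT-UA or from the article; it assumes a hypothetical "timestamp client query type name" DNS-log layout and uses constructed sample lines. It refangs the indicators as printed on the page ([.]superops[.]com, [.]superops[.]ai) and matches on domain-label boundaries so that look-alike names such as superops.com.evil.example do not produce false positives.

```python
import re
from typing import Iterable, List, Tuple

# Indicators exactly as defanged in the CERT-UA advisory quoted above.
DEFANGED_INDICATORS = ("[.]superops[.]com", "[.]superops[.]ai")

# Constructed sample DNS log lines in an assumed "ts client query type name"
# layout. These are illustrative only, not data from the incident.
SAMPLE_DNS_LOG = """\
2024-05-23T09:14:02Z 10.20.30.41 query A www.example.com
2024-05-23T09:14:07Z 10.20.30.41 query A agent.superops.ai
2024-05-23T09:15:11Z 10.20.30.55 query A cdn.superops.com
2024-05-23T09:15:30Z 10.20.30.41 query A superops.com.evil.example
2024-05-23T09:16:45Z 10.20.30.77 query A mysuperops.community
"""

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as '[.]superops[.]com' into a bare hostname."""
    name = indicator.replace("[.]", ".").replace("(.)", ".")
    return name.strip(".").lower()

# Watch list derived from the advisory's indicators: ('superops.com', 'superops.ai').
WATCHED_DOMAINS: Tuple[str, ...] = tuple(refang(i) for i in DEFANGED_INDICATORS)

def matches_watched(hostname: str, watched: Tuple[str, ...] = WATCHED_DOMAINS) -> bool:
    """True if hostname equals a watched domain or is a subdomain of one.

    Matching on the label boundary ('.' + domain) rejects names that merely
    contain the string, e.g. 'superops.com.evil.example' or 'mysuperops.community'.
    """
    host = hostname.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in watched)

# Assumed log layout: <timestamp> <client-ip> query <record-type> <queried-name>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$")

def find_superops_activity(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, queried_name) for every line that touches a watched domain."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        if matches_watched(m.group("qname")):
            hits.append((m.group("client"), m.group("qname")))
    return hits

if __name__ == "__main__":
    for client, qname in find_superops_activity(SAMPLE_DNS_LOG.splitlines()):
        print(f"{client} resolved {qname}: review host if SuperOps RMM is not sanctioned")
```

Run against the constructed sample, it reports the two hosts that resolved agent.superops.ai and cdn.superops.com and ignores the two look-alike names. In practice the same `matches_watched` check applies equally to proxy logs or firewall connection logs; only the line regex changes.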

Hackers use SuperOps RMM to launch phishing attacks

SuperOps RMM is a legitimate remote management tool; once installed on a victim's machine, it gives the attackers direct remote access to the systems they have compromised.

Ransomware gangs are increasingly exploiting legitimate Remote Monitoring and Management (RMM) tools in their attacks. RMM software like AnyDesk, Atera, and Splashtop is important for IT administrators to manage devices remotely across their networks.

However, these tools can also be misused by ransomware gangs to infiltrate corporate networks and steal data, enabling them to “live off the land.”

FromRussiaWithLove is a hacktivist group with ties to Russian state interests that surfaced during the Russia-Ukraine conflict in 2022. They have predominantly targeted sectors such as critical infrastructure, media, energy, and government.

FRwL has been associated with deploying the Vidar stealer and Somnia ransomware, using them as data wipers rather than for financial extortion.

Details on the targets and the number of organizations compromised by these tactics remain unclear.

Featured image: Ideogram / Canva


Suswati Basu
Tech journalist
