Hackers are reportedly using malicious scripts within a spoofed version of Microsoft’s classic Minesweeper game to launch attacks on financial organizations in Europe and the U.S.
Ukraine's cybersecurity teams, the Cyber Security Center of the National Bank of Ukraine (CSIRT-NBU) and the Government Computer Emergency Response Team of Ukraine (CERT-UA), have linked these attacks to a known threat actor identified as ‘UAC-0188’. The hacking group is also referred to as “FRwL,” which likely stands for “From Russia with Love,” the title of a 1963 James Bond movie.
The group uses the genuine game code as cover for Python scripts that download and install SuperOps RMM. It is said to be distributing phishing emails from the address “[email protected],” pretending to be a medical center.
These emails use the subject “Personal Web Archive of Medical Documents” and include a 33 MB attachment. The attachment is a .SCR file hosted on Dropbox, which contains the code from the well-known Minesweeper game for Windows.
The Minesweeper code includes a function called “create_license_ver” that has been modified to decode and execute the hidden malicious code. The legitimate SuperOps RMM program is then downloaded and installed from a ZIP file, providing attackers with remote access to the targeted computer.
CERT-UA confirmed that investigations into the cyberattack uncovered at least five possible intrusions involving the same files at financial and insurance organizations throughout Europe and the United States.
CERT-UA advises the following measures:
- Organizations not using SuperOps RMM should confirm there is no network activity related to the domain names: [.]superops[.]com, [.]superops[.]ai
- Improve employee cyber hygiene practices
- Employ and routinely update antivirus software
- Update operating systems and other software continuously
- Implement robust passwords and update them frequently
- Regularly back up critical data.
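A defender's check for the first recommendation above, written here as an added example (not part of the article or of CERT-UA's advisory): it refangs the two listed domains and flags any DNS query or proxy request to them or to their subdomains. The dnsmasq- and Squid-style log formats and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators exactly as the CERT-UA advisory lists them.
DEFANGED_DOMAINS = ["[.]superops[.]com", "[.]superops[.]ai"]


def refang(indicator: str) -> str:
    """'[.]superops[.]com' -> 'superops.com' (drop the leading separator)."""
    return indicator.replace("[.]", ".").lower().strip(".")


WATCHED = [refang(d) for d in DEFANGED_DOMAINS]


def matches_watched(hostname: str) -> bool:
    """True for a watched domain or any subdomain of it; look-alikes do not match."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED)


def hostname_from_field(field: str) -> str:
    """Extract the host from a bare FQDN, a host:port, or a full URL."""
    if "://" in field:
        return urlsplit(field).hostname or ""
    return field.split(":")[0]  # drop ':443' from a CONNECT target


# Constructed sample logs (assumed formats): dnsmasq-style DNS queries and Squid-style proxy lines.
SAMPLE_LOGS = [
    "May 24 10:01:02 dns dnsmasq[812]: query[A] api.superops.ai from 10.0.4.21",
    "May 24 10:01:05 dns dnsmasq[812]: query[A] www.example.com from 10.0.4.21",
    "May 24 10:01:09 dns dnsmasq[812]: query[A] notsuperops.com from 10.0.4.30",
    "1716544870.123 245 10.0.4.21 TCP_TUNNEL/200 3981 CONNECT agent.superops.com:443 - HIER_DIRECT/1.2.3.4 -",
    "1716544871.456 120 10.0.4.22 TCP_MISS/200 1020 GET http://intranet.local/index.html - HIER_DIRECT/10.0.0.5 text/html",
]

DNS_QUERY = re.compile(r"query\[\w+\]\s+(?P<target>\S+)\s+from\s+(?P<src>\S+)")
PROXY_LINE = re.compile(r"^\S+\s+\d+\s+(?P<src>\S+)\s+\S+\s+\d+\s+\w+\s+(?P<target>\S+)")


def find_rmm_activity(lines):
    """Return (source_ip, hostname) for every line that touches a watched domain."""
    hits = []
    for line in lines:
        m = DNS_QUERY.search(line) or PROXY_LINE.match(line)
        if m:
            host = hostname_from_field(m.group("target"))
            if matches_watched(host):
                hits.append((m.group("src"), host))
    return hits
```

Any hit on a network that does not use SuperOps RMM is worth triaging as a possible installation from the Minesweeper lure described above.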
Hackers use SuperOps RMM to launch phishing attacks
SuperOps RMM is legitimate remote management software; once installed on a victim's machine, it gives the attackers direct remote access to the system they have compromised.
Ransomware gangs are increasingly exploiting legitimate Remote Monitoring and Management (RMM) tools in their attacks. RMM software like AnyDesk, Atera, and Splashtop is important for IT administrators to manage devices remotely across their networks.
However, these tools can also be misused by ransomware gangs to infiltrate corporate networks and steal data, enabling them to “live off the land.”
FromRussiaWithLove is a hacktivist group with ties to Russian state interests that surfaced during the Russia-Ukraine conflict in 2022. They have predominantly targeted sectors such as critical infrastructure, media, energy, and government.
FRwL has been associated with deploying the Vidar stealer and Somnia ransomware, using them as data wipers rather than for financial extortion.
Details on the targets and the number of organizations compromised by these tactics remain unclear.
Featured image: Ideogram / Canva