Hackers have targeted financial institutions in Europe and the U.S. using a trojanized version of a Minesweeper game written in Python. According to Ukraine's incident response teams CSIRT-NBU and CERT-UA, the campaign, attributed to the threat actor tracked as 'UAC-0188', hides malicious Python code inside the otherwise legitimate source of the game in order to deliver its payload.
The operation starts with a phishing email from "[email protected]", posing as a medical center. The email links to a 33 MB .SCR file hosted on Dropbox; .SCR is the Windows screensaver extension, and such files are ordinary executables. The file looks benign because it carries the Minesweeper game's Python code, but it also embeds a 28 MB base64-encoded string that holds the real payload.
Decoding that string yields a ZIP archive containing an MSI installer for SuperOps RMM, a legitimate remote monitoring and management tool. Here it is abused rather than exploited: installing it simply hands the attackers remote access to the infected system through a product that security tooling tends to trust.
The Minesweeper code serves a dual purpose: it camouflages the harmful components from detection tools, and one of the script's functions, "create_license_ver", does the work of decoding the base64 string and running the payload. Hiding malware inside a harmless-looking application in this way is a familiar technique for getting past controls that judge a file by its visible, benign-looking code, and the 28 MB of base64 sitting in a game script is the kind of anomaly a reviewer would want to check for.
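The loader pattern described above (a long base64 string literal in a Python script that decodes to a ZIP holding an MSI) can be hunted for statically. The following is an added example written for this page, not code from the report or from the malware; it constructs a small stand-in script with the same shape (the function name "create_license_ver" is taken from the report, the game logic and the payload contents are invented, and the real blob was about 28 MB, not a few hundred bytes) and then scans it for quoted base64 runs, decodes them, and identifies what they contain by file magic, descending one level into any ZIP it finds.

```python
import base64
import binascii
import io
import re
import zipfile

# File-type magic for the artefacts in the reported chain: base64 -> ZIP -> MSI.
# An MSI is an OLE compound document, hence the D0 CF 11 E0 signature.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-msi",
    b"MZ": "pe",
}


def identify(raw: bytes):
    """Return a coarse file type for the first bytes of a decoded blob, or None."""
    for magic, kind in MAGIC.items():
        if raw.startswith(magic):
            return kind
    return None


# A quoted run of base64 characters. MIN_B64 is tiny so the constructed sample below
# triggers it; when scanning real scripts raise it to megabytes (the reported blob was ~28 MB).
MIN_B64 = 64
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{%d,}={0,2})["\']' % MIN_B64)


def find_embedded_payloads(source: str):
    """Scan Python source text for long base64 literals and report what they decode to."""
    findings = []
    for m in B64_LITERAL.finditer(source):
        literal = m.group(1)
        try:
            raw = base64.b64decode(literal, validate=True)
        except (binascii.Error, ValueError):
            continue  # long string, but not valid base64
        kind = identify(raw)
        members = []
        if kind == "zip":
            # Look one level inside the archive and type each member by magic too.
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                for name in zf.namelist():
                    members.append((name, identify(zf.read(name)[:8])))
        findings.append(
            {"offset": m.start(), "b64_len": len(literal), "kind": kind, "members": members}
        )
    return findings


def build_sample_script() -> str:
    """Constructed stand-in for a trojanized game script (not the real sample).
    The embedded ZIP holds a fake 'installer.msi' that is just the OLE magic plus zeros."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("installer.msi", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    blob = base64.b64encode(buf.getvalue()).decode("ascii")
    return (
        "import base64, io, zipfile\n"
        "\n"
        "def reveal_board(board):  # game logic: the cover\n"
        "    return [[cell for cell in row] for row in board]\n"
        "\n"
        "def create_license_ver():  # function name taken from the report\n"
        '    data = "' + blob + '"\n'
        "    raw = base64.b64decode(data)\n"
        "    # ... the real loader writes the ZIP out and launches the installer\n"
        "    return raw\n"
    )


if __name__ == "__main__":
    for hit in find_embedded_payloads(build_sample_script()):
        print(hit)
```

Run against a directory of .py files (or the Python source recovered from a PyInstaller-style .SCR), anything that reports kind "zip" with an "ole-msi" or "pe" member deserves a closer look regardless of what the surrounding game code does. The regex only catches a single contiguous literal; loaders that split the blob across concatenated strings or build it at runtime need the decoding stage to be emulated instead.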
CERT-UA advises that any unauthorized presence of SuperOps RMM, or network activity to its domains "superops.com" or "superops.ai", should be treated as an indicator of compromise. The qualifier matters: in an organization whose IT or MSP has sanctioned SuperOps, the domains alone prove nothing, and the check has to be reconciled with the list of hosts where the agent is expected. The initial investigation has already identified at least five potential breaches in the finance and insurance sectors.
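Turning the advisory's domain indicators into a check over DNS or proxy telemetry is mostly about matching correctly: the two domains and any subdomain should hit, while look-alike names that merely contain the string should not, and hosts where SuperOps RMM is sanctioned should be excluded. The following is an added example, not from the advisory; the log format (timestamp, source IP, contacted host) and the log lines themselves are constructed for illustration.

```python
# Domains named in the CERT-UA advisory.
SUPEROPS_DOMAINS = ("superops.com", "superops.ai")


def is_superops_host(host: str) -> bool:
    """True if host is one of the advisory domains or a subdomain of one.
    Uses label-boundary matching, not substring search, so 'notsuperops.com'
    and 'superops.ai.evil.test' do not hit; case and a trailing dot are normalised."""
    h = host.strip().lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in SUPEROPS_DOMAINS)


# Constructed log lines (timestamp, source IP, contacted host); not real telemetry.
SAMPLE_LOG = [
    "2024-05-24T09:58:11Z 10.20.1.15 www.example.org",
    "2024-05-24T09:59:40Z 10.20.1.15 api.superops.ai",
    "2024-05-24T10:00:02Z 10.20.1.22 notsuperops.com",
    "2024-05-24T10:00:45Z 10.20.1.22 superops.ai.evil.test",
    "2024-05-24T10:01:30Z 10.20.1.31 SUPEROPS.COM.",
]


def find_superops_activity(lines, authorized_sources=()):
    """Return (source_ip, host) for each line contacting SuperOps infrastructure.

    authorized_sources lists hosts on which SuperOps RMM is sanctioned; per the
    advisory only *unauthorized* presence is an indicator, so those are skipped.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line; real parsers should count these
        _ts, src, host = parts
        if src in authorized_sources:
            continue
        if is_superops_host(host):
            hits.append((src, host))
    return hits


if __name__ == "__main__":
    for src, host in find_superops_activity(SAMPLE_LOG):
        print(f"unauthorized SuperOps contact from {src}: {host}")
```

A hit is a lead, not a verdict: the next step is to confirm whether the SuperOps agent is actually installed on the source host and who installed it, since the advisory's indicator is the unauthorized presence of the tool rather than the domain lookup by itself.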