Python clone of Minesweeper used to attack European and US institutions
Using a Python clone of Microsoft’s beloved game Minesweeper, hackers try to obtain unauthorized remote access to European and US financial organizations.
The Cyber Security Incident Response Team of the National Banking System of Ukraine (CSIRT-NBU) and the Computer Emergency Response Team of Ukraine (CERT-UA) collectively recorded and analyzed a cyber attack against multiple Ukrainian organizations, as well as five financial and insurance institutions in Europe and the United States.
The attack began with an email sent from the address ‘[email protected]’ to potential victims. Using this address, the attackers tried to impersonate a medical center. The email contained a link to Dropbox, from which a 33 MB .SCR executable file would be downloaded. This file was created using PyInstaller and contained a legitimate Python clone of Microsoft’s well-known game Minesweeper.
At the same time, the file carried malicious Python code that downloads additional scripts from a remote source. One of those scripts is a 28 MB base64-encoded string whose sole purpose was to mislead security software into treating the code as benign.
Additionally, the Python clone of Minesweeper contained a function called “create_license_ver”. Its purpose was to conceal the malicious code used to facilitate the cyber attack.
The main objective of the malicious Python code, however, was to download and install SuperOps RMM. That is legitimate access management software, but in this case it was used to give third parties unauthorized, direct access to compromised computer systems.
CSIRT-NBU and CERT-UA believe that a threat actor called ‘UAC-0188’ is responsible for the cyber attacks on the Ukrainian, European and US financial organizations. The attacks were carried out in February and March.
CSIRT-NBU and CERT-UA recommend that system administrators of financial institutions make sure that there is no network activity associated with the domain names .superops.com and .superops.ai.
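The recommendation above turned into a check over web-proxy logs, as an added example that is not from the advisory or this article: the log lines are constructed, and the field layout (timestamp, client IP, method, URL or CONNECT target) is an assumption about the log format.

```python
from urllib.parse import urlsplit

# Domains named in the CSIRT-NBU / CERT-UA recommendation.
WATCHED_DOMAINS = ("superops.com", "superops.ai")

# Constructed sample proxy log lines (not real telemetry):
# timestamp, client IP, method, URL or CONNECT host:port target.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z 10.0.0.12 GET https://www.example.org/index.html
2024-03-04T09:12:07Z 10.0.0.12 CONNECT agent.superops.ai:443
2024-03-04T09:13:40Z 10.0.0.25 GET http://cdn.superops.com/setup/installer.exe
2024-03-04T09:14:02Z 10.0.0.31 GET https://notsuperops.com/landing
2024-03-04T09:15:55Z 10.0.0.12 GET https://SUPEROPS.COM/
"""

def extract_host(target: str) -> str:
    """Return the lower-cased host from a URL or a CONNECT host:port target."""
    if "://" in target:
        host = urlsplit(target).hostname or ""
    else:
        host = target.rsplit(":", 1)[0]  # strip the port from host:port
    return host.lower().rstrip(".")

def matches_watched_domain(host: str, watched=WATCHED_DOMAINS) -> bool:
    """True if host is a watched domain or one of its subdomains.

    Matching is on label boundaries, so 'notsuperops.com' does not match
    'superops.com' while 'agent.superops.ai' does match 'superops.ai'.
    """
    return any(host == d or host.endswith("." + d) for d in watched)

def flag_log_lines(log_text: str):
    """Return (line_number, client_ip, host) for every line that contacts a watched domain."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or empty lines
        host = extract_host(parts[3])
        if matches_watched_domain(host):
            hits.append((n, parts[1], host))
    return hits

if __name__ == "__main__":
    for n, ip, host in flag_log_lines(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {host}")
```

Hits from an approved SuperOps deployment would be expected; the check is meant to surface the domains where no such deployment exists.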