Background on the Threat 

Hackers are leveraging a Python clone of the classic Minesweeper game to hide malicious scripts. This sophisticated attack, attributed to the threat actor tracked as ‘UAC-0188,’ is targeting financial and insurance organisations in Europe and the United States. The attackers use this innocuous-looking game to distribute the SuperOps Remote Monitoring and Management (RMM) software, providing them unauthorised access to compromised systems. 

How the Attack Unfolds 

The attack chain begins with a phishing email, impersonating a medical centre, sent from the address “[email protected].” The email subject is “Personal Web Archive of Medical Documents,” and it prompts the recipient to download a 33MB .SCR file from a provided Dropbox link. This file contains both the benign Minesweeper game code and malicious Python scripts. 

Once downloaded, the Minesweeper code, which includes a function named “create_license_ver,” is repurposed to decode and execute the hidden malicious code. This code downloads additional scripts from a remote source, ultimately assembling a ZIP file that contains an MSI installer for SuperOps RMM. The installer is extracted and executed, granting the attackers direct access to the victim’s system using a static password. 

Attack chain (source: BleepingComputer)

Technical Details and Indicators of Compromise (IoCs) 

The inclusion of Minesweeper code within the executable helps disguise the 28MB base64-encoded string containing the malicious code, making it appear benign to security software. The decoded string assembles a ZIP file containing an MSI installer for the SuperOps RMM, which is executed to facilitate unauthorised access. 

CERT-UA reports at least five potential breaches involving the same files at financial and insurance institutions across Europe and the United States. The IoCs provided by CERT-UA include network activity to the domains “superops.com” and “superops.ai,” which should be treated as signs of compromise on any system where the SuperOps RMM product is not legitimately in use.

Preventive Measures 

To mitigate the risk of falling victim to such attacks, organisations and individuals should consider the following preventive measures: 

  1. Email Security: Be cautious of unsolicited emails, especially those prompting downloads. Verify the sender’s address and the legitimacy of the content.
  2. Network Monitoring: Monitor network activity for unusual patterns, especially calls to suspicious domains such as “superops.com” and “superops.ai.” 
  3. Endpoint Protection: Utilise robust endpoint protection solutions that can detect and block malicious activities. Ensure all security software is up to date.
  4. User Training: Educate employees about phishing attacks and the importance of not downloading attachments from unknown sources. 
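The network-monitoring measure above and the CERT-UA IoCs rest on one check: a lookup of “superops.com” or “superops.ai” from a host that is not supposed to run SuperOps RMM is suspicious. The script below is an added example, not code from the article or from CERT-UA; it implements that check over DNS query logs. The two IoC domains are from the article; the log line format, the hostnames, the timestamps and the allowlist of approved RMM hosts are all constructed for the example. Matching is done on the domain and its subdomains, so “agent.superops.ai” is flagged while a look-alike such as “notsuperops.com” is not.

```python
"""Flag DNS lookups for SuperOps RMM domains from hosts not approved to run it.

Added example: the IoC domains are those named by CERT-UA in the article; the
log format, hostnames and the allowlist of approved hosts are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# IoC domains reported by CERT-UA. Matched as the exact domain or any
# subdomain, so "api.superops.ai" hits but "notsuperops.com" does not.
IOC_DOMAINS = ("superops.com", "superops.ai")

# Hosts where SuperOps RMM is a sanctioned tool (constructed for the example).
# Lookups from these hosts are expected and are not alerted on.
APPROVED_RMM_HOSTS = {"it-admin-01"}

# Constructed log format: "<timestamp> <client host> <queried name> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    qname: str
    ioc: str


def matches_ioc(qname: str) -> Optional[str]:
    """Return the IoC domain that qname equals or is a subdomain of, else None."""
    name = qname.rstrip(".").lower()  # normalise trailing dot and case
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Alert]:
    """Parse DNS query log lines and return alerts for unsanctioned RMM lookups."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ioc = matches_ioc(m["qname"])
        if ioc is None:
            continue
        if m["host"].lower() in APPROVED_RMM_HOSTS:
            continue  # SuperOps is in use here; this is expected traffic
        alerts.append(Alert(m["ts"], m["host"], m["qname"], ioc))
    return alerts


# Constructed sample log: one benign lookup, one sanctioned RMM host, two hits
# from a finance workstation, and one look-alike domain that must not match.
SAMPLE_LOG = """\
2024-05-24T09:12:01Z fin-ws-17 www.example.com A
2024-05-24T09:12:03Z it-admin-01 api.superops.ai A
2024-05-24T09:12:05Z fin-ws-17 superops.com A
2024-05-24T09:12:06Z fin-ws-17 agent.superops.ai A
2024-05-24T09:12:07Z fin-ws-22 notsuperops.com A
"""

if __name__ == "__main__":
    for a in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.host} queried {a.qname} (IoC {a.ioc})")
```

The allowlist is what turns a raw domain match into a usable detection: as the article notes, the domains are only an indicator where SuperOps RMM is not a sanctioned product, so an environment that does use it should populate `APPROVED_RMM_HOSTS` from its asset inventory rather than suppress the rule entirely.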

What to Do if You’ve Been a Victim 

If you suspect that your system has been compromised by this or a similar attack, take the following steps immediately: 

  1. Isolate the Affected System: Disconnect the affected system from the network to prevent further spread of the malware.
  2. Conduct a Full Scan: Use comprehensive security software to perform a full system scan and identify any malicious activities. 
  3. Change Passwords: Change all passwords, especially those used for accessing critical systems and services. 
  4. Report the Incident: Report the breach to your organisation’s cyber security team and relevant authorities to help mitigate the threat and prevent future incidents. 
  5. Review Security Policies: Reassess and strengthen your organisation’s security policies and practices to avoid similar incidents in the future. 

The use of a Trojanised Minesweeper clone to distribute malicious software underscores the evolving nature of cyber threats. For more detailed information and updates on this threat, refer to the reports from CERT-UA and other cyber security resources below: