Hackers exploit a Python Minesweeper clone to infiltrate financial organizations, using hidden scripts to install remote access tools. Learn how to protect your systems.

Continue reading
In a sophisticated cyber attack targeting financial organizations in Europe and the United States, hackers have utilized a Python clone of Microsoft's classic Minesweeper game to conceal malicious scripts. This technique, reported by Ukraine's CSIRT-NBU and CERT-UA, is attributed to the threat actor identified as UAC-0188.
The attackers have ingeniously embedded Python code within the game to download and install SuperOps RMM, a legitimate remote management software, thereby gaining unauthorized access to compromised systems.
This Threatfeed delves into the technical intricacies of the attack, dissects the malicious code, and provides actionable insights for cybersecurity professionals.
The attack initiates with a phishing email from "[email protected]," masquerading as a medical center. The email subject, "Personal Web Archive of Medical Documents," lures recipients into downloading a malicious .SCR file from a Dropbox link. This 33MB file contains both harmless Minesweeper game code and hidden malicious Python scripts.
The .SCR file includes legitimate Minesweeper code along with a 28MB base64-encoded string. This string is designed to appear benign to security software. The Minesweeper code incorporates a function named "create_license_ver," repurposed to decode and execute the malicious code. The use of familiar, legitimate software components effectively masks the cyber attack.
The Python clone of Minesweeper includes embedded malicious scripts. Below is a simplified example of how the malicious code is concealed within the Minesweeper game code:
import base64
import os
def create_license_ver():
# Decoding base64 string
encoded_data = "BASE64_ENCODED_STRING"
decoded_data = base64.b64decode(encoded_data)
# Writing the decoded data to a file
with open("malicious.zip", "wb") as file:
file.write(decoded_data)
# Extracting and executing the ZIP file
os.system("unzip malicious.zip -d /tmp/malicious && cd /tmp/malicious && ./install.sh")This function, `create_license_ver`, decodes a base64 string to a ZIP file containing the SuperOps RMM installer. The script then extracts and executes this ZIP file, granting remote access to the attackers.
SuperOps RMM, typically a legitimate tool, is misused in this attack. Once installed, it provides attackers with direct access to the victim's system.
The MSI installer, extracted from the ZIP file, uses a static password for installation, bypassing standard security measures. The presence of SuperOps RMM on systems not using this tool is a clear indicator of compromise.
CERT-UA has shared several IoCs associated with this attack. Organizations should monitor for the following signs:
Organizations should enhance email filtering to block malicious attachments and links. Regular training sessions can help employees recognize phishing attempts.
Implement file integrity monitoring to detect unauthorized changes. Monitor for unusual file types, such as .SCR, being downloaded and executed.
Regularly analyze network traffic for connections to suspicious domains. Immediate action should be taken if traffic to "superops.com" or "superops.ai" is detected.
Conduct thorough reviews of all third-party code and applications. Use application whitelisting to prevent unauthorized software from running.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation