Hackers are exploiting code from a Python clone of Microsoft’s classic Minesweeper game to conceal malicious scripts in attacks targeting financial institutions in Europe and the US.
Ukraine’s CSIRT-NBU and CERT-UA have identified the threat actor ‘UAC-0188’ as responsible for these attacks. They are using the legitimate game code to hide Python scripts that download and install the SuperOps RMM (Remote Monitoring and Management) software. SuperOps RMM, though legitimate, provides remote actors with direct access to compromised systems.
CERT-UA’s investigation into the initial discovery has uncovered at least five breaches in financial and insurance sectors across Europe and the United States linked to these same files.
The attack initiates with an email from “support@patient-docs-mail.com,” posing as a medical center with the subject “Personal Web Archive of Medical Documents.” The email prompts recipients to download a 33MB .SCR file from a Dropbox link. This file includes harmless code from a Python clone of Minesweeper, alongside malicious Python code designed to download additional scripts from a remote source, “anotepad.com.”
Incorporating Minesweeper code within the executable helps disguise the 28MB base64-encoded string containing the malicious code, making it seem benign to security software. The Minesweeper code features a function named “create_li
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: