Game over: Hackers use a fake version of Minesweeper to trap victims
Russian hackers are targeting financial institutions in Europe and the United States with nostalgic gaming appeal.
Two security services in Ukraine – CSIRT-NBU and CERT-UA, have warned about a new phishing campaign being carried out by a threat actor they are tracking as “UAC-0188”. This group is also known as ‘FRwL’, which is most likely an abbreviation of ‘From Russia with Love’, a 1963 James Bond film.
The group sends phishing emails from “support@patient-docs-mail.com”, posing as a medical center. The emails have the subject line “Personal web archive of medical documents” and contain a 33 MB attachment, an .SCR file hosted on Dropbox that contains code from a Python clone of the famous Minesweeper Windows game. However, the clone also downloads additional scripts from an external source that, after a few more steps, eventually installs SuperOps RMM.
Abuse of SuperOps RMM
SuperOps RMM, short for Remote Monitoring and Management, is a software platform designed to help Managed Service Providers (MSPs) and IT professionals manage and monitor customers’ IT infrastructure remotely. It integrates various tools and functionalities to streamline IT operations, enhance security and improve efficiency.
The tool is legitimate, but is often misused, similar to what happened with Cobalt Strike. SuperOps RMM grants attackers remote access to compromised systems, which they can then use to deploy more serious malware or infostealers, capturing login credentials, sensitive data, banking information, and more.
IT administrators should monitor their network activity for the presence of SuperOps RMM, and if they don’t typically use the software (or know it isn’t installed at all), they should view the activity as a sign of compromise.
There was no word on who the usual targets are, or how many organizations the group managed to compromise.
Through BleepingComputer