Security News > 2024 > May > Hackers phish finance orgs using trojanized Minesweeper clone
Hackers are utilizing code from a Python clone of Microsoft's venerable Minesweeper game to hide malicious scripts in attacks on European and US financial organizations.
Ukraine's CSIRT-NBU and CERT-UA attribute the attacks to a threat actor tracked as 'UAC-0188,' who is using the legitimate code to hide Python scripts that download and install the SuperOps RMM. Superops RMM is a legitimate remote management software that gives remote actors direct access to the compromised systems.
This file contains innocuous code from a Python clone of the Minesweeper game along with malicious Python code that downloads additional scripts from a remote source.
Including Minesweeper code within the executable serves as a cover for the 28MB base64-encoded string containing the malicious code, attempting to make it appear benign to security software.
The Minesweeper code contains a function named "Create license ver" which is repurposed to decode and execute the hidden malicious code, so legitimate software components are used for masking and facilitating the cyberattack.
The base64 string is decoded to assemble a ZIP file that contains an MSI installer for SuperOps RMM, which is eventually extracted and executed using a static password.