Ukraine's Computer Emergency Response Team and the Cyber Security Center of the National Bank of Ukraine report that U.S. and European financial and insurance organizations have been targeted by the UAC-0188 threat operation, in attacks that use a trojanized Python clone of the Minesweeper game to stealthily deploy the SuperOps RMM remote access tool, BleepingComputer reports.
Intrusions begin with an email spoofing a medical center, sent from the "[email protected]" address, that contains a Dropbox link. The link leads to the download of an .SCR file that bundles the code of the cloned Minesweeper game with malicious Python code used to download further remote scripts, according to a report from CERT-UA.
The Minesweeper code in the executable both hides a base64-encoded string containing the malicious code and decodes and executes that string, which ultimately runs SuperOps RMM; the attackers then use that tool to gain remote access to the targeted organizations' computers, the researchers added.
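As an added illustration (not code from CERT-UA or BleepingComputer), the loader pattern described above, a large base64 string literal that is decoded and handed to exec(), is something a defender can flag statically in Python source; the sample scripts and the function names below are constructed for this example.

```python
import ast
import base64
import re

# Constructed sample mimicking the described loader: game-looking code that hides a
# base64 blob and decodes/executes it. The embedded payload here is harmless.
SAMPLE_LOADER = '''
import base64
BOARD_SIZE = 9
def draw_board():
    return [["."] * BOARD_SIZE for _ in range(BOARD_SIZE)]
_blob = "%s"
exec(base64.b64decode(_blob).decode())
''' % base64.b64encode(b"print('payload would run here')").decode()

# Constructed clean sample: ordinary game logic with no decode-and-execute step.
SAMPLE_CLEAN = '''
import random
def place_mines(n, size):
    return random.sample(range(size * size), n)
'''

# String constants made only of base64 characters and at least 16 chars long.
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")

def _is_exec_like(node):
    # exec(...) or eval(...) called directly by name
    return isinstance(node.func, ast.Name) and node.func.id in ("exec", "eval")

def _is_b64decode(node):
    # base64.b64decode(...) or a bare b64decode(...) after "from base64 import"
    f = node.func
    return (isinstance(f, ast.Attribute) and f.attr == "b64decode") or \
           (isinstance(f, ast.Name) and f.id == "b64decode")

def find_decode_and_exec(source):
    """Return findings: ("exec_of_b64decode", line) where exec/eval consumes a
    b64decode result, and ("base64_blob", name) for base64-looking string constants."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_exec_like(node):
            # look for a b64decode call anywhere inside the exec()/eval() arguments
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call) and _is_b64decode(sub):
                    findings.append(("exec_of_b64decode", node.lineno))
                    break
        elif isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            value = node.value.value
            if isinstance(value, str) and B64_RE.match(value):
                target = node.targets[0]
                name = target.id if isinstance(target, ast.Name) else "<expr>"
                findings.append(("base64_blob", name))
    return findings
```

The check is a heuristic: legitimate code also decodes base64, so findings are a triage signal to pair with the .SCR delivery and the SuperOps RMM installation the report describes, not a verdict on their own.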