Minesweeper Exploited: Cybercriminals Target Ukrainian Finances

Cybercriminals are using the Python code of Microsoft’s legendary game “Minesweeper” to conceal malicious scripts in attacks on financial and insurance organizations in Ukraine. This was reported by the research agencies CERT-UA and CSIRT-NBU, who attribute these attacks to a group called “UAC-0188.”

In their malicious campaign, the hackers utilize legitimate game code to hide Python scripts that download and install SuperOps RMM. SuperOps RMM is legitimate remote management software that allows attackers to gain access to compromised systems.

Minesweeper

CERT-UA’s research has revealed that this method has been used in at least five breaches in financial and insurance companies in Europe and the United States, indicating that the geography of the attacks is not limited to Ukraine and could potentially expand to other countries in the future.

The attack begins with an email sent from the address “support@patient-docs-mail.com,” purportedly representing a medical center. The email subject is “Personal Web Archive of Medical Documents.”

The recipient is asked to download a 33 MB file from Dropbox. This file contains the Python code for the “Minesweeper” clone and malicious Python code that downloads additional scripts from “anotepad.com.”

The game code is used to disguise a 28-megabyte base64 string containing the malicious code. The game also includes a “create_license_ver” function, which is used to decode and execute the hidden malicious code.

The base64 string is decoded, creating a ZIP file that contains an MSI installer for SuperOps RMM. This file is then extracted and executed using a static password.

SuperOps RMM is a legitimate remote access tool, but in this case, it is used to grant unauthorized access to the victims’ computers.

CERT-UA notes that organizations not using SuperOps RMM should consider its presence or related network activities, such as requests to domains “superops.com” or “superops.ai,” as indicators of compromise. The agency also shared additional indicators of compromise associated with this attack.