
Hackers use a Python clone of Minesweeper to target finance institutions


Published on May 27, 2024


Hackers are using code from a Python clone of Minesweeper to attack financial and insurance organizations in the United States and Europe. According to Bleeping Computer, the Computer Security Incident Response Team (CSIRT-NBU) and the Computer Emergency Response Team of Ukraine (CERT-UA) tracked the attack and attributed it to UAC-0188.

UAC-0188, also known as FromRussiaWithLove, is a Russian hacktivist group. The attackers use the Minesweeper code to hide Python scripts that install SuperOps RMM, a remote management tool that gives them access to the affected systems.

How do hackers use the Minesweeper code?


The attackers pose as a medical center, sending mail from the [email protected] address with the subject line "Personal Web Archive of Medical Documents."

The email contains a Dropbox link leading to a 33 MB .SCR file. That file holds the code from the Python clone of Minesweeper together with malicious code that downloads additional malware from anotepad.com.

The Python clone of Minesweeper serves as a decoy for the real payload: a 28 MB base64-encoded string that contains the malicious code. A function named create_license_ver inside the script decodes and executes that string, which hides the malicious code from security tools.

Once decoded, the string turns out to be a .ZIP archive containing SuperOps RMM. The script extracts the archive using a static password and then runs the RMM.

Cybersecurity specialists recommend treating any SuperOps RMM activity on your devices with suspicion, especially if your organization doesn't use the product. Also check for connections to the following domains: superops.com and superops.ai. In addition, keep your antivirus software updated, back up important data, and change your passwords regularly.
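As an added defender-side example (not code from the article, CERT-UA or SuperOps), the check below turns the two recommendations into something you can run: it scans a constructed proxy log for connections to superops.com and superops.ai from hosts where the RMM is not expected, and it applies a simple heuristic for the decoy technique, a very large base64 literal in a Python script that is decoded and executed. The log format, host names and the 4096-character threshold are assumptions.

```python
import re

# Domains the article says to check for (SuperOps RMM infrastructure).
WATCHED_DOMAINS = ("superops.com", "superops.ai")

# Constructed sample proxy log (not from a real incident):
# "timestamp src_host user dest_host bytes"
SAMPLE_LOG = """\
2024-05-27T09:12:01Z ws-finance-07 alice api.superops.ai 5120
2024-05-27T09:12:03Z ws-finance-07 alice cdn.example.com 88231
2024-05-27T09:13:10Z ws-claims-02 bob notsuperops.com 1200
2024-05-27T09:14:45Z ws-claims-02 bob superops.com 2048
2024-05-27T09:15:00Z it-admin-01 carol app.superops.com 4096
"""

def matches_watched(host: str) -> bool:
    """True only for a watched domain itself or one of its subdomains,
    so look-alikes such as notsuperops.com are not flagged."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def find_superops_calls(log_text: str, allowlisted_hosts=()):
    """Return (timestamp, src_host, dest_host) for every line that reaches a
    watched domain from a host where SuperOps is not expected.
    allowlisted_hosts: machines where the organisation legitimately runs it."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or malformed lines
        ts, src, _user, dest, _nbytes = parts[:5]
        if src in allowlisted_hosts:
            continue
        if matches_watched(dest):
            hits.append((ts, src, dest))
    return hits

# Heuristic for the decoy technique the article describes: a huge base64
# literal in Python source that is decoded and then executed.
def looks_like_base64_loader(source: str, min_len: int = 4096) -> bool:
    blob = re.compile(r"""(['"])[A-Za-z0-9+/=]{%d,}\1""" % min_len)
    has_blob = blob.search(source) is not None
    decodes = "b64decode" in source
    executes = bool(re.search(r"\bexec\(|\bsubprocess\.", source))
    return has_blob and decodes and executes

if __name__ == "__main__":
    for hit in find_superops_calls(SAMPLE_LOG, allowlisted_hosts=("it-admin-01",)):
        print("SuperOps traffic from unexpected host:", hit)
```

A hit is a lead, not proof: confirm it against the organization's RMM inventory before escalating.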

Ultimately, the Minesweeper malware is a serious threat that you shouldn’t treat lightly. CERT-UA revealed five similar files sent in the US and EU. So, be cautious, especially if you run a financial organization.


Sebastian Filipoiu

Sebastian is a content writer with a desire to learn everything new about AI and gaming. So, he spends his time writing prompts on various LLMs to understand them better. Additionally, Sebastian has experience fixing performance-related problems in video games and knows his way around Windows. Also, he is interested in anything related to quantum technology and becomes a research freak when he wants to learn more.
