A malicious attack aimed at gaining illegal access to systems within Ukrainian businesses through the use of SuperOps RMM, a remote control tool, was identified and analysed with the combined efforts of CSIRT-NBU and CERT-UA.
SuperOps RMM, or Remote Monitoring and Management, is a software platform for managed service providers (MSPs) and IT professionals. It allows them to administer and monitor customer IT systems remotely. The platform includes a variety of solutions to optimise IT processes, improve security, and increase productivity.
The hackers disguised malicious scripts in attacks on financial institutions in Europe and the US by using code from a Python clone of Microsoft’s popular Minesweeper game.
According to CERT-UA research, this attack turned up at least five possible breaches in banking and insurance organisations in the US and Europe.
An email from “support@patient-docs-mail.com,” pretending to be a medical facility, initiates the attack. The title of the email is “Personal Web Archive of Medical Documents”.
The instructions direct recipients to download a 33MB .SCR file from a Dropbox URL. In addition to malicious Python code that downloads other scripts from a remote site (“anotepad.com”), this file also includes unnoticed code from a Python clone of Minesweeper.
It is easier to hide the 28MB base64-encoded string containing malicious code by including Minesweeper code inside the executable. This method tries to make the file look insignificant to security software. The Minesweeper source also includes the method “create_license_ver”.
Attackers use this method to decode and execute hidden harmful code. The component hides and helps the cyberattack by utilising legitimate software components. The system generates an MSI installation for SuperOps RMM in a ZIP file after decoding the base64 text. After that, this installer is unzipped and run using a static password.
SuperOps RMM, like Cobalt Strike, is vulnerable to misuse. This programme gives attackers the ability to remotely access compromised systems. After breaking into a system, attackers enhance their strategies. They could release additional malware or pilfer sensitive information, including login passwords, financial information, and other vital data. Advanced phishing attacks utilise this strategy, particularly when targeting the financial sector.
CERT-UA has released numerous warnings of compromise (IoCs) to assist organisations in identifying and addressing these security incidents. SuperOps RMM monitoring and any network traffic involving names like “superops.com” or “superops.ai” are two important suggestions.
Administrators of IT systems need to exercise caution. SuperOps RMM found on their network without any prior installation or usage knowledge should be regarded as a possible indicator of compromise.
Phishing attacks are on the rise, and it is important to protect your organisation. One effective way to do this is by increasing user awareness about these types of attacks. Phishing Tackle is a great resource that can help you in this regard. They offer a free 14-day trial to help train your users to recognise and avoid phishing attacks.
Although technology can be helpful, it cannot spot 100% of phishing emails. Therefore, user education is important to minimising the impact of any successful attacks. Consulting with Phishing Tackle can provide valuable insights and tools to help you strengthen your defences against phishing attacks.