Russian hackers were found using legitimate remote monitoring and management software to spy on Ukraine and its allies.
The malicious scripts required for downloading and running the RMM program on the victims’ computers are hidden among the legitimate Python code of the “Minesweeper” game from Microsoft.
The Government Computer Emergency Response Team of Ukraine (CERT-UA), operating under the State Special Communications Service, warned that Russian cybercriminals are using the legitimate SuperOps RMM software program to gain unauthorized access to Ukrainian organizations’ information systems, particularly those in the financial sector.
The Cyber Security Center of the National Bank of Ukraine (CSIRT-NBU) and CERT-UA recorded and analyzed phishing emails sent to victims with a Dropbox link containing an executable file (.SCR) that was about 33 megabytes in size. The emails were sent from the address “[email protected],” which impersonated a medical center and had the subject line “Personal Web Archive of Medical Documents.”
The .SCR file contained a Python clone of the Minesweeper game along with malicious Python code that downloads additional scripts from a remote source “anotepad.com.” The Minesweeper code contained a function named “create_license_ver” which is repurposed to decode and execute the hidden malicious code.
The legitimate SuperOps RMM program is eventually downloaded and installed from a ZIP file, granting attackers remote access to the victim’s computer.
The CERT-UA found five similar files, named after financial and insurance institutions in Europe and the USA, indicating that these cyberattacks, which took place between February and March 2024, have a wide geographic reach. CERT-UA tracked this threat activity to an actor it identified as UAC-0188.
UAC-0118, also known as FRwL or FromRussiaWithLove, is a Russian state-aligned hacktivist threat actor group that emerged during the Russia-Ukraine war in 2022. They primarily targeted critical infrastructure, media, energy and government entities.
FRwL has been previously linked to the use of the Vidar stealer and Somnia ransomware, which they employ as a data wiper rather than for financial gain. While there is no direct evidence linking FRwL to the Russian Main Intelligence Directorate, it is possible that they coordinate activities with state-aligned hacktivist groups.
Possible Defense Against Ongoing Remote Monitoring Campaign
CERT-UA recommends the following:
- Organizations not using SuperOps RMM should verify the absence of network activity associated with the domain names: [.]superops[.]com, [.]superops[.]ai.
- Improve employee cyber hygiene.
- Use and constantly update anti-virus software.
- Regularly update operating systems and software.
- Use strong passwords and change them regularly.
- Back up important data.
Ukrainian Financial Institutions Also on Smokeloader’s Radar
The financially motivated group UAC-0006 has actively launched phishing attacks targeting Ukraine through 2023. CERT-UA reported the resurfacing of UAC-0006 in spring 2024, with hackers attempting to distribute Smokeloader, a common malware in the group’s toolkit. This threat group’s goal has primarily been to steal credentials and execute unauthorized fund transfers, posing a significant risk to financial systems.
SmokeLoader is a malicious bot application and trojan that can evade security measures to infect Windows devices. It can then install other malware, steal sensitive data and damage files, among other issues.
Throughout 2023, UAC-0006 conducted several phishing campaigns against Ukraine, exploiting financial lures and using ZIP and RAR attachments to distribute Smokeloader
CERT-UA last week issued another warning about a significant surge in UAC-0006 activity. Hackers have conducted at least two campaigns to distribute Smokeloader, displaying similar patterns to previous attacks. The latest operations involve emails with ZIP archives containing images that include executable files and Microsoft Access files with macros that execute PowerShell commands to download and run other executable files.
After initial access, the attackers download additional malware, including TALESHOT and RMS. The botnet currently consists of several hundred infected computers.
CERT-UA anticipates an increase in fraudulent operations involving remote banking systems and thus, strongly recommends enhancing the security of accountants’ automated workstations and ensuring the implementation of necessary policies and protection mechanisms to reduce infection risks.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.