Russian hackers are targeting financial institutions in Europe and the United States with a nostalgia-laden gaming lure.
Two security agencies in Ukraine – CSIRT-NBU, and CERT-UA, hae warned of a new phishing campaign conducted by a threat actor they track as “UAC-0188”. This group is also known as “FRwL”, which is most likely an abbreviation of “From Russia with Love”, a 1963 James Bond film.
The group is sending phishing emails from “support@patient-docs-mail.com,” pretending to be a medical center. The emails come with the subject line “Personal Web Archive of Medical Documents,” and carry a 33 MB attachment, a .SCR file hosted on Dropbox containing code from a Python clone of the famous Minesweeper Windows game. However, the clone also downloads additional scripts from a remote source which, after a few more steps, end up installing SuperOps RMM.
Abusing SuperOps RMM
SuperOps RMM, short for Remote Monitoring and Management, is a software platform designed to assist managed service providers (MSPs) and IT professionals in managing and monitoring client IT infrastructure remotely. It integrates various tools and functionalities to streamline IT operations, enhance security, and improve efficiency.
The tool is legitimate, but often abused, similar to what happened to Cobalt Strike. SuperOps RMM grants the attackers remote access to the compromised systems, which they can then use to deploy more serious malware or infostealers, grabbing login credentials, sensitive data, banking information, and more.
IT admins should monitor their network activity for the presence of SuperOps RMM, and if they don’t usually use the software (or know not to have it installed at all), should treat the activity as a sign of compromise.
There was no word on who the usual targets are, or how many organizations the group managed to compromise.
Via BleepingComputer