CERT-UA warns of cyberattacks via remote access program


The Governmental Computer Emergency Response Team of Ukraine, CERT-UA, which operates under the State Special Communications Service, warns about the activities of cybercriminals who use a legitimate remote-management program, SuperOps RMM, to gain unauthorized access to the information systems of Ukrainian organizations.

How the attack works

The joint efforts of the National Bank of Ukraine’s Cyber Defense Center and CERT-UA detected and analyzed cyberattacks that sent victims emails with a link to Dropbox containing an executable file (.SCR) of about 33 MB.

The file was created using PyInstaller and contains, among other things, legitimate Python code of the game “Minesweeper” and a base64-encoded string of 28 MB.

At the same time, the rest of the program code downloads (from the anotepad.com service), decodes (base64) and executes a Python script. The purpose of the downloaded Python code is to call the “create_license_ver” function from the Minesweeper code, whose argument is the concatenation of a base64-encoded string from the downloaded script and the 28 MB base64 string contained in the original SCR file.

Subsequently, as a result of string concatenation and decoding, a ZIP archive will be obtained, from which, using a statically specified password, an MSI file representing a legitimate SuperOps RMM program will be extracted and executed. Running this program on a computer will provide third parties with unauthorized remote access to the computer.

CERT-UA conducted additional research and found five similar files bearing the names of financial and insurance institutions in Europe and the United States. This indicates that such cyberattacks have been carried out since February – March 2024 and have a fairly wide geographic reach. The described cluster of cyber threats is tracked under the identifier UAC-0188.


Recommendations of CERT-UA

  • Organizations that do not use the SuperOps RMM product are advised to ensure that there is no network activity associated with the following domain names: .superops.com, .superops.ai.
  • Take steps to improve employee cyber hygiene.
  • Use and keep up-to-date anti-virus software.
  • Keep your operating systems and software up to date.
  • Use strong passwords and change them regularly.
  • Back up your important data.
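The first recommendation above is a concrete check: hosts that should not be running SuperOps RMM should generate no lookups for superops.com or superops.ai. The following script is an added example, not CERT-UA's own code, that runs that check over DNS log lines; the dnsmasq-style log format and the sample lines are constructed assumptions, so adapt the regex to your resolver's format.

```python
import re
from collections import Counter

# Domains named in the CERT-UA advisory. Matched as suffixes so that subdomains
# (e.g. agent.superops.ai) are caught but look-alikes such as notsuperops.com are not.
WATCHED_SUFFIXES = ("superops.com", "superops.ai")

def is_watched_domain(name: str) -> bool:
    """True if name is one of the watched domains or a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in WATCHED_SUFFIXES)

# Constructed sample log in a dnsmasq-style "query[TYPE] name from client" format
# (assumption: real resolver logs differ; adjust LINE_RE accordingly).
SAMPLE_DNS_LOG = """\
May 21 10:14:02 dns dnsmasq[812]: query[A] www.example.org from 10.0.5.23
May 21 10:14:09 dns dnsmasq[812]: query[A] agent.superops.ai from 10.0.5.41
May 21 10:14:11 dns dnsmasq[812]: query[AAAA] notsuperops.com from 10.0.5.23
May 21 10:15:30 dns dnsmasq[812]: query[A] cdn.superops.com. from 10.0.5.41
May 21 10:16:02 dns dnsmasq[812]: query[A] mail.example.org from 10.0.5.77
"""

LINE_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)")

def find_superops_queries(log_text: str) -> list:
    """Return (client, queried_name) pairs for every lookup of a watched domain."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and is_watched_domain(m.group("qname")):
            hits.append((m.group("client"), m.group("qname").rstrip(".")))
    return hits

def clients_to_review(log_text: str) -> Counter:
    """Count hits per client; any count on a host not licensed for SuperOps RMM needs a look."""
    return Counter(client for client, _ in find_superops_queries(log_text))

if __name__ == "__main__":
    for client, name in find_superops_queries(SAMPLE_DNS_LOG):
        print(f"{client} looked up {name}")
    print(clients_to_review(SAMPLE_DNS_LOG))
```

A hit on a host that is not part of your SuperOps RMM deployment is the condition the advisory describes and should be triaged as a possible UAC-0188 intrusion rather than dismissed as noise.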
