May 27, 2024
Severity
High
Analysis Summary
Threat actors are using malicious scripts hidden in code from a Python clone of Microsoft's classic Minesweeper game to target financial institutions in the US and Europe.
Researchers attribute the activity to 'UAC-0188', a threat actor who uses the bogus code to conceal Python scripts that download and install SuperOps RMM. SuperOps RMM is a legitimate remote management tool, and once installed it gives the remote actors direct access to the compromised systems. At the time of the attack's initial disclosure, at least five possible breaches involving the same files had been identified at financial and insurance institutions across Europe and the US.
The email that starts the attack looks like it comes from a medical facility and has the subject "Personal Web Archive of Medical Documents". The receiver is directed to the Dropbox link provided to download a 33 MB .SCR file. Innocuous code from a Python Minesweeper clone and malicious Python code that downloads further scripts from a remote site are both present in this file.
The executable includes the Minesweeper code as cover so that the 28 MB base64-encoded string carrying the malicious code appears benign to security tools. A method from the Minesweeper code named "create_license_ver" is repurposed to decode and execute the disguised payload, so legitimate software components are used both to facilitate and to mask the attack.
Decoding the Base64 text yields a ZIP file containing the SuperOps RMM MSI installer; the archive is extracted with a static password and the installer is run. Although SuperOps RMM is a legitimate remote access program, in this instance it is used to give the attackers unauthorized access to the victim's computer. Researchers warn that organizations which do not use SuperOps RMM should treat any mention of it, or any associated network activity such as requests to the "superops.com" or "superops.ai" domains, as evidence of potential compromise.
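As an added, defender-side example (not code from the original advisory), the following Python applies the two detection points above: it flags proxy log entries whose host is superops.com, superops.ai or the listed yemmyusa.com domain (matching subdomains but not lookalikes), and it scans a Python source file for very large base64 string literals of the kind used to smuggle the payload. The domain list, the sample log lines and the 4096-character threshold are constructed assumptions.

```python
import ast
import base64
import binascii
import re
from urllib.parse import urlparse

# Domains the advisory says to treat as evidence of compromise when SuperOps RMM
# is not sanctioned in the environment, plus the listed C2-related domain.
SUSPECT_DOMAINS = ("superops.com", "superops.ai", "yemmyusa.com")

# Constructed proxy log lines: "<timestamp> <src_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2024-05-27T10:01:02Z 10.0.0.5 GET https://www.example.org/index.html 200
2024-05-27T10:02:15Z 10.0.0.5 GET https://anotepad.com/notes/2d94hf6q 200
2024-05-27T10:02:40Z 10.0.0.5 GET https://agent.superops.ai/msi/installer 200
2024-05-27T10:03:01Z 10.0.0.9 GET https://superops.com.evil.example/x 200
"""

def host_matches(host, domains=SUSPECT_DOMAINS):
    """True if host equals one of the domains or is a subdomain of one (not a lookalike)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def flag_proxy_lines(log_text):
    """Return (src_ip, host) for each log line whose URL host matches a suspect domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlparse(parts[3]).hostname or ""
        if host_matches(host):
            hits.append((parts[1], host))
    return hits

# Loader-side heuristic: a benign-looking Python program that carries a huge
# base64 literal which is decoded at runtime. The size threshold is an assumption.
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")

def find_large_base64_literals(source, min_len=4096):
    """Return (line_number, length) for string constants that decode as base64."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            s = node.value
            if len(s) >= min_len and B64_RE.match(s):
                try:
                    base64.b64decode("".join(s.split()), validate=True)
                except binascii.Error:
                    continue
                found.append((node.lineno, len(s)))
    return found
```

Run the scanner over the extracted Python source of a suspect .SCR/PyInstaller bundle rather than the binary itself; the domain check is meant for proxy or DNS logs in environments where SuperOps RMM is not in use.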
Impact
- Unauthorized Access
- Security Bypass
- Code Execution
- Financial Loss
Indicators of Compromise
Domain Name
- yemmyusa.com
MD5
SHA-256
SHA1
URL
- https://anotepad.com/notes/2d94hf6q
- https://anotepad.com/notes/2st44b98
- https://anotepad.com/notes/4qrjbatw
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Be vigilant when downloading software and double-check the URL to see if it is legitimate.
- Never download software from untrusted sources.
- Download apps only from official app stores like Google Play Store or Apple App Store. Avoid downloading apps from third-party websites or unofficial sources.
- Review the permissions requested by apps before installing them. Be cautious of apps that request unnecessary permissions or access to sensitive data.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Keep your operating system and apps up-to-date with the latest security patches and updates.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Be cautious of unsolicited messages, emails, or links, especially from unknown or suspicious sources. Avoid clicking on suspicious links or downloading attachments from untrusted sources.
- Patch and upgrade all platforms and software in a timely manner and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Regularly backup your data to a secure location, such as a cloud storage service or external hard drive.
- Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.