EXECUTIVE SUMMARY
A sophisticated cyber attack aimed at Ukrainian organizations has been identified, involving the use of the legitimate SuperOps RMM program for unauthorized remote computer access. This campaign, tracked under the identifier UAC-0188, has shown a broader impact, targeting financial and insurance institutions across Europe and the USA. The attack mechanism involves deceptive email tactics and the exploitation of legitimate software, highlighting the growing threat of supply chain attacks in cybersecurity.
The attack begins with the victim receiving an email containing a link to a Dropbox file. The file, an executable (.SCR) around 33MB in size, is built with PyInstaller and bundles the legitimate Python code of the Minesweeper game together with a 28MB base64-encoded string. Upon execution, the program downloads additional Python code from the anotepad.com service, which is then decoded and executed. This code calls the "create_license_ver" function from the embedded Saper module, passing it the concatenation of the base64 string from the initial SCR file and the downloaded script. The resulting string, once decoded, produces a ZIP archive containing an MSI file. This MSI file, extracted using a static password, installs the legitimate SuperOps RMM program, thereby granting the attackers unauthorized remote access.
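The dropper described above carries its payload as one very long base64 string whose decoded form is a ZIP archive holding an MSI. A triage script can surface that pattern without running the sample: find long base64 runs in a file and check whether their decoded prefix starts with a ZIP or MSI (OLE compound file) header. The following is an added example, not code from the advisory or from the sample it describes; the dropper stand-in it scans is constructed in memory (a script text with a small embedded ZIP containing a placeholder "setup.msi"), and the 1024-character minimum run length is an arbitrary choice, far below the 28MB blob the advisory reports.

```python
"""Static triage: find long base64 runs in a script and test whether they
decode to a ZIP or an MSI (OLE compound file) header.  The sample input is
constructed below; it is not the advisory's sample."""
import base64
import io
import re
import zipfile

# Runs of base64-alphabet characters; 64 is only a floor, callers pass a
# larger minimum to skip the short encoded strings ordinary scripts contain.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Leading magic bytes of the two container formats in the described chain.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-cf (msi)",
}


def classify(decoded: bytes) -> str:
    """Name the container type by its leading magic bytes."""
    for magic, name in MAGIC.items():
        if decoded.startswith(magic):
            return name
    return "unknown"


def find_blobs(data: bytes, min_len: int = 1024) -> list:
    """Return long base64 runs with the container type their prefix decodes to."""
    hits = []
    for m in BASE64_RUN.finditer(data):
        run = m.group(0)
        if len(run) < min_len:
            continue
        # Base64 decodes in 4-character groups, so decoding a 1024-character
        # prefix reads the header without materialising a multi-megabyte blob.
        try:
            head = base64.b64decode(run[:1024])
        except ValueError:
            head = b""
        hits.append({"offset": m.start(), "length": len(run),
                     "kind": classify(head), "run": run})
    return hits


def zip_members(run: bytes) -> list:
    """Fully decode a run and list ZIP member names (no password needed for names)."""
    try:
        with zipfile.ZipFile(io.BytesIO(base64.b64decode(run))) as zf:
            return zf.namelist()
    except (ValueError, zipfile.BadZipFile):
        return []


def build_sample() -> bytes:
    """Constructed stand-in for the dropper: script text with an embedded base64 ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder member carrying only the OLE magic; not a real installer.
        zf.writestr("setup.msi",
                    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 2000)
    payload = base64.b64encode(buf.getvalue())
    return (b"import base64\n"
            b"KEY = 'aGVsbG8gd29ybGQ='\n"      # short string, below the threshold
            b"PAYLOAD = '" + payload + b"'\n")


if __name__ == "__main__":
    for hit in find_blobs(build_sample()):
        print(hit["offset"], hit["length"], hit["kind"], zip_members(hit["run"]))
```

Because the advisory notes that the string embedded in the SCR is only one part of the final base64 text (the rest arrives from anotepad.com), a real sample may classify as "unknown" here; the length of the run is then the signal worth flagging on its own.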
Organizations that do not use the SuperOps RMM product are advised to monitor and verify the absence of network activity associated with the domain names *.superops.com and *.superops.ai. The widespread nature of this attack underscores the necessity for heightened vigilance and robust security measures. By understanding the methods employed in this campaign, organizations can better protect themselves against similar threats and mitigate potential risks.
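The monitoring advice above amounts to a suffix match on resolved or proxied hostnames. The following is an added example, not part of the advisory: it scans DNS-style log lines for the SuperOps domains named in the text (and the anotepad.com staging service, also named in the text), matching on registrable suffix so that a look-alike such as "notsuperops.com" or a name that merely embeds "superops.com" in the middle does not trigger. The log format and the sample lines are constructed for the example and are not a vendor format.

```python
"""Flag log entries for domains tied to the described SuperOps RMM campaign.
Sample log lines and their 'timestamp client query host' shape are constructed
for this example."""
import re

# Domains named in the advisory: SuperOps RMM infrastructure and the
# anotepad.com service used to stage the second-stage Python code.
WATCHED_SUFFIXES = ("superops.com", "superops.ai", "anotepad.com")

# Constructed sample lines (assumed format, not a vendor log format).
SAMPLE_LOG = """\
2024-05-20T09:01:12Z 10.0.0.15 query www.example.org
2024-05-20T09:02:40Z 10.0.0.15 query api.superops.ai
2024-05-20T09:02:41Z 10.0.0.22 query notsuperops.com
2024-05-20T09:03:05Z 10.0.0.15 query anotepad.com
2024-05-20T09:03:09Z 10.0.0.31 query agent.superops.com.evil.test
2024-05-20T09:04:00Z 10.0.0.15 query SUPEROPS.COM.
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


def host_matches(host: str, suffixes=WATCHED_SUFFIXES) -> bool:
    """True when host equals a watched domain or is a subdomain of one.

    Lower-cases and strips a trailing dot so 'SUPEROPS.COM.' matches, while
    'notsuperops.com' and 'agent.superops.com.evil.test' do not."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_hits(lines, allowed_clients=frozenset()) -> list:
    """Return matching entries as dicts; clients in allowed_clients (hosts that
    legitimately run SuperOps RMM) are skipped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ts, client, host = m.groups()
        if client in allowed_clients or not host_matches(host):
            continue
        hits.append({"time": ts, "client": client,
                     "host": host.lower().rstrip(".")})
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["client"], hit["host"])
```

For an organization that does use SuperOps RMM, the allowed_clients set turns the same check into a "which unexpected hosts are talking to the RMM vendor" query rather than a blanket alert.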
THREAT PROFILE:
| Tactic | Technique Id | Technique |
|---|---|---|
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Execution | T1059 | Command and Scripting Interpreter |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1218 | System Binary Proxy Execution |
| Lateral Movement | T1570 | Lateral Tool Transfer |
| Command and Control | T1105 | Ingress Tool Transfer |
REFERENCES:
The following reports contain further technical details: