Russian hackers have been discovered utilizing legitimate remote monitoring and management software to conduct surveillance on Ukraine and its allies. This malicious activity involves hiding scripts needed to download and run the RMM program within the authentic Python code of the “Minesweeper” game from Microsoft.
The Government Computer Emergency Response Team of Ukraine (CERT-UA), operating under the State Special Communications Service, issued a warning that Russian cybercriminals are exploiting the legitimate SuperOps RMM software to gain unauthorized access to the information systems of Ukrainian organizations, particularly those in the financial sector. The method involves sending phishing emails with a Dropbox link to an executable file (.SCR) disguised as a medical document archive, which ultimately leads to the installation of the SuperOps RMM program on the victim’s computer.
In their investigation, the Cyber Security Center of the National Bank of Ukraine (CSIRT-NBU) and CERT-UA identified phishing emails originating from an address impersonating a medical center, containing a link to the malicious .SCR file. This file, when executed, downloads additional scripts from a remote source and ultimately installs the SuperOps RMM program, providing attackers with remote access to the compromised computer system.
Further examination by CERT-UA revealed five similar files named after financial and insurance institutions across Europe and the USA, indicating a broad geographic scope for these cyberattacks that occurred between February and March 2024. These attacks were attributed to a threat actor identified as UAC-0188, also known as FRwL or FromRussiaWithLove, a Russian state-aligned hacktivist group that emerged during the Russia-Ukraine conflict in 2022.
The FRwL group has previously been associated with the use of the Vidar stealer and Somnia ransomware for data wiping purposes and has targeted critical infrastructure, media, energy, and government entities. While direct links to the Russian Main Intelligence Directorate are not confirmed, there is a possibility of coordination between FRwL and state-aligned hacktivist groups.
In response to these ongoing remote monitoring campaigns, CERT-UA recommends that organizations check network activity for the specific domain names associated with the SuperOps RMM software, improve cybersecurity practices, deploy and update anti-virus software, regularly update systems and software, use strong passwords, and maintain data backups.
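The infection chain described above has two observable stages on the network: an .SCR file fetched from a file-sharing link, and subsequent traffic from the victim host to the RMM vendor's domains. The following script is an added example, not code from CERT-UA or the article, showing how a defender could run CERT-UA's "check network activity for the RMM domain names" recommendation over proxy logs. The log layout, the domain lists and the list of hosts approved to run RMM are constructed placeholders; substitute the domain names published in the advisory and your own asset inventory.

```python
import re
from urllib.parse import urlparse

# Constructed placeholders: replace with the domain names published in the
# CERT-UA advisory and with your own inventory of hosts approved to run RMM.
RMM_DOMAINS = {"rmm-vendor.example"}
FILE_SHARE_DOMAINS = {"dropbox.com", "dropboxusercontent.com"}
APPROVED_RMM_HOSTS = {"it-admin-01"}
LURE_EXTENSIONS = (".scr",)   # the lure file type named in the advisory

# Assumed proxy log layout: "<timestamp> <client-host> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<url>https?://\S+)$")


def in_domain_set(fqdn, domains):
    """True if fqdn equals, or is a subdomain of, any entry in domains."""
    fqdn = fqdn.lower()
    return any(fqdn == d or fqdn.endswith("." + d) for d in domains)


def parse_line(line):
    """Split one proxy log line into its fields; None for malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parsed = urlparse(rec["url"])
    rec["domain"] = (parsed.hostname or "").lower()
    rec["path"] = parsed.path.lower()          # query string deliberately excluded
    return rec


def classify(rec):
    """Return the name of the detection rule a record trips, or None."""
    if in_domain_set(rec["domain"], FILE_SHARE_DOMAINS) and rec["path"].endswith(LURE_EXTENSIONS):
        return "executable-lure-from-file-share"
    if in_domain_set(rec["domain"], RMM_DOMAINS) and rec["host"] not in APPROVED_RMM_HOSTS:
        return "rmm-traffic-from-unapproved-host"
    return None


def hunt(lines):
    """Return (host, rule, domain) for every log line that trips a rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue        # skip malformed lines rather than abort the hunt
        rule = classify(rec)
        if rule:
            hits.append((rec["host"], rule, rec["domain"]))
    return hits


# Constructed sample log: one workstation follows the lure and then beacons to
# the RMM vendor; an approved admin host talks to the same vendor legitimately.
SAMPLE_LOG = [
    "2024-03-05T09:12:41Z ws-finance-07 https://www.dropbox.com/s/abc123/medical_report_archive.scr?dl=1",
    "2024-03-05T09:13:02Z ws-finance-07 https://agent.rmm-vendor.example/register",
    "2024-03-05T09:13:30Z it-admin-01 https://agent.rmm-vendor.example/heartbeat",
    "2024-03-05T09:14:10Z ws-finance-07 https://intranet.corp.example/payroll.pdf",
    "not a proxy log line",
]

if __name__ == "__main__":
    for host, rule, domain in hunt(SAMPLE_LOG):
        print(f"{rule}: {host} -> {domain}")
```

The allow-list of approved RMM hosts is what keeps the second rule useful in an organization that legitimately uses the same vendor: the advisory's point is not that the RMM software is malicious but that its presence on a host that was never provisioned with it is the signal.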
Ukrainian financial institutions are also facing threats from the financially motivated group UAC-0006, which has been actively engaged in phishing attacks targeting Ukraine. CERT-UA reported the resurgence of UAC-0006 in spring 2024, attempting to distribute Smokeloader malware, a common tool in the group’s arsenal focused on stealing credentials and executing unauthorized fund transfers.
Smokeloader is a malicious bot application and trojan that evades security measures to infect Windows devices, enabling the installation of additional malware, data theft, and file corruption. The recent surge in UAC-0006 activity includes phishing campaigns using various tactics to deliver malware, ultimately leading to compromised systems and the propagation of additional threats like TALESHOT and RMS.
CERT-UA emphasizes the need for enhanced security measures in financial organizations to combat fraudulent operations involving remote banking systems. Recommendations include strengthening the security of automated workstations, implementing necessary policies and protection mechanisms, and mitigating infection risks to safeguard against ongoing cyber threats.
As the cybersecurity landscape continues to evolve with sophisticated threats, organizations must remain vigilant, update their defenses, and adhere to best practices to protect against malicious actors and safeguard sensitive data and systems.