Iran cyberespionage group taps SimpleHelp for persistence on victim devices

The Iranian APT group MuddyWater has been observed using SimpleHelp, a legitimate remote monitoring and management (RMM) tool, to maintain persistence on victim devices.

SimpleHelp itself has not been compromised; rather, the group downloads the tool from the vendor's official website and uses it as-is in its attacks, according to a post on the Group-IB blog. Because the software is legitimate and unmodified, its presence on a host is not in itself an indicator of compromise; what matters is who installed it and which server it reports to.

Researchers also identified previously unknown command-and-control infrastructure and a PowerShell script used by the group.

MuddyWater has been active since 2017 and is widely believed to be a subordinate unit of Iran’s Ministry of Intelligence and Security (MOIS). Its main targets include Turkey, Pakistan, the United Arab Emirates, Iraq, Israel, Saudi Arabia, Jordan, the United States, Azerbaijan, and Afghanistan. The group primarily conducts cyberespionage and intellectual property (IP) theft attacks, and has on some occasions deployed ransomware on targets, according to SOCRadar.

The group primarily targets the military, telecommunications, manufacturing, education, and oil and gas sectors. It is also tracked under various names, including EMP.Zagros, Seedworm, Static Kitten, SectorD02, TA450, Boggy Serpens and Mercury.

Using legitimate SimpleHelp device remote control

MuddyWater first used SimpleHelp in June 2022, Group-IB said, noting that the group currently operates at least eight servers with SimpleHelp installed. SimpleHelp is an administration panel for system administrators and technical support teams. It is designed to let users connect to remote computers, share screens and control them, and it also lets customers monitor and access unattended computers. In the attacker's hands, those same features provide interactive control of a victim without any custom implant.

Copyright © 2023 IDG Communications, Inc.

Ikaroa, a full stack tech company, is aware of the recent news about a sophisticated cyberespionage group using SimpleHelp software for malicious purposes. The group is known to be operating out of Iran and has used SimpleHelp to establish a persistent foothold on victim devices.

SimpleHelp is a widely used remote support tool for businesses and individuals. The group, which is assessed to be linked to Iranian intelligence services, did not need to compromise anyone's SimpleHelp account: it downloaded the legitimate tool from the vendor, ran its own SimpleHelp servers, and installed the client on victim devices to maintain a persistent foothold. That gave it the capabilities any administrator has through the tool, including viewing and controlling screens and accessing unattended machines, and from there stealing data and staging additional malware on the affected networks.

At Ikaroa, we take cyber security very seriously. We offer our clients comprehensive security solutions that include proactive threat detection, malware analysis, advanced firewall protection and internal auditing. We also provide ongoing support for customers, so they can be well-protected against malicious actors who attempt to gain unauthorized access.

We urge any organisation or individual using SimpleHelp to review their security measures. Standard best practices such as strong, unique passwords, regular patching, multi-factor authentication and monitoring for suspicious activity should be in place. Because SimpleHelp is legitimate, signed software, antivirus will not flag it on its own: defenders should keep an inventory of approved remote access tools and the servers they are allowed to talk to, and treat any SimpleHelp (or other RMM) client that appears outside that inventory, or that connects to a server the organisation does not operate, as something to investigate. Remote access credentials must also be protected at all times, and only legitimate, authorised users should be able to install or use such tools.
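The check described above, turned into detection logic over sample endpoint network events. This is an added example, not code from the article, Group-IB or Ikaroa; the log format, field names, hostnames, the process-name patterns and the approved-server list are all assumptions, and the log lines are constructed for the example.

```python
"""Flag remote-access (RMM) clients that connect to servers the organisation
does not operate. Added example; everything below is assumed, not taken from
the article. Input is a constructed key=value connection log such as an EDR
or firewall might export."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Process-name fragments that identify an RMM client. "simplehelp" is the tool
# named in the article; the generic "remote access" pattern is an assumption.
RMM_PROCESS_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (r"simplehelp", r"remote[ _-]?access")
]

# Assumed list of SimpleHelp servers the organisation actually runs.
APPROVED_SERVERS = {"support.corp.example"}

# Constructed sample log. Values containing spaces are double-quoted.
SAMPLE_LOG = r'''
ts=2023-03-01T09:12:03Z host=ws-017 proc="C:\Program Files\Mozilla Firefox\firefox.exe" dst=www.example.com dport=443
ts=2023-03-01T09:13:44Z host=ws-017 proc="C:\ProgramData\SimpleHelp\Remote Access.exe" dst=support.corp.example dport=443
ts=2023-03-01T09:15:10Z host=ws-042 proc="C:\Users\Public\Remote Access.exe" dst=203.0.113.17 dport=443
ts=2023-03-01T09:16:02Z host=srv-db01 proc="C:\Windows\System32\svchost.exe" dst=203.0.113.17 dport=8080
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class NetEvent:
    host: str
    process: str   # image path of the process that opened the connection
    dest: str      # destination host name or IP
    dest_port: int


@dataclass(frozen=True)
class Finding:
    host: str
    process: str
    dest: str
    reason: str


def parse_line(line: str) -> NetEvent:
    """Parse one key=value line; quoted values may contain spaces."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV.finditer(line)}
    return NetEvent(fields["host"], fields["proc"], fields["dst"], int(fields["dport"]))


def parse_events(lines: Iterable[str]) -> List[NetEvent]:
    return [parse_line(ln) for ln in lines if ln.strip()]


def is_rmm_process(process: str) -> bool:
    """True if the process path looks like a remote-access client."""
    return any(p.search(process) for p in RMM_PROCESS_PATTERNS)


def find_rogue_rmm(events: Iterable[NetEvent], approved_servers: Iterable[str]) -> List[Finding]:
    """Return one finding per RMM-client connection to an unapproved server.
    Connections from non-RMM processes and connections to approved servers
    are ignored, so a legitimately deployed SimpleHelp client stays quiet."""
    approved = {s.lower() for s in approved_servers}
    findings = []
    for ev in events:
        if not is_rmm_process(ev.process):
            continue
        if ev.dest.lower() in approved:
            continue
        findings.append(Finding(
            ev.host, ev.process, ev.dest,
            f"RMM client connected to unapproved server {ev.dest}:{ev.dest_port}"))
    return findings


def run_sample() -> List[Finding]:
    """Run the detection over the constructed sample log."""
    return find_rogue_rmm(parse_events(SAMPLE_LOG.splitlines()), APPROVED_SERVERS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host}: {f.process} -> {f.dest} ({f.reason})")
```

Only the third sample line is reported: the SimpleHelp client on ws-017 talks to the organisation's own server and is left alone, while the "Remote Access.exe" running from a user-writable directory on ws-042 connects to an address nobody approved. In a real deployment the approved-server set should come from the RMM inventory, and the process patterns should be extended to cover every remote-access tool the organisation permits.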

At Ikaroa, our services help organisations and individuals defend against cyber threats and protect their data. By supporting our customers with cutting-edge technologies, we can help prevent cyber criminals from breaching networks and gaining access to sensitive data.

