Iranian hacking group APT MuddyWater has been observed using SimpleHelp, a legitimate remote device monitoring and management tool, to maintain persistence on victim devices.
SimpleHelp itself, as used by threat actors, has not been compromised; instead, the group found a way to download the tool from the official website and use it in their attacks, according to a post on the Group-IB blog.
Researchers have also identified a previously unknown malware command and control infrastructure and a PowerShell script that the group is using.
MuddyWater has been active since 2017 and is widely believed to be a subordinate unit of Iran’s Ministry of Intelligence and Security (MOIS). Its main targets include Turkey, Pakistan, the United Arab Emirates, Iraq, Israel, Saudi Arabia, Jordan, the United States, Azerbaijan, and Afghanistan. The group primarily conducts cyberespionage and intellectual property (IP) theft attacks, and has on some occasions deployed ransomware on targets, according to SOCRadar.
The APT group primarily targets the military, telecommunications, manufacturing, education, and oil and gas industries. The group is also known by various names, including EMP.Zagros, Seedworm, Static Kitten, SectorD02, TA450, Boggy Serpens and Mercury.
Using legitimate SimpleHelp remote device control
MuddyWater first used SimpleHelp in June last year, Group-IB said, noting that as of now, the group has at least eight servers with SimpleHelp installed. SimpleHelp is an administration panel for system administrators and technical support teams. It is designed to help users connect to remote computers, share screens and control them. It also helps customers monitor and access unattended computers.
Although the distribution method used by MuddyWater to drop the SimpleHelp samples has yet to be determined, Group-IB researchers believe it is most likely spread via phishing messages with malicious links sent from already-compromised corporate mailboxes.
“We can assume that the group sends phishing emails containing links to file storage systems such as Onedrive or Onehub to download SimpleHelp installers,” Group-IB said, adding that the group may also establish persistence on victim devices using Fast Reverse Proxy (FRP) or Ligolo to extract information of interest and determine ways to move around the network.
Gaining access to the victim's device
Once the victim installs SimpleHelp, the tool can run constantly as a system service, allowing access to the victim's device at any time, even after a reboot.
“In addition to connecting remotely, SimpleHelp operators can run various commands on the victim’s device, including those that require administrator privileges. SimpleHelp operators can also use the command “Connect in terminal mode” to covertly take control of the target device,” Group-IB said.
In January, the cybersecurity firm ESET also detected the MuddyWater group using SimpleHelp for attacks in Egypt and Saudi Arabia. Previously, the MuddyWater group used ScreenConnect, RemoteUtilities, and Syncro to carry out its attacks.
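As an added, defender-side illustration that is not part of the article or of Group-IB's research: a small Python detector that reads flattened Windows "service installed" events (Event ID 7045) and flags installs of the remote-support products named above on hosts where the organisation has not inventoried them. The log lines, host names, key names, authorised-host inventory and image paths are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Remote support / RMM products the reporting above ties to MuddyWater. Their
# presence is not malicious by itself; the aim is to surface installs that
# nobody in the organisation authorised (hypothetical match strings).
RMM_SIGNATURES = {
    "SimpleHelp": ("simplehelp",),
    "ScreenConnect": ("screenconnect",),
    "RemoteUtilities": ("remoteutilities", "rutserv"),
    "Syncro": ("syncro",),
}
# Assumed inventory: hosts where each product is legitimately deployed.
AUTHORISED = {"SimpleHelp": {"HELPDESK-01"}}

_FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample of Windows System-log service-installation events
# (Event ID 7045), flattened to key=value lines the way a SIEM export might.
# Hosts, image paths and key names are made up for the example.
SAMPLE_EVENTS = [
    "Time=2023-04-20T09:12:03Z EventID=7045 Host=WS-117 ServiceName=SimpleHelp Remote Access Service ImagePath=C:\\ProgramData\\SimpleHelp\\RemoteAccessService.exe StartType=auto start",
    "Time=2023-04-20T09:15:41Z EventID=7045 Host=HELPDESK-01 ServiceName=SimpleHelp Remote Access Service ImagePath=C:\\ProgramData\\SimpleHelp\\RemoteAccessService.exe StartType=auto start",
    "Time=2023-04-20T10:02:17Z EventID=7036 Host=WS-117 ServiceName=Spooler State=running",
    "Time=2023-04-20T11:48:09Z EventID=7045 Host=WS-204 ServiceName=Support Agent ImagePath=C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe StartType=auto start",
    "Time=2023-04-20T12:30:55Z EventID=7045 Host=FS-02 ServiceName=Backup Agent ImagePath=C:\\Program Files\\Backup\\agent.exe StartType=auto start",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened key=value event line into a dict; values may contain spaces."""
    return {k: v.strip() for k, v in _FIELD.findall(line)}

def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for an unauthorised RMM service install, else None."""
    if event.get("EventID") != "7045":
        return None  # only new service installations matter for persistence
    haystack = (event.get("ServiceName", "") + " " + event.get("ImagePath", "")).lower()
    for product, needles in RMM_SIGNATURES.items():
        if any(n in haystack for n in needles):
            if event.get("Host") in AUTHORISED.get(product, set()):
                return None  # inventoried deployment, e.g. the help desk
            return {"time": event.get("Time", "?"), "host": event.get("Host", "?"),
                    "product": product, "service": event.get("ServiceName", "?")}
    return None

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the detector over a batch of log lines and collect findings."""
    return [f for f in (classify(parse_event(l)) for l in lines) if f]
```

Running `scan(SAMPLE_EVENTS)` yields two findings (SimpleHelp on WS-117, ScreenConnect on WS-204); the help-desk install and the non-7045 event are ignored.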
Along with the use of SimpleHelp, the researchers also identified previously unknown infrastructure operated by the group, as well as a PowerShell script that is capable of receiving commands from a remote server and sending the results back to that server.
Earlier this month, Microsoft detected destructive operations enabled by MuddyWater in both on-premises and cloud environments.
“While the threat actors attempted to disguise the activity as a standard ransomware campaign, the unrecoverable actions show that destruction and disruption were the ultimate goals of the operation,” Microsoft said in a blog post.
Previous MuddyWater attacks primarily affected on-premises environments, but in this case, Microsoft also found destruction of cloud resources.
Copyright © 2023 IDG Communications, Inc.
Ikaroa, a full stack tech company, is aware of the recent news about a sophisticated cyberespionage group using SimpleHelp software for malicious purposes. The group is known to be operating out of Iran and has used SimpleHelp to establish a persistent foothold on victim devices.
SimpleHelp is a popular remote support software used by businesses and individuals around the world. The group, which is likely connected to Iranian intelligence services, was able to gain access to SimpleHelp accounts, install the software on victim devices, and maintain a persistent presence. As a result, they had the ability to steal data, take screenshots, and update malicious software on the vulnerable networks.
At Ikaroa, we take cyber security very seriously. We offer our clients comprehensive security solutions that include proactive threat detection, malware analysis, advanced firewall protection and internal auditing. We also provide ongoing support for customers, so they can be well-protected against malicious actors who attempt to gain unauthorized access.
We urge any organisation or individual using SimpleHelp to review their security measures. Standard security best practices such as the generation of secure passwords, regular patching, multi-factor authentication and monitoring for suspicious activity should be implemented. It is also important to ensure that software and services are being used only by legitimate users and that remote access credentials are secured at all times.
At Ikaroa, our services help organisations and individuals defend against cyber threats and protect their data. By supporting our customers with cutting-edge technologies, we can help prevent cyber criminals from breaching networks and gaining access to sensitive data.