Cyber: Crazy Ransomware Gang Abuses Employee Monitoring Tool In Attacks
A member of the Crazy ransomware gang is abusing legitimate employee monitoring software and the SimpleHelp remote support tool to maintain persistence in corporate networks, evade detection, and prepare for ransomware deployment.
The breaches were observed by researchers at Huntress, who investigated multiple incidents where threat actors deployed Net Monitor for Employees Professional alongside SimpleHelp for remote access to a breached network, while blending in with normal administrative activity.
In one intrusion, attackers installed Net Monitor for Employees Professional using the Windows Installer utility, msiexec.exe, allowing them to deploy the monitoring agent on compromised systems directly from the developer's site.
Once installed, the tool allowed attackers to remotely view the victim's desktop, transfer files, and execute commands, effectively providing full interactive access to compromised systems.
The attackers also attempted to enable the local administrator account using this command:
For redundant persistence, attackers downloaded and installed the SimpleHelp remote access client via PowerShell commands, using file names similar to the legitimate Visual Studio vshost.exe.
The payload was then executed, allowing attackers to maintain remote access even if the employee monitoring tool was removed.
The SimpleHelp binary was sometimes disguised using filenames that pretended to be related to OneDrive:
The attackers used the monitoring software to execute commands remotely, transfer files, and monitor system activity in real time.
Researchers also observed the attackers disabling Windows Defender by attempting to stop and delete associated services.
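As an added example (not code from Huntress or BleepingComputer), the following Python triage script applies three detection checks derived from the behaviour described above to constructed Sysmon-style process-creation records: msiexec pulling an MSI straight from a web URL, binaries named like vshost.exe or OneDrive launched from staging directories, and sc/net stopping or deleting Defender services. The sample records and the staging-directory list are assumptions.

```python
import re

# Constructed Sysmon-style process-creation records, not telemetry from the incidents.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i https://download.example.invalid/nmep.msi /qn"},
    {"image": r"C:\Users\Public\vshost.exe", "cmdline": r"C:\Users\Public\vshost.exe"},
    {"image": r"C:\ProgramData\OneDriveUpdate.exe", "cmdline": r"C:\ProgramData\OneDriveUpdate.exe"},
    {"image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe stop WinDefend"},
    {"image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe delete WinDefend"},
    {"image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "cmdline": "OneDrive.exe /background"},
    {"image": r"C:\Windows\System32\msiexec.exe", "cmdline": r"msiexec.exe /i C:\deploy\app.msi /qn"},
]

# Defender service names (WinDefend, WdNisSvc, Sense) and directories where a masquerading
# binary would plausibly be staged; the directory list is an assumption for this example.
DEFENDER_SERVICES = {"windefend", "wdnissvc", "sense"}
STAGING_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\temp\\", "\\downloads\\")
MASQUERADE_NAMES = re.compile(r"(^vshost\.exe$|onedrive)", re.I)
SERVICE_CTRL = re.compile(r"\b(?:sc|net)(?:\.exe)?\s+(stop|delete)\s+(\S+)", re.I)


def classify(event):
    """Return the list of rule names this event trips (empty list if none)."""
    image, cmd = event["image"].lower(), event["cmdline"]
    base = image.rsplit("\\", 1)[-1]
    hits = []
    # Rule 1: Windows Installer fetching the package from a web URL (install from a vendor site).
    if base == "msiexec.exe" and re.search(r"https?://", cmd, re.I):
        hits.append("msiexec_remote_install")
    # Rule 2: vshost.exe- or OneDrive-like names running from a user-writable staging directory.
    if MASQUERADE_NAMES.search(base) and any(d in image for d in STAGING_DIRS):
        hits.append("masquerading_rat_binary")
    # Rule 3: sc/net stopping or deleting a Defender service.
    m = SERVICE_CTRL.search(cmd)
    if m and m.group(2).lower() in DEFENDER_SERVICES:
        hits.append(f"defender_service_{m.group(1).lower()}")
    return hits


def triage(events):
    """Map event index to its rule hits for every event that trips at least one rule."""
    findings = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", rules)
```

The legitimate OneDrive launch from Program Files and the local MSI install produce no hits, which is the point of tying each rule to the path or source rather than to the name alone.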
Source: BleepingComputer