MuddyWater Uses SimpleHelp to Target Critical Infrastructure Firms

An Iranian government-backed threat actor known as MuddyWater has been observed using the legitimate SimpleHelp remote support software tool to establish persistence on victim devices.

A new advisory by Group-IB states that the software used as part of these attacks has not been compromised. Instead, the attackers found a way to download the tool from the official website and use it in their attacks.

“According to our data, MuddyWater first used SimpleHelp on June 30, 2022. At the time of this writing, the group has SimpleHelp installed on at least eight servers,” said Group-IB Senior Threat Analyst Nikita Rostovtsev.


A SimpleHelp client installed on a victim’s device can run as a system service, giving the attacker access to the device at any time, including after a reboot.

“In addition to connecting remotely, SimpleHelp operators can execute various commands on the victim’s device, including those that require administrator privileges,” Rostovtsev said. “The SimpleHelp operator’s ‘Connect in Terminal Mode’ command can also be used to covertly control the target device.”
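One way for a defender to hunt for this kind of persistence across a fleet-wide service inventory, as an added Python example that is not part of the article or of Group-IB’s research (the inventory, host names, binary paths and allowlist are constructed):

```python
from dataclasses import dataclass

# Name fragments of remote-support products to look for; only SimpleHelp is in scope here.
REMOTE_SUPPORT_MARKERS = ("simplehelp",)

# Hosts where IT legitimately runs the tool (assumed allowlist for the example).
APPROVED_HOSTS = {"helpdesk-01"}


@dataclass(frozen=True)
class Service:
    host: str
    name: str
    path: str         # service binary path as reported by the OS
    start_mode: str   # "Auto", "Manual" or "Disabled"
    account: str      # logon account, e.g. "LocalSystem"


def is_remote_support(svc: Service) -> bool:
    """True if the service name or binary path names a remote-support product."""
    blob = f"{svc.name} {svc.path}".lower()
    return any(marker in blob for marker in REMOTE_SUPPORT_MARKERS)


def severity(svc: Service) -> str:
    """Auto-start under LocalSystem survives reboots and needs no user session,
    which is exactly the persistence the article describes: rate it high."""
    if svc.start_mode.lower() == "auto" and svc.account.lower() == "localsystem":
        return "high"
    return "medium"


def find_unapproved_remote_support(services):
    """Return (severity, service) pairs for remote-support services on hosts
    that are not on the allowlist, highest severity first, then by host."""
    hits = [(severity(s), s) for s in services
            if s.host not in APPROVED_HOSTS and is_remote_support(s)]
    return sorted(hits, key=lambda h: (h[0] != "high", h[1].host))


# Constructed inventory; paths and hosts are illustrative, not real indicators.
INVENTORY = [
    Service("helpdesk-01", "SimpleHelp Remote Access",
            r"C:\ProgramData\SimpleHelp\Remote Access.exe", "Auto", "LocalSystem"),
    Service("ws-finance-07", "Remote Access",
            r"C:\Users\j.doe\AppData\Local\SimpleHelp\Remote Access.exe", "Auto", "LocalSystem"),
    Service("srv-db-02", "SimpleHelp Remote Access",
            r"C:\ProgramData\SimpleHelp\Remote Access.exe", "Manual", r"NT AUTHORITY\NetworkService"),
    Service("ws-hr-03", "Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto", "LocalSystem"),
]

if __name__ == "__main__":
    for sev, svc in find_unapproved_remote_support(INVENTORY):
        print(f"[{sev}] {svc.host}: {svc.name} ({svc.start_mode}, {svc.account}) -> {svc.path}")
```

In practice the inventory would come from an EDR export or from `Get-CimInstance Win32_Service` on each host; the allowlist is what distinguishes sanctioned helpdesk installs from the unchanged vendor download the attackers use.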

Group-IB clarified that the initial infection method is currently unknown, but the team suspects it may be phishing.

We can surmise that this group sends phishing emails containing links to file storage services such as OneDrive or Onehub to download the SimpleHelp installer.

Rostovtsev also explained that during its latest analysis of MuddyWater, Group-IB discovered previously unknown infrastructure as well as several known IP addresses used by the attackers.

“Information security professionals can use the ETag hashes mentioned in this article and search for malicious servers using search engines such as Censys and Shodan,” the security expert explained.

Additionally, enterprises should use corporate email security tools to prevent various threat groups from using email as an attack vector.
