The Iranian government-sponsored threat actor known as MuddyWater has been observed using the legitimate SimpleHelp remote support software tool to achieve persistence on victim devices.
According to a new advisory by Group-IB, the software used as part of these attacks is not compromised. Instead, the threat actors found a way to download the tool from the official website and use it in their attacks.
“According to our data, MuddyWater used SimpleHelp for the first time on June 30, 2022. At the time of writing, the group has at least eight servers on which they have SimpleHelp installed,” explained Group-IB senior threat analyst Nikita Rostovtsev.
The SimpleHelp client installed on victim devices can be run constantly as a system service, enabling attackers to access the user’s device at any point, including after a reboot.
“In addition to connecting remotely, SimpleHelp operators can execute various commands on the victim’s device, including those that require administrator privileges,” Rostovtsev said. “SimpleHelp operators can also use the command ‘Connect in Terminal Mode’ to take control of the target device covertly.”
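Because the SimpleHelp client is legitimate software, the defensive question is not whether it is present but whether it is installed as an auto-starting service on hosts where IT never sanctioned it. The following Python is an added example, not code from the article or from Group-IB: it walks a service inventory (for instance an export of `Get-CimInstance Win32_Service`) and reports SimpleHelp-looking services outside an allowlist of approved hosts, noting which ones start automatically and so would survive a reboot. The marker substrings, the host names and the binary path are constructed assumptions, not confirmed indicators.

```python
"""Hunt a Windows service inventory for unsanctioned SimpleHelp remote-access
services. Added example; the markers and sample data are assumptions."""
from dataclasses import dataclass

# Substrings a SimpleHelp client service is assumed to carry in its name,
# display name or binary path (assumption, not a confirmed indicator).
REMOTE_SUPPORT_MARKERS = ("simplehelp", "simple help")


@dataclass(frozen=True)
class ServiceRecord:
    host: str
    name: str
    display_name: str
    path: str
    start_mode: str  # "Auto", "Manual" or "Disabled", as Win32_Service reports it


def looks_like_simplehelp(svc: ServiceRecord) -> bool:
    """True if any marker appears in the service name, display name or path."""
    haystack = " ".join((svc.name, svc.display_name, svc.path)).lower()
    return any(marker in haystack for marker in REMOTE_SUPPORT_MARKERS)


def find_unsanctioned(services, sanctioned_hosts):
    """Return SimpleHelp-looking services on hosts not in sanctioned_hosts.

    Each hit records whether the service is set to start automatically, which is
    what gives an attacker access again after a reboot."""
    hits = []
    for svc in services:
        if svc.host in sanctioned_hosts or not looks_like_simplehelp(svc):
            continue
        hits.append({
            "host": svc.host,
            "service": svc.name,
            "autostart": svc.start_mode.lower() == "auto",
        })
    return hits


# Constructed sample inventory (host names and paths are made up).
SAMPLE_SERVICES = [
    ServiceRecord("ws-finance-07", "Remote Access Service",
                  "SimpleHelp Remote Access Service",
                  r"C:\Users\Public\SimpleHelp\Remote Access\Remote Access.exe", "Auto"),
    ServiceRecord("helpdesk-01", "Remote Access Service",
                  "SimpleHelp Remote Access Service",
                  r"C:\Program Files\SimpleHelp\Remote Access.exe", "Auto"),
    ServiceRecord("ws-hr-03", "Spooler", "Print Spooler",
                  r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ServiceRecord("ws-dev-12", "SimpleHelpRemote", "Remote Support",
                  r"C:\Users\Public\SimpleHelp\Remote Access\Remote Access.exe", "Manual"),
]

# Hosts where the IT team has approved SimpleHelp (constructed allowlist).
SANCTIONED_HOSTS = {"helpdesk-01"}


if __name__ == "__main__":
    for hit in find_unsanctioned(SAMPLE_SERVICES, SANCTIONED_HOSTS):
        flag = "PERSISTENT (auto-start)" if hit["autostart"] else "manual start"
        print(f"{hit['host']}: {hit['service']} [{flag}]")
```

Run against a real export, the same allowlist logic keeps the helpdesk's own SimpleHelp hosts out of the alert stream while an auto-start copy on a finance workstation surfaces immediately; a manual-start copy is still reported, since it can be started by anyone who already has access.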
Group-IB clarified that the initial infection method is currently unknown, but the team suspects it may be phishing.
“We can assume that the group sends out phishing emails containing links to file storage systems such as OneDrive or Onehub to download SimpleHelp installers,” reads the advisory.
Rostovtsev also explained that, during the latest analysis of MuddyWater, Group-IB discovered previously unknown infrastructure and some publicly known IP addresses used by the attackers.
“Information security specialists can use the ETag hashes mentioned in this article and search for malicious servers using search engines such as Censys or Shodan,” the security expert explained.
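The hunt Rostovtsev describes relies on the ETag response header: the Group-IB approach implies that servers hosting the same SimpleHelp files return the same ETag, so a known value can be searched for in Censys or Shodan, or checked directly against HTTP responses you already hold. The Python below is an added example, not code from the article or from Group-IB. It extracts the ETag from raw HTTP responses, normalizes weak validators (`W/"..."`) and quoting so that equivalent values compare equal, and reports the hosts whose ETag is on a hunt list. The article does not reproduce the advisory's ETag hashes, so the indicator values here are placeholders, and the responses and addresses are constructed.

```python
"""Match ETag response headers against a hunt list. Added example; the
indicator values are placeholders for the hashes in the Group-IB advisory."""
import re

# Placeholder indicators: replace with the ETag hashes from the advisory.
ETAG_INDICATORS = {
    "PLACEHOLDER-ETAG-1",
    "PLACEHOLDER-ETAG-2",
}

# Header names are case-insensitive; the value runs to the end of the line.
_ETAG_RE = re.compile(rb"^etag:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def normalize_etag(value: str) -> str:
    """Strip the weak-validator prefix and surrounding quotes so that
    W/"abc" and "abc" compare equal."""
    value = value.strip()
    if value.upper().startswith("W/"):
        value = value[2:]
    return value.strip('"')


def extract_etag(raw_response: bytes):
    """Return the normalized ETag from a raw HTTP response, or None if absent.
    Only the header block before the blank line is inspected."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    match = _ETAG_RE.search(head)
    if match is None:
        return None
    return normalize_etag(match.group(1).decode("latin-1"))


def hunt(responses, indicators=ETAG_INDICATORS):
    """responses: iterable of (host, raw_response_bytes) pairs.
    Returns (host, etag) for every response whose ETag is an indicator."""
    hits = []
    for host, raw in responses:
        etag = extract_etag(raw)
        if etag is not None and etag in indicators:
            hits.append((host, etag))
    return hits


# Constructed sample responses; addresses are from the TEST-NET-3 range.
SAMPLE_RESPONSES = [
    ("203.0.113.10",
     b"HTTP/1.1 200 OK\r\nServer: Apache\r\nETag: W/\"PLACEHOLDER-ETAG-1\"\r\n"
     b"Content-Type: text/html\r\n\r\n<html>...</html>"),
    ("203.0.113.11",
     b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"),
    ("203.0.113.12",
     b"HTTP/1.1 200 OK\r\netag: \"unrelated-value\"\r\n\r\n"),
]


if __name__ == "__main__":
    for host, etag in hunt(SAMPLE_RESPONSES):
        print(f"{host}: ETag {etag} matches hunt list")
```

The normalization step matters in practice: a reverse proxy or a later server version may emit a weak validator or different quoting for the same underlying file, and a byte-for-byte comparison would miss it. The same `extract_etag` function can be pointed at the raw banner fields that Shodan and Censys export, since those are the same header text.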
Further, companies should use corporate email security tools to prevent various threat groups from using email as an attack vector.