Iran cyberespionage group taps SimpleHelp for persistence on victim devices

Iranian APT hacking group MuddyWater has been observed using SimpleHelp, a legitimate remote device control and management tool, to ensure persistence on victim devices. 

SimpleHelp itself, as used by the threat actors, has not been compromised — instead, the group has found a way to download the tool from the official website and use it in their attacks, according to a Group-IB blog post.

The researchers have also identified a previously unknown malware command and control infrastructure and a PowerShell script that the group is using. 

MuddyWater has been active since 2017 and is generally believed to be a subordinate unit within Iran’s Ministry of Intelligence and Security (MOIS). Its top targets include Turkey, Pakistan, the UAE, Iraq, Israel, Saudi Arabia, Jordan, the US, Azerbaijan, and Afghanistan.  The group primarily conducts cyberespionage activities and intellectual property (IP) theft attacks, and on some occasions, they have deployed ransomware on targets, according to SOCRadar.

The APT group mainly targets the military, telecommunications, manufacturing, education, and oil and gas industries. The group is also known by various names including EMP.Zagros, Seedworm, Static Kitten, SectorD02, TA450, Boggy Serpens, and Mercury.

Use of legitimate SimpleHelp remote device control

MuddyWater first used SimpleHelp in June last year, Group-IB said, noting that as of now, the group has at least eight servers on which they have SimpleHelp installed. SimpleHelp is an administration panel for system administrators and tech support teams. It is designed to help users connect to remote computers, share screens and control them. It also helps customers monitor and access unattended computers. 

While the distribution method used by MuddyWater to drop the SimpleHelp samples has not yet been determined, Group-IB researchers believe it is most likely to be spread using spear-phishing messages bearing malicious links from already compromised corporate mailboxes.

“We can assume that the group sends out phishing emails containing links to file storage systems such as Onedrive or Onehub to download SimpleHelp installers,” Group-IB said, adding that the group can also establish persistence on victim devices by using Fast Reverse Proxy (FRP) or Ligolo to extract information of interest and determine ways to move across the network. 

Gaining access to victims’ device

Once the victim installs SimpleHelp the device can constantly run as a system service, which makes it possible to gain access to the victim’s device at any point in time, even after a reboot.

“In addition to connecting remotely, SimpleHelp operators can execute various commands on the victim’s device, including those that require administrator privileges. SimpleHelp operators can also use the command ‘Connect in Terminal Mode’ to take control of the target device covertly,” Group -IB said. 

In January, cybersecurity firm Eset also detected the  MuddyWater group using SimpleHelp for attacks in Egypt and Saudi Arabia. Previously, the MuddyWater group used ScreenConnect, RemoteUtilities, and Syncro to carry out its attacks. 

Along with the use of SimpleHelp, researchers also identified an unknown infrastructure operated by the group as well as a PowerShell script that’s capable of receiving commands from a remote server. The PowerShell also sends the results back to the server.

Earlier this month, Microsoft detected destructive operations enabled by MuddyWater in both on-premises and cloud environments.

“While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation,” Microsoft said in a blog.

Previous attacks by MuddyWater mainly impacted on-premises environments, however, in this case, Microsoft found the destruction of cloud resources as well.