"Iranian Hackers Using SimpleHelp Remote Support Software for Persistent Access"

MuddyWater, an Iranian nation-state threat actor, continues its long-standing practice of using legitimate remote administration tools to take control of targeted systems. While the group has previously used ScreenConnect, RemoteUtilities, and Syncro, a new Group-IB analysis found that it has now adopted the SimpleHelp remote support software. Active since at least 2017, MuddyWater is assessed to be a subordinate element of Iran's Ministry of Intelligence and Security (MOIS). Its main targets include Turkey, Pakistan, the United Arab Emirates, Iraq, Israel, Saudi Arabia, Jordan, the US, Azerbaijan, and Afghanistan. Nikita Rostovtsev, senior threat analyst at Group-IB, stated that MuddyWater uses SimpleHelp, a legitimate remote device control and management tool, to guarantee persistence on victim devices. SimpleHelp itself has not been compromised and is used exactly as designed: the threat actors simply download the tool from the official website and deploy it in their attacks. Because the software is a legitimate, commercially distributed product, its presence is unlikely to be flagged by antivirus on its own, so defenders need to distinguish authorized remote-support installations from unexpected ones. The exact method used to deliver the SimpleHelp samples is currently unknown, but the group is known to send spear-phishing emails containing malicious links from previously compromised corporate email accounts. This article continues to discuss the use of SimpleHelp by MuddyWater.

THN reports "Iranian Hackers Using SimpleHelp Remote Support Software for Persistent Access"
