Employee monitoring abuse is the latest tactic employed by the notorious Crazy ransomware gang, enabling them to maintain persistence, evade detection, and prepare for devastating ransomware deployments within corporate networks. Researchers at Huntress uncovered a disturbing trend where attackers are leveraging legitimate employee monitoring software, specifically Net Monitor for Employees Professional, alongside the SimpleHelp remote support tool.
The attackers are using these tools to blend in with normal administrative activity, making their malicious actions harder to spot. In one instance, the criminals installed Net Monitor for Employees Professional using the Windows Installer utility, msiexec.exe, deploying the monitoring agent directly from the developer’s site onto compromised systems.
Once installed, the software provided the attackers with full interactive access to compromised systems, allowing them to remotely view desktops, transfer files, and execute commands. The attackers even attempted to enable the local administrator account using the command: net user administrator /active:yes.
The Crazy Ransomware Gang’s Methods
To ensure continued access, the attackers also installed the SimpleHelp remote access client via PowerShell commands, disguising it with filenames similar to the legitimate Visual Studio vshost.exe. In some cases, the SimpleHelp binary was disguised as a OneDrive-related file, such as C:\ProgramData\OneDriveSvc\OneDriveSvc.exe.
The attackers used the monitoring software to execute commands remotely, transfer files, and monitor system activity in real time. They were also observed disabling Windows Defender by attempting to stop and delete associated services.
“The logs show the agent continuously cycling through trigger and reset events for cryptocurrency-related keywords, including wallet services (metamask, exodus, wallet, blockchain), exchanges (binance, bybit, kucoin, bitrue, poloniex, bc.game, noones), blockchain explorers (etherscan, bscscan), and the payment platform payoneer,” explains Huntress.
Detecting Cryptocurrency Theft
In one incident, the hackers configured monitoring rules in SimpleHelp to alert them when devices accessed cryptocurrency wallets or were using remote management tools as they prepared for ransomware deployment and potential cryptocurrency theft. This highlights the sophistication of their methods and their focus on maximizing financial gain.
The use of multiple remote access tools provided redundancy, ensuring that the attackers retained access even if one tool was discovered or removed. While only one incident led to the deployment of Crazy ransomware, Huntress believes the same threat actor is behind both incidents. The employee monitoring abuse tactics are becoming increasingly common.
Mitigation Strategies for Employee Monitoring Abuse
“The same filename (vhost.exe) and overlapping C2 infrastructure were reused across both cases, strongly suggesting a single operator or group behind both intrusions,” explains Huntress. This underscores the need for organizations to be vigilant and proactive in their security measures.
The use of legitimate remote management and monitoring tools has become increasingly common in ransomware intrusions, as these tools allow attackers to blend in with legitimate network traffic. Huntress warns that organizations should closely monitor for unauthorized installations of remote monitoring and support tools. Furthermore, as both breaches were enabled through compromised SSL VPN credentials, organizations need to enforce MFA on all remote access services used to access the network. See related Fraudulents news.
Organizations need to implement strong security practices, including multi-factor authentication (MFA) on all remote access services, regular security audits, and employee training to recognize and report suspicious activity. Continuous monitoring and proactive threat hunting are also essential to detect and respond to potential intrusions before they escalate into full-blown ransomware attacks. The combination of employee monitoring abuse and ransomware is a dangerous trend that requires immediate attention and robust security measures.
Source: BleepingComputer




