A popular workforce monitoring tool is being targeted by hackers and used as a foothold for ransomware attacks, according to a new report from cybersecurity firm Huntress.
TL;DR Cybercriminals turned employee monitoring software into a RAT, paired it with SimpleHelp, hunted crypto, and tried to drop Crazy ransomware.
According to the report, the hackers used the employee monitoring software to get into company systems and SimpleHelp to make sure they could stay there even if one access point was shut down. The activity eventually led to an attempted deployment of Crazy ransomware.
“These cases highlight a growing trend of threat actors leveraging legitimate, commercially available software to blend into enterprise environments,” Huntress researchers wrote.
“Net Monitor for Employees Professional, while marketed as a workforce monitoring tool, provides capabilities that rival traditional remote access trojans: reverse connections over common ports, process and service name masquerading, built-in shell execution, and the ability to silently deploy via standard Windows installation mechanisms. When paired with SimpleHelp as a secondary access channel … the result is a resilient, dual-tool foothold that is difficult to distinguish from legitimate administrative software.”
The software is commonly deployed to track productivity, log activity and capture screenshots of workers’ screens. But its use is controversial, as are claims about whether it truly captures employee productivity or instead assesses based on arbitrary criteria such as mouse clicks or emails sent.
Nevertheless, their popularity makes such tools an attractive vector for attackers. Net Monitor for Employees Professional, developed by NetworkLookout, is marketed for employee productivity tracking but offers capabilities beyond passive screen monitoring, including reverse shell connections, remote desktop control, file management and the ability to customize service and process names during installation.
Those features, designed for legitimate administrative use, can allow threat actors to blend into enterprise environments without deploying traditional malware.
In the first case detailed by Huntress, investigators were alerted by suspicious account manipulation on a host, including efforts to disable the system Guest account and enable the built-in Administrator account. Multiple "net" commands were executed to enumerate users, reset passwords and create additional accounts.
Analysts traced the activity to a binary tied to Net Monitor for Employees, which had spawned a pseudo-terminal application allowing command execution. The tool pulled down a SimpleHelp binary from an external IP address, after which the attacker attempted to tamper with Windows Defender and deploy multiple versions of Crazy ransomware, part of the VoidCrypt family.
In the second intrusion, observed in early February, the attackers gained entry through a compromised vendor’s SSL VPN account and connected via Remote Desktop Protocol to a domain controller. From there, they installed the Net Monitor agent directly from the vendor’s website. The attackers customized service and process names to mimic legitimate Windows components, disguising the service as OneDrive-related and renaming the running process.
Network LookOut, the company behind Net Monitor for Employee, told Decrypt the agent can be installed only by a user who already has administrative privileges on the computer where the agent is to be installed. “Without administrative privileges, installation isn’t possible,” it said via email.
“So, if you don’t want our software installed on a computer, please ensure that administrative access is not granted to unauthorized users, since Administrative access allows installation of any software.”
