
Since at least April 2025, active phishing campaigns have been observed that use legitimate remote monitoring and management (RMM) software to establish persistent remote access to compromised hosts.
According to Securonix, the operation, codenamed VENOMOUS#HELPER, has affected more than 80 organizations, most of them in the United States. It overlaps with a cluster previously tracked by Red Canary and Sophos under the name STAC6405. It is not clear who is behind the campaign, but the cybersecurity firm said the activity is consistent with a financially motivated Initial Access Broker (IAB) or a ransomware precursor operation.
“In this case, the customized SimpleHelp and ScreenConnect RMMs were legally installed by the unsuspecting victim and are therefore being used to evade defenses,” researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with Hacker News.
Beyond the detection evasion that comes from using legitimate RMM tools, the SimpleHelp and ScreenConnect deployments together form what the researchers describe as a “redundant dual channel access architecture”: remote access continues even if one channel is detected and blocked.
It all starts with a phishing email impersonating the U.S. Social Security Administration (SSA), which instructs recipients to verify their email address and click a link embedded in the message to download a statement purporting to come from the SSA. The link points to a legitimate but compromised Mexican business website (gruta[.]com[.]mx), a deliberate choice intended to get past email spam filters.

The “SSA statement” that is then downloaded from a second attacker-controlled domain (server.cubatiendaalimentos[.]com[.]mx) is the executable responsible for deploying the SimpleHelp RMM tool. The attackers are believed to have compromised a single cPanel user account on a legitimate hosting server to stage the binaries.
Once the victim opens the JWrapper-packaged Windows executable believing it to be a document, the malware installs itself as a Windows service with Safe Mode persistence, keeps itself running by means of a “self-healing watchdog” that automatically restarts it if it is killed, enumerates registered security products through the root\SecurityCenter2 WMI namespace every 67 seconds, and polls for the presence of a logged-on user every 23 seconds.
To provide fully interactive desktop access, the SimpleHelp remote access client obtains SeDebugPrivilege via AdjustTokenPrivileges and uses the legitimate executable that ships with the software, “elev_win.exe”, to gain SYSTEM-level privileges. This lets operators view the screen, inject keystrokes, and access resources in the user's context.
This elevated remote access is then used to download and install ConnectWise ScreenConnect as a fallback communication channel should the SimpleHelp channel go down.
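As an added detection example (not code from the Securonix report), the script below looks for the fixed-interval enumeration of the root\SecurityCenter2 namespace described above, a cadence that legitimate software rarely exhibits. The log lines are constructed, and their pipe-separated format is an assumption loosely modelled on the fields of Windows WMI-Activity operational events.

```python
"""Flag processes querying the root\\SecurityCenter2 WMI namespace on a fixed clock.
Log format (timestamp|pid|image|namespace|query) is an assumption, loosely modelled
on Microsoft-Windows-WMI-Activity operational event fields."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one process polling every 67 s, one legitimate one-off
# query, and a service polling a different namespace. Paths are placeholders.
SAMPLE_LOG = """\
2025-05-02T10:00:00|4412|C:\\Users\\victim\\Downloads\\SSA_Statement.exe|root\\SecurityCenter2|SELECT * FROM AntiVirusProduct
2025-05-02T10:01:07|4412|C:\\Users\\victim\\Downloads\\SSA_Statement.exe|root\\SecurityCenter2|SELECT * FROM AntiVirusProduct
2025-05-02T10:02:14|4412|C:\\Users\\victim\\Downloads\\SSA_Statement.exe|root\\SecurityCenter2|SELECT * FROM AntiVirusProduct
2025-05-02T10:03:21|4412|C:\\Users\\victim\\Downloads\\SSA_Statement.exe|root\\SecurityCenter2|SELECT * FROM AntiVirusProduct
2025-05-02T10:05:00|7788|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|root\\SecurityCenter2|SELECT displayName FROM AntiVirusProduct
2025-05-02T10:00:30|1180|C:\\Windows\\System32\\svchost.exe|root\\cimv2|SELECT * FROM Win32_Service
2025-05-02T10:01:30|1180|C:\\Windows\\System32\\svchost.exe|root\\cimv2|SELECT * FROM Win32_Service
2025-05-02T10:02:30|1180|C:\\Windows\\System32\\svchost.exe|root\\cimv2|SELECT * FROM Win32_Service
"""


def parse_events(text):
    """Split each log line into (timestamp, pid, image, namespace, query)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, namespace, query = line.split("|", 4)
        events.append((datetime.fromisoformat(ts), int(pid), image, namespace, query))
    return events


def periodic_securitycenter_queries(events, min_samples=4, max_jitter_s=2.0):
    """Return processes with >= min_samples Security Center queries whose
    inter-query gaps vary by at most max_jitter_s seconds (std. deviation)."""
    stamps_by_proc = defaultdict(list)
    for ts, pid, image, namespace, _query in events:
        if namespace.lower() == "root\\securitycenter2":
            stamps_by_proc[(pid, image)].append(ts)
    hits = []
    for (pid, image), stamps in stamps_by_proc.items():
        if len(stamps) < min_samples:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:  # low jitter = scheduled polling loop
            hits.append({"pid": pid, "image": image,
                         "interval_s": round(mean(gaps)), "count": len(stamps)})
    return hits
```

Tune `min_samples` and `max_jitter_s` to the sampling window of your telemetry; a single query from an administrator's PowerShell session, as in the sample, is deliberately not flagged.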
“The introduced version of SimpleHelp (5.0.1) provides a comprehensive set of remote management capabilities,” the researchers said. “Victim organizations are left with the ability for attackers to return at any time and silently execute commands on users’ desktop sessions, transfer files bi-directionally, and pivot to adjacent systems, while standard antivirus and signature-based controls only recognize duly signed software from trusted UK vendors.”
