Phishing Lures Impersonate US Government Agencies
The campaign, tracked as VENOMOUS#HELPER, begins with a phishing email that impersonates the US Social Security Administration. The email prompts recipients to verify their email address and download a fake SSA statement. The link in the message first directs victims to a legitimate but compromised Mexican business website in order to evade spam filters; the payload is then downloaded from a separate attacker-controlled domain. The executable is disguised as a document but actually installs the SimpleHelp RMM software.
Dual Channel Remote Access for Persistence
Once installed, the SimpleHelp client (version 5.0.1) registers itself as a Windows service that also persists in Safe Mode. It includes a self-healing watchdog that restarts the process if it is killed. The malware checks for security products every 67 seconds and for user activity every 23 seconds. The attacker uses the tool to gain SYSTEM-level privileges, which gives full desktop access to read screens and inject keystrokes. They then use this access to install ConnectWise ScreenConnect as a backup communication channel.
Impact and Mitigation
Securonix reports that over 80 organizations, primarily in the United States, have been compromised. Because the tooling is legitimate, signed software from a reputable vendor, the activity bypasses standard antivirus detection. The attackers can return at any time, execute commands silently, transfer files, and move laterally across the network. Organizations should restrict the use of RMM tools to authorized personnel and monitor for unexpected installations of SimpleHelp or ScreenConnect.
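A host check a defender could run to surface the two artifacts described above (an RMM service and a Safe Mode service registration), added here as example code that is not from the report, Securonix, or either RMM vendor. The match patterns, the actual service names, and the approved-host list are assumptions.

```powershell
# Added hunt script (not from the Securonix/THN report). Assumptions: the
# service display name or binary path contains "SimpleHelp" or "ScreenConnect",
# and $approvedHosts is a placeholder for machines where an RMM tool is sanctioned.
$rmmPatterns   = 'SimpleHelp', 'ScreenConnect'
$approvedHosts = @('EXAMPLE-HELPDESK-01')   # placeholder: hosts where RMM is authorized

function Get-SuspectRmmService {
    # Enumerate all services and keep those whose display name or image path
    # matches an RMM product name.
    Get-CimInstance Win32_Service | Where-Object {
        $svc = $_
        $rmmPatterns | Where-Object { $svc.DisplayName -match $_ -or $svc.PathName -match $_ }
    } | Select-Object Name, DisplayName, State, StartMode, PathName
}

function Get-SafeBootRmmEntry {
    param([string[]]$ServiceNames = @())
    # Services registered under SafeBoot\Minimal or SafeBoot\Network start even in
    # Safe Mode, which is the persistence behaviour the report describes. Flag an
    # entry if it is one of the suspect services or its key name matches a pattern.
    foreach ($branch in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$branch"
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $entry = $_.PSChildName
            $type  = (Get-ItemProperty $_.PSPath).'(default)'   # usually "Service" or "Driver"
            $byName    = $entry -in $ServiceNames
            $byPattern = [bool]($rmmPatterns | Where-Object { $entry -match $_ })
            if ($byName -or $byPattern) {
                [pscustomobject]@{ Branch = $branch; Entry = $entry; Type = $type }
            }
        }
    }
}

$services = @(Get-SuspectRmmService)
$safeBoot = @(Get-SafeBootRmmEntry -ServiceNames $services.Name)

if (($services.Count -gt 0 -or $safeBoot.Count -gt 0) -and ($env:COMPUTERNAME -notin $approvedHosts)) {
    Write-Warning "Unexpected RMM artifacts on $env:COMPUTERNAME"
    $services | Format-Table -AutoSize
    $safeBoot | Format-Table -AutoSize
} else {
    Write-Output "No unexpected RMM services or Safe Mode service entries found."
}
```

Run it from an elevated prompt so the SafeBoot keys and all service image paths are readable; a hit on a host outside the approved list is a lead to investigate, not proof of compromise on its own.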
No specific CVEs were mentioned in the source.
Source: Thehackernews