Cybercriminals are repurposing legitimate bossware (employee monitoring software) to blend into corporate networks and deploy ransomware, highlighting the security risks of such monitoring tools.
Ransomware operators are increasingly turning to legitimate employee monitoring software to hide their malicious activities within corporate networks, according to new research from cybersecurity firm Huntress.

The security team observed two separate incidents in late January and early February where attackers used Net Monitor for Employees Professional, a commercial bossware application, as part of their attack chain before attempting to deploy ransomware.
How the attacks unfolded
In the first incident, attackers gained initial access to a victim's machine (method unknown) and installed Net Monitor for Employees. Once inside, they manipulated user accounts through various Windows commands, attempting to identify valid usernames, reset passwords, and create new administrative accounts.
The attackers then used the software to download SimpleHelp, a remote monitoring and management tool, from an external IP address. They attempted to disable Windows Defender and ultimately tried to deploy multiple versions of Crazy ransomware linked to the VoidCrypt family.
A second incident in early February followed a similar pattern but with additional sophistication. Here, the attacker compromised a third-party SSL VPN account to gain initial access, then connected to a domain controller via remote desktop protocol.
The bossware disguise
What made this attack particularly concerning was how the intruders leveraged Net Monitor's customization features. They disguised the monitoring agent as Microsoft OneDrive by:
- Registering the service as "OneDriveSvc"
- Naming the process "OneDriver.exe"
- Renaming the running binary to "svchost.exe"
This camouflage technique allowed the malicious software to blend in with legitimate Windows processes, making detection significantly more difficult for security teams.
Beyond ransomware: Cryptocurrency theft
In the second attack, the criminals configured SimpleHelp to monitor for specific keywords indicating cryptocurrency wallets, exchanges, blockchain explorers, and payment platforms. This suggests the attackers' financial motivations extended beyond ransomware to direct cryptocurrency theft.
The monitoring tool also tracked keywords related to remote access tools including RDP, AnyDesk, TeamViewer, and VNC, indicating preparation for lateral movement within the network.
Why legitimate tools are attractive to criminals
"RMMs and employee monitoring tools blend in amongst legitimate signed binaries," explained Michael Tigges, senior security operations analyst at Huntress. "This is a rare case of the employee monitoring software being co-opted for subsequent access."
The security team notes that distinguishing between malicious and legitimate use of such tools is "exceedingly difficult" because adversaries understand that these applications are commonly deployed in enterprise environments.
Industry impact and prevention
Both victims came from different industry sectors and appeared to be "targets of opportunity rather than any specifically targeted group," according to Tigges. The shared infrastructure, reuse of filenames, and overlapping IP addresses across both incidents suggest a single attacker or group was responsible.
To defend against such attacks, security analysts recommend:
- Enabling multi-factor authentication (MFA) on all remote access services and external-facing applications
- Limiting remote access to only necessary users and systems
- Conducting regular audits of third-party RMM tools and employee monitoring software
- Monitoring for unusual process execution chains
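As an added example that is not part of the Huntress write-up, the following Python checker turns the disguise described above and the last recommendation into three concrete rules run over constructed Sysmon-style process-creation records: a svchost.exe image outside the system directories, a OneDrive-flavoured process or service name outside a OneDrive install path, and account-management tools spawned by such a fake svchost. The sample events, the "Service" field, and the install-path lists are assumptions for illustration.

```python
import ntpath

# Constructed Sysmon-style process-creation records (event ID 1); not real
# telemetry. "Service" is the SCM service name when services.exe launched the
# image, otherwise "".
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Service": "Dhcp"},
    {"Image": r"C:\ProgramData\NetMon\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Service": "OneDriveSvc"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Service": ""},
    {"Image": r"C:\Program Files\NetMon\OneDriver.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Service": "OneDriveSvc"},
    {"Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\ProgramData\NetMon\svchost.exe", "Service": ""},
]

# Assumed locations of the genuine binaries; tune these to your estate.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
ONEDRIVE_DIRS = (r"\microsoft\onedrive", r"c:\program files\microsoft onedrive")
ACCOUNT_TOOLS = {"net.exe", "net1.exe"}

def split(path):
    """Lower-cased (directory, basename) of a Windows path."""
    return ntpath.split(path.lower())

def is_fake_svchost(path):
    """svchost.exe is only ever launched from the system directories."""
    directory, name = split(path)
    return name == "svchost.exe" and directory not in SYSTEM_DIRS

def check_event(ev):
    """Return (rule, detail) findings for one process-creation record."""
    directory, name = split(ev["Image"])
    service = ev.get("Service", "").lower()
    findings = []
    if is_fake_svchost(ev["Image"]):
        findings.append(("svchost_outside_system32", ev["Image"]))
    # A OneDrive-flavoured process or service name must come from a OneDrive
    # install path; OneDriver.exe / OneDriveSvc anywhere else is a lookalike.
    if ("onedrive" in name or "onedrive" in service) and \
            not any(d in directory for d in ONEDRIVE_DIRS):
        findings.append(("onedrive_lookalike", ev["Image"]))
    # Account manipulation (net user ...) spawned by a fake svchost is the
    # execution chain the incidents describe.
    if name in ACCOUNT_TOOLS and is_fake_svchost(ev["ParentImage"]):
        findings.append(("account_tool_from_fake_svchost", ev["ParentImage"]))
    return findings

def scan(events):
    return [f for ev in events for f in check_event(ev)]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Path prefix checks of this kind are a cheap first filter; in production, pair them with signer and hash checks, since an attacker can also place a renamed binary under a trusted-looking directory.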
The incidents highlight the double-edged nature of employee monitoring tools. While they serve legitimate purposes around data loss prevention, their capabilities for remote shell connections and command execution make them attractive targets for repurposing as fully functional remote access trojans.
As Tigges noted, "There are legitimate use cases for employee monitoring software - chiefly around data loss prevention." However, when these tools fall into the wrong hands, they become powerful weapons for cybercriminals seeking to blend into enterprise environments while conducting reconnaissance, delivering additional tooling, and establishing secondary remote access channels.