New MuddyWater attacks involve SimpleHelp remote admin tool

Iranian state-sponsored threat operation MuddyWater has been using SimpleHelp remote support software to ensure persistence in devices that have been compromised in attacks since June 2022, according to The Hacker News. While no exact approach for SimpleHelp distribution has been detailed, spear-phishing messages have been commonly leveraged by MuddyWater to facilitate its intrusions, a report from Group-IB showed. "SimpleHelp is not compromised and is used as intended. The threat actors found a way to download the tool from the official website and use it in their attacks," said Group-IB. Aside from leveraging SimpleHelp, MuddyWater was also discovered to have additional attack infrastructure, as well as a PowerShell script with remote command receipt capabilities. MuddyWater was previously reported by ESET to have used SimpleHelp to facilitate the distribution of the MKL64 credential stealer and the Ligolo reverse tunneling tool. Microsoft also recently noted the threat group's hybrid attacks that have been disguised to resemble a ransomware operation.