Modified PcShare backdoor replaces Windows Narrator to gain full control of systems
Security researchers have discovered a modified version of the open source backdoor PcShare which seems to originate from a Chinese advanced persistent threat (APT) group.
The malware has been used to target technology firms, and it is deployed through DLL side-loading by a legitimate NVIDIA application. As part of the attack, a Trojanized version of Windows' Narrator screen-reading tool is used to gain remote access to systems without the need for credentials.
The news comes from researchers at BlackBerry Cylance, and in a blog post the security company explains: "The attackers use a modified version of a Chinese open-source backdoor called PcShare as their main foothold on the victim's machine. The backdoor is specifically tailored to the needs of the campaign, with additional command-and-control (C&C) encryption and proxy bypass functionality, and any unused functionality removed from the code. It arrives with a bespoke loader utilizing DLL sideloading technique."
The Cylance Research and Intelligence Team goes on to say:
After gaining access to the victim's machine, the attackers deploy a range of post-exploitation tools, many of them based on publicly available code often found on Chinese programming portals. One of these tools stood out, a bespoke Trojan that abuses Microsoft Accessibility Features to gain SYSTEM-level access on the compromised machine in a way similar to the infamous "Sticky Keys" attack. In this case, instead of replacing the usual sethc.exe or utilman.exe binaries, the attackers chose to Trojanize the Narrator executable -- a Windows utility that reads aloud the text on the screen and can be invoked on the login screen with a keyboard shortcut. The use of Fake Narrator to gain SYSTEM-level access to the victim’s machine suggests the attackers are interested in maintaining a long-term foothold.
During an attack, the NVIDIA Smart Maximise Helper Host application is used to sideload a malicious version of the NvSmartMax.dll file, which then activates a payload stored in a separate DAT file.
The next stage of the attack is to implant the fake Narrator tool.
[This] binary is designed to replace Narrator.exe, a legitimate screen-reader utility belonging to Windows. Leveraging this attack makes it possible for a remote threat actor to gain unauthenticated access to a command prompt running with system privileges via a remote desktop logon screen. In order to deploy the Trojanized Narrator, the attackers will first have had to obtain administrative privileges in the victim’s system.
This binary is quite novel compared to previous malware that exploits accessibility features in Windows, in that it doesn't attempt to replicate the Narrator user-interface (which is often imitated poorly). Instead, it spawns a copy of the original Narrator.exe and draws a hidden overlapped window, where it waits to capture specific key combinations known only to the attacker. When the correct passphrase has been typed the malware will display a dialog that allows the attacker to specify the path to a file to execute.
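The two techniques described above, a Trojanized accessibility binary launched from the logon screen and a side-loaded NvSmartMax.dll, both leave artefacts an administrator can check for. The following script is an added defender-side example, not code from the article or from BlackBerry Cylance. It assumes a standard Windows layout under `$env:SystemRoot`, that genuine accessibility binaries are Microsoft-signed and owned by TrustedInstaller, and that a genuine NvSmartMax.dll is NVIDIA-signed; the function name and the list of search roots are my own choices.

```powershell
# Added example (not from the article or BlackBerry Cylance): integrity checks
# for the accessibility-feature hijack and the NvSmartMax.dll side-load.
# Run from an elevated PowerShell prompt.

function Invoke-AccessibilityHijackCheck {
    [CmdletBinding()]
    param(
        # Accessibility executables that Windows can launch from the logon screen.
        [string[]]$AccessibilityBinaries = @('Narrator.exe','sethc.exe','utilman.exe',
                                             'osk.exe','Magnify.exe','DisplaySwitch.exe','AtBroker.exe'),
        # Where to look for copies of the side-loaded DLL (assumption: typical install roots).
        [string[]]$SideloadSearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
                                           $env:ProgramData, $env:USERPROFILE)
    )

    $findings = New-Object System.Collections.Generic.List[object]
    $system32 = Join-Path $env:SystemRoot 'System32'
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

    foreach ($name in $AccessibilityBinaries) {
        $path = Join-Path $system32 $name
        if (Test-Path $path) {
            # 1. A replaced binary will not carry a valid Microsoft signature
            #    (catalog signatures are honoured by Get-AuthenticodeSignature on Windows 8+).
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
                $findings.Add([pscustomobject]@{
                    Check = 'AccessibilityBinarySignature'; Item = $path
                    Detail = "status=$($sig.Status) signer=$signer" })
            }
            # 2. Overwriting a protected file requires taking ownership; the
            #    original owner is TrustedInstaller, so anything else is a change.
            $owner = (Get-Acl -Path $path).Owner
            if ($owner -notmatch 'TrustedInstaller') {
                $findings.Add([pscustomobject]@{
                    Check = 'AccessibilityBinaryOwner'; Item = $path; Detail = "owner=$owner" })
            }
        }
        # 3. The older form of the trick: an IFEO Debugger redirect on the binary.
        $debugger = (Get-ItemProperty -Path (Join-Path $ifeo $name) -Name Debugger `
                        -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            $findings.Add([pscustomobject]@{
                Check = 'IFEODebugger'; Item = $name; Detail = "Debugger=$debugger" })
        }
    }

    # 4. The Trojan spawns a copy of the real Narrator, so list every running
    #    Narrator.exe with its image path and parent; a second instance, or one
    #    started from outside System32, stands out for review.
    Get-CimInstance Win32_Process -Filter "Name='Narrator.exe'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
        $findings.Add([pscustomobject]@{
            Check = 'NarratorProcess'; Item = "PID $($_.ProcessId)"
            Detail = "image=$($_.ExecutablePath) parent=$($parent.Name) (PID $($_.ParentProcessId))" })
    }

    # 5. Side-loading: any NvSmartMax.dll that is not validly signed by NVIDIA is suspect.
    foreach ($root in ($SideloadSearchRoots | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $root -Filter 'NvSmartMax.dll' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                if ($sig.Status -ne 'Valid' -or $signer -notmatch 'NVIDIA') {
                    $findings.Add([pscustomobject]@{
                        Check = 'SideloadedDll'; Item = $_.FullName
                        Detail = "status=$($sig.Status) signer=$signer size=$($_.Length)" })
                }
            }
    }

    return $findings
}

# Usage: print all findings; an empty table means none of the checks fired.
Invoke-AccessibilityHijackCheck | Format-Table -AutoSize
```

The signature checks rely on Windows catalog signing being visible to `Get-AuthenticodeSignature`; on systems where that is not the case, replace the signer test with a comparison against a hash allow-list taken from a known-good build. The Narrator process listing is deliberately reported rather than judged, because a legitimate user may well have Narrator running; the point is to surface the image path and the parent process so an instance spawned at the logon screen can be reviewed.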
Whoever created the malware has gone to some lengths to slip under the radar, the researchers say:
The use of DLL side-loading technique together with a bespoke loader utilizing memory injection ensures that the main backdoor binary is never dropped to the disk. A simple but effective anti-sandboxing technique of payload-encoding based on execution path is also implemented to avoid detection.
You can read full details of the malware on BlackBerry Cylance's ThreatVector blog.