Hackers who are believed to be operating from China have been targeting Southeast Asian tech companies with an open-source backdoor that helps establish a foothold in infected machines, and a weaponized text-to-speech application that lets attackers gain SYSTEM-level access. A new campaign takes advantage of the Windows Narrator app, a screen reader in Microsoft Windows, which is designed to improve the accessibility of machines for those with low levels of vision.
According to BlackBerry Cylance researchers, the attackers are able to gain full control over the host machine by replacing the original app on targeted hosts (which runs with system privileges) with a malicious version. An initial foothold into victims’ systems is achieved with the help of a modified version of the open-source PcShare backdoor, specifically tailored to the needs of the campaign. Using these two tools, the hackers can surreptitiously control systems via remote desktop logon screens, without the need for credentials.
The sophisticated campaign involves multiple stages. In the first stage, the attackers deliver the PcShare backdoor to victims via spearphishing campaigns. This modified backdoor is designed to operate when side-loaded by a legitimate NVIDIA application. Interestingly, it arrives with a bespoke loader that relies on this DLL side-loading technique.
“The DLL is side-loaded by the legitimate “NVIDIA Smart Maximise Helper Host” application (part of NVIDIA GPU graphics driver) instead of the original NvSmartMax.dll that the program normally uses. Its main responsibility is to decrypt and load the encoded payload stored either in its .data section, or in a separate DAT file,” the researchers said.
PcShare’s use of the legitimate application gives the attackers an additional layer of stealth that helps them avoid detection.
“The use of DLL side-loading technique together with a bespoke loader utilizing memory injection ensures that the main backdoor binary is never dropped to the disk. A simple but effective anti-sandboxing technique of payload encoding based on execution path is also implemented to avoid detection,” the threat research team explained.
Additionally, the command and control infrastructure is also obfuscated. While the configuration supplied by the loader is passed as plain text, the URL it contains is not the real C&C address; instead, it points to a remote file that contains the actual details on how to communicate with the C&C server.
Once PcShare is installed, the attackers can then further compromise their victims using a number of post-exploitation tools, namely Fake Narrator, a weaponized screen reader application that abuses Microsoft Accessibility Features and allows attackers with admin privileges to gain SYSTEM-level access. Upon execution, the trojanized fake Narrator will first run the original legitimate Narrator, then register a window class (“NARRATOR”) and create a window (“Narrator”).
“The window procedure creates a dialog with an edit control and a button called “r”, while a separate thread constantly monitors keyboard strokes. If the malware detects that a specific password has been typed (hardcoded in the binary as "showmememe" string), it will display the previously created dialog. This will allow the attacker to specify the command, or the path to a file to execute via an edit control,” the report explains.
Once the Fake Narrator is enabled at the logon screen via “Ease of Access”, the malware will be executed by winlogon.exe with SYSTEM privileges. Typing the attacker’s defined password will allow the attacker to spawn any executable, also running under the SYSTEM account, at the logon screen. This technique, the researchers said, ultimately allows a threat actor to maintain a persistent shell on a system without the need for valid credentials.
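The process chain described above (winlogon.exe starting Narrator.exe at the logon screen, which then spawns an arbitrary executable as SYSTEM) is what a defender would hunt for in endpoint telemetry. The following is an added Python example, not code from the BlackBerry Cylance report; the process-creation records are constructed with Sysmon-style fields, and the image paths and account names are assumptions.

```python
from dataclasses import dataclass

SYSTEM = r"NT AUTHORITY\SYSTEM"


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1-style fields)."""
    pid: int
    ppid: int
    image: str  # full image path of the new process
    user: str   # account the new process runs as


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def find_narrator_abuse(events):
    """Return (narrator_pid, child_pid, child_image) for every SYSTEM process spawned by
    a Narrator.exe that winlogon.exe started. A benign logon-screen Narrator spawns nothing."""
    by_pid = {e.pid: e for e in events}

    def started_by_winlogon(e):
        seen = set()
        while e.ppid in by_pid and e.ppid not in seen:  # walk the parent chain upwards
            seen.add(e.ppid)
            e = by_pid[e.ppid]
            if _base(e.image) == "winlogon.exe":
                return True
        return False

    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or _base(parent.image) != "narrator.exe":
            continue
        if e.user == SYSTEM and started_by_winlogon(parent):
            hits.append((parent.pid, e.pid, _base(e.image)))
    return hits


# Constructed sample telemetry: a logon-screen Fake Narrator session plus benign user activity.
SAMPLE_EVENTS = [
    ProcEvent(500, 4, r"C:\Windows\System32\winlogon.exe", SYSTEM),
    ProcEvent(900, 500, r"C:\Windows\System32\Narrator.exe", SYSTEM),   # Ease of Access launch
    ProcEvent(910, 900, r"C:\Windows\System32\Narrator.exe", SYSTEM),   # fake runs the real one
    ProcEvent(950, 900, r"C:\Windows\System32\cmd.exe", SYSTEM),        # spawned after the password
    ProcEvent(1200, 1100, r"C:\Windows\explorer.exe", "CORP\\alice"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\cmd.exe", "CORP\\alice"),
    ProcEvent(1400, 1200, r"C:\Windows\System32\Narrator.exe", "CORP\\alice"),  # user-started, no children
]
```

Running `find_narrator_abuse(SAMPLE_EVENTS)` flags only the two children of the logon-screen Narrator (pids 910 and 950); the interactive-session Narrator and the user's shell are ignored.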
As for the operators behind this campaign, precise attribution of these attacks has proven elusive, although the experts noticed some similarities with previous campaigns conducted by a group named Tropic Trooper.
“The use of PcShare backdoor, as well as the geographical location of the victims, bear similarities to a known threat actor called Tropic Trooper, which is actively targeting government institutions and heavy industry companies in Taiwan and the Philippines,” the researchers added.