Security Experts:

Connect with us

Hi, what are you looking for?



Chinese Hackers Hit Technology Firms in Southeast Asia With PcShare Backdoor

Attacks conducted by a suspected Chinese threat actor on technology companies in Southeast Asia employ a version of the open-source PcShare backdoor, BlackBerry Cylance security researchers warn.

Attacks conducted by a suspected Chinese threat actor on technology companies in Southeast Asia employ a version of the open-source PcShare backdoor, BlackBerry Cylance security researchers warn.

The attackers also used a trojanized screen reader application that replaces the built-in Narrator “Ease of Access” feature in Windows, essentially gaining remote control over the infected systems, all without having to steal the victim’s credentials.

PcShare, a Chinese open-source backdoor, was modified specifically for this campaign, with additional command and control (C&C) encryption and proxy bypass functionality. Furthermore, its operators removed any unused functionality from the code.

The malware is executed on the victim’s machine via DLL side-loading. Specifically, the backdoor is side-loaded by the legitimate NVIDIA Smart Maximise Helper Host application (part of NVIDIA GPU graphics drivers), the security researchers discovered.

Following initial compromise, various post-exploitation tools are deployed, many based on code publicly available on Chinese programming portals. One of these is a Trojan that leverages Microsoft Accessibility Features to gain SYSTEM-level access by trojanizing the Narrator executable.

To avoid detection, the hackers used memory injection so that the main backdoor binary never touches the disk, and also encoded the payload based on execution path. The loader passes configuration as plain text, but the supplied URL is not the real C&C address. Instead, it links to a remote file containing details for C&C communication.

While the threat actor has used the same PcShare payload across attacks on multiple organizations, they often modified the side-loaded DLL per target to update configuration details, including C&C IP addresses and victim identifiers.

The malware sets persistency by adding an entry to the registry and creates mutexes to ensure only one instance of the payload injection routine is running.

Features the backdoor has include different modes of operation (such as SSH & Telnet server, self-update mode, file upload and download modes), traffic compression using a custom LZW algorithm, C&C communication encrypted using the PolarSSL library, and proxy authentication via local user credentials.

Remote administration capabilities in the malware include list, create, rename and delete files and directories; list and kill processes; edit registry keys and values; list and manipulate services; enumerate and control windows; execute binaries; download additional files from the C&C or a provided URL; upload files to the C&C; spawn command line shell; navigate to URLs; display message boxes; and reboot or shut down the system.

The fake Narrator app employed by the threat actor does not attempt to replace the legitimate app, but spawns a copy of it to replicate the Narrator user-interface. The trojanized app is delivered after the attackers manage to gain administrative privileges on the system and provides SYSTEM-level access to the machine.

The fake Narrator app was first introduced four years ago, but the threat actor continues to modify it to ensure it fits victims’ environments, the researchers say. The tool appears to have been used only in a very limited number of attacks.

Based on the use of Chinese open-source projects and the geographical location of the victims, BlackBerry Cylance believes the actor is of Chinese origin.

“As of today, precise attribution of these attacks has proven elusive. The use of PcShare backdoor, as well as the geographical location of the victims, bear similarities to a known threat actor called Tropic Trooper, which is actively targeting government institutions and heavy industry companies in Taiwan and Philippines,” BlackBerry Cylance says.

Related: KeyBoy Abuses Popular Office Exploits for Malware Delivery

Related: Cyberspies Target Taiwan Government, Energy Sector

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.