Connect with us

Hi, what are you looking for?



Chinese Hackers Hit Technology Firms in Southeast Asia With PcShare Backdoor

Attacks conducted by a suspected Chinese threat actor on technology companies in Southeast Asia employ a version of the open-source PcShare backdoor, BlackBerry Cylance security researchers warn.

Attacks conducted by a suspected Chinese threat actor on technology companies in Southeast Asia employ a version of the open-source PcShare backdoor, BlackBerry Cylance security researchers warn.

The attackers also used a trojanized screen reader application that replaces the built-in Narrator “Ease of Access” feature in Windows, essentially gaining remote control over the infected systems, all without having to steal the victim’s credentials.

PcShare, a Chinese open-source backdoor, was modified specifically for this campaign, with additional command and control (C&C) encryption and proxy bypass functionality. Furthermore, its operators removed any unused functionality from the code.

The malware is executed on the victim’s machine via DLL side-loading. Specifically, the backdoor is side-loaded by the legitimate NVIDIA Smart Maximise Helper Host application (part of NVIDIA GPU graphics drivers), the security researchers discovered.

Following initial compromise, various post-exploitation tools are deployed, many based on code publicly available on Chinese programming portals. One of these is a Trojan that leverages Microsoft Accessibility Features to gain SYSTEM-level access by trojanizing the Narrator executable.

To avoid detection, the hackers used memory injection so that the main backdoor binary never touches the disk, and also encoded the payload based on execution path. The loader passes configuration as plain text, but the supplied URL is not the real C&C address. Instead, it links to a remote file containing details for C&C communication.

While the threat actor has used the same PcShare payload across attacks on multiple organizations, they often modified the side-loaded DLL per target to update configuration details, including C&C IP addresses and victim identifiers.

The malware sets persistency by adding an entry to the registry and creates mutexes to ensure only one instance of the payload injection routine is running.

Advertisement. Scroll to continue reading.

Features the backdoor has include different modes of operation (such as SSH & Telnet server, self-update mode, file upload and download modes), traffic compression using a custom LZW algorithm, C&C communication encrypted using the PolarSSL library, and proxy authentication via local user credentials.

Remote administration capabilities in the malware include list, create, rename and delete files and directories; list and kill processes; edit registry keys and values; list and manipulate services; enumerate and control windows; execute binaries; download additional files from the C&C or a provided URL; upload files to the C&C; spawn command line shell; navigate to URLs; display message boxes; and reboot or shut down the system.

The fake Narrator app employed by the threat actor does not attempt to replace the legitimate app, but spawns a copy of it to replicate the Narrator user-interface. The trojanized app is delivered after the attackers manage to gain administrative privileges on the system and provides SYSTEM-level access to the machine.

The fake Narrator app was first introduced four years ago, but the threat actor continues to modify it to ensure it fits victims’ environments, the researchers say. The tool appears to have been used only in a very limited number of attacks.

Based on the use of Chinese open-source projects and the geographical location of the victims, BlackBerry Cylance believes the actor is of Chinese origin.

“As of today, precise attribution of these attacks has proven elusive. The use of PcShare backdoor, as well as the geographical location of the victims, bear similarities to a known threat actor called Tropic Trooper, which is actively targeting government institutions and heavy industry companies in Taiwan and Philippines,” BlackBerry Cylance says.

Related: KeyBoy Abuses Popular Office Exploits for Malware Delivery

Related: Cyberspies Target Taiwan Government, Energy Sector

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.