Attacks conducted by a suspected Chinese threat actor on technology companies in Southeast Asia employ a version of the open-source PcShare backdoor, BlackBerry Cylance security researchers warn.
The attackers also used a trojanized screen reader application that replaces the built-in Narrator “Ease of Access” feature in Windows, essentially gaining remote control over the infected systems, all without having to steal the victim’s credentials.
PcShare, a Chinese open-source backdoor, was modified specifically for this campaign, with additional command and control (C&C) encryption and proxy bypass functionality. Furthermore, its operators removed any unused functionality from the code.
The malware is executed on the victim’s machine via DLL side-loading. Specifically, the backdoor is side-loaded by the legitimate NVIDIA Smart Maximise Helper Host application (part of NVIDIA GPU graphics drivers), the security researchers discovered.
Following initial compromise, various post-exploitation tools are deployed, many based on code publicly available on Chinese programming portals. One of these is a Trojan that leverages Microsoft Accessibility Features to gain SYSTEM-level access by trojanizing the Narrator executable.
To avoid detection, the hackers used memory injection so that the main backdoor binary never touches the disk, and also encoded the payload based on its execution path. The loader passes its configuration as plain text, but the supplied URL is not the real C&C address; instead, it points to a remote file containing the details for C&C communication.
While the threat actor has used the same PcShare payload across attacks on multiple organizations, they often modified the side-loaded DLL per target to update configuration details, including C&C IP addresses and victim identifiers.
The malware establishes persistence by adding a registry entry and creates mutexes to ensure that only one instance of the payload injection routine is running.
The backdoor's features include several modes of operation (such as SSH and Telnet server, self-update mode, and file upload and download modes), traffic compression using a custom LZW algorithm, C&C communication encrypted with the PolarSSL library, and proxy authentication using local user credentials.
Remote administration capabilities in the malware include listing, creating, renaming and deleting files and directories; listing and killing processes; editing registry keys and values; listing and manipulating services; enumerating and controlling windows; executing binaries; downloading additional files from the C&C or a provided URL; uploading files to the C&C; spawning a command-line shell; navigating to URLs; displaying message boxes; and rebooting or shutting down the system.
The fake Narrator app employed by the threat actor does not attempt to replace the legitimate app, but spawns a copy of it to replicate the Narrator user-interface. The trojanized app is delivered after the attackers manage to gain administrative privileges on the system and provides SYSTEM-level access to the machine.
The fake Narrator app was first introduced four years ago, but the threat actor continues to modify it to ensure it fits victims’ environments, the researchers say. The tool appears to have been used only in a very limited number of attacks.
Based on the use of Chinese open-source projects and the geographical location of the victims, BlackBerry Cylance believes the actor is of Chinese origin.
“As of today, precise attribution of these attacks has proven elusive. The use of PcShare backdoor, as well as the geographical location of the victims, bear similarities to a known threat actor called Tropic Trooper, which is actively targeting government institutions and heavy industry companies in Taiwan and Philippines,” BlackBerry Cylance says.