An open-source backdoor is being used to help establish a foothold in infected machines, and a weaponised text-to-speech application lets attackers gain SYSTEM-level access.
BlackBerry Cylance’s research and intelligence team said in a 25 September blog post that attackers behind the two-year-old campaign are using the malicious tools to conduct a reconnaissance operation, the mission of which is to exfiltrate sensitive data from targets and move laterally through the their systems.
The researchers also said that the threat actor has exhibited behaviour that is in keeping with suspected Chinese APT group Tropic Trooper, which is known to target heavy industry companies in Taiwan and the Philippines and has used the same backdoor in other campaigns. However, open-source malware is accessible to virtually anyone, and attribution has not been confirmed.
The backdoor is a modified version of a Chinese remote access trojan called PcShare. The malicious binary features command-and-control encryption and proxy bypass capabilities, and is delivered via a customised downloader via sideloading by the legitimate "NVIDIA Smart Maximise Helper Host" application – part of NVIDIA’s GPU graphics driver. The loader injects the main payload into memory, while leaving the disk itself untouched.
"The use of DLL side-loading technique together with a bespoke loader utilising memory injection ensures that the main backdoor binary is never dropped to the disk," explains Cylance in the blog post. To bolster its chances of avoiding detection, the loader also performs anti-sandboxing by encoding the payload based on execution path.
In another sneaky manoeuvre, the loader’s configuration contains a plain-text URL, except that’s not really the C&C address. Instead, the URL hosts a remote file that contains the actual C&C details. "This allows the attackers to easily change the preferred C&C address, decide the timing of the communication, and – by applying server-side filtering – restrict revealing the real address to requests coming from specific regions or at specific times," explains Cylance.
The actual PcShare Backdoor program is a PE DLL file still retains certain functionality from the original PcShare RAT, with other capabilities stripped out. In addition to its aforementioned C&C encryption and proxy bypass capabilities, it also can perform some remote administration tasks, including the creation and deletion of files and directories; listing processes and services; executing binaries, downloading and uploading files and more.
Once PcShare is installed, the attackers can then further compromise their victims through a number of post-exploitation tools. Chief among them is Fake Narrator, a weaponised screen reader application that abuses Microsoft Accessibility Features and allows attackers with admin privileges to gain SYSTEM-level access.
Fake Narrator essentially replaces the legitimate Narrator.exe, an accessibility program, found in Windows’ Ease of Access Center, that helps users with poor vision by reading aloud the text on their screens.
Fake narrator "spawns a copy of the original Narrator.exe and draws a hidden overlapped window, where it waits to capture specific key combinations known only to the attacker," the blog post said. "When the correct passphrase has been typed the malware will display a dialog that allows the attacker to specify" a command or the path to a file to execute.
"Once the Fake Narrator is enabled at the logon screen via ‘Ease of Access,’ the malware will be executed by winlogon.exe with SYSTEM privileges. Typing the attacker’s defined password will allow the attacker to spawn any executable, also running under the SYSTEM account, at the logon screen," Cylance reported. "This technique ultimately allows a malicious actor to maintain a persistent shell on a system without requiring valid credentials."
A study of Fake Narrator samples indicate that the malware is more than four years old and still undergoing modifications, despite being used sparingly by the attackers.
First published on SC US.