Malware operators abuse Windows Narrator software in Asian attack wave

The threat group is able to remotely control vulnerable systems without credentials.
Written by Charlie Osborne, Contributing Writer

A new wave of attacks conducted by a suspected Chinese advanced persistent threat (APT) group is replacing Windows Narrator with a malicious variant for remote, persistent access. 

BlackBerry Cylance researchers said on Wednesday that the campaign is focused on infiltrating systems belonging to technology companies based in Southeast Asia.

An interesting tactic employed by these threat actors is the replacement of the Narrator "Ease of Access" feature in Microsoft Windows machines. 

Narrator is a screen-reading application, built into Windows 10, which is designed to improve the accessibility of machines for those with low levels of vision. The software replaces the mouse with voice technology and is compatible with braille displays. 

A modified version of a Chinese open-source backdoor, named PcShare and available on GitHub, is used to sink the attacker's claws into a machine. This backdoor is streamlined for the campaign at hand; with tailored command-and-control (C2) servers, encryption, and proxy bypass functionality, and "any unused functionality removed from the code," according to BlackBerry Cylance.

See also: Political targets at risk as Fancy Bear returns with refreshed backdoor malware

The backdoor's loader makes use of DLL sideloading, as well as a memory injection -- a technique employed to prevent the main backdoor binary from being dropped to disk and potentially discovered through traditional antivirus software. 

The DLL is side-loaded with assistance from the legitimate "Nvidia Smart Maximise Helper Host" application that is part of the Nvidia GPU graphics driver. 

In addition, payloads are encoded based on their execution paths, an anti-sandboxing method the researchers call "simple but effective." Misdirection tactics are also employed to hide the C2 infrastructure. 

The Trojan is able to remotely control an infected machine, create, rename, and delete both files and directories; list and kill processes; edit registry keys and values; execute binaries, spawn command-line shells, and can also communicate with its C2 to drop additional payloads or transfer stolen files. 

Once access is gained to a victim system, a bespoke, malicious utility will target Narrator.exe to gain SYSTEM-level permissions via the winlogon command, which also allows the attackers to spawn any executable. 

CNET: Hackers set up a fake veteran-hiring website to infect victims with malware

The Fake Narrator utility, the malicious replacement for the accessibility tool, can then launch with a hidden window that waits for hardcoded key combinations known only by the APT. When these passphrases are input, the window will reveal itself and allow the attackers to specify the path to any file they wish to execute.

"The aim of the attackers is persistent exfiltration of sensitive data, as well as local network reconnaissance and lateral movement," the team added. "The use of Fake Narrator to gain SYSTEM-level privileges indicates the threat actor is interested in long-term monitoring of the victim, as opposed to one-off data collection."

BlackBerry Cylance says that samples of Fake Narrator reveal an active development timeline reaching back to at least four years ago, but delays between the release of different versions suggest that the tool is only used in a limited number of cases. 

TechRepublic: Latest research says organizations need to integrate security principles with DevOps

While BlackBerry Cylance does not point the finger directly at a specific APT, the researchers say the use of PcShare and victim selection are similar to Tropic Trooper -- also known as KeyBoy -- a group which targets government, health, transport, and technology organizations in Taiwan, the Philippines, and Hong Kong. 

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards