
How the Narrator Windows utility is Infected by PcShare Backdoor Attacks


Researchers have discovered PcShare backdoor attacks that target Windows users with FakeNarrator malware. Read on to know more…

Over the years, Chinese hackers suspected to be from an Advanced Persistent Threat (APT) group have been replacing the legitimate Narrator app on targeted Windows systems with a trojanized version of the screen-reader application that gives them remote access with the privileges of the most powerful account on the operating system. The hackers deployed a version of the open-source malware known as the PcShare backdoor to gain an initial foothold in victims’ systems. The Narrator app is part of the ‘Ease of Access’ set of programs in Windows, which users can launch from the logon screen before authenticating.

Working Mechanism
Ease of Access programs such as Narrator inherit their permissions from the executable that launches them, ‘winlogon.exe’, the logon process that runs with SYSTEM permissions. Hackers already on the system can modify these programs to spawn a Command Prompt (cmd.exe) window with elevated permissions on the remote desktop login screen. Using the two tools, the attackers are able to surreptitiously control Windows machines via remote desktop logon screens, without the need for credentials.

According to security researchers from BlackBerry Cylance, this type of attack is not new, but the Chinese hackers have a new approach. Most malware exploiting accessibility features replicates the Narrator interface with poor functions. In this attack, though, the fake Narrator takes the place of the legitimate program and launches it with a hidden overlapped window that waits for specific key combinations to be entered. Cylance reports that “When the correct passphrase has been typed the malware will display a dialog that allows the attacker to specify the path to a file to execute.” According to the researchers, the hidden window becomes visible when the right password, hardcoded in the malware as ‘showmememe’, is entered. This is how the attacker can run commands or executables with elevated privileges.
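A defender can look for this behaviour in process-creation telemetry. The following added example (not from the article or the Cylance report) flags processes that descend from an Ease of Access program running under winlogon.exe; the field names follow Sysmon Event ID 1, while the program list, helper names and sample events are assumptions constructed for illustration.

```python
import ntpath

# Ease of Access programs that can be started from the logon screen (assumed list).
ACCESSIBILITY = {"narrator.exe", "utilman.exe", "atbroker.exe", "osk.exe",
                 "magnify.exe", "sethc.exe", "displayswitch.exe"}

def exe(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()

def ancestors(event, by_pid):
    """Parent image names, nearest first, as far back as the log allows."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur["ProcessId"] not in seen:  # guard against loops
        seen.add(cur["ProcessId"])
        chain.append(exe(cur["ParentImage"]))
        cur = by_pid.get(cur["ParentProcessId"])
    return chain

def logon_screen_spawns(events):
    """Events for non-accessibility processes that descend from an Ease of Access
    program which itself runs under winlogon.exe (PID reuse is ignored here)."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        if exe(e["Image"]) in ACCESSIBILITY:
            continue  # the accessibility programs themselves are expected
        chain = ancestors(e, by_pid)
        if any(n in ACCESSIBILITY and "winlogon.exe" in chain[i + 1:]
               for i, n in enumerate(chain)):
            hits.append(e)
    return hits

def ev(pid, image, ppid, parent, user):
    return {"ProcessId": pid, "Image": image, "ParentProcessId": ppid,
            "ParentImage": parent, "User": user}

S, SYSTEM = "C:\\Windows\\System32\\", "NT AUTHORITY\\SYSTEM"
# Constructed sample events, not taken from the report.
SAMPLE = [
    ev(900, S + "Utilman.exe", 600, S + "winlogon.exe", SYSTEM),
    ev(1200, S + "Narrator.exe", 900, S + "Utilman.exe", SYSTEM),
    ev(1300, S + "cmd.exe", 1200, S + "Narrator.exe", SYSTEM),    # from logon screen
    ev(1400, S + "whoami.exe", 1300, S + "cmd.exe", SYSTEM),      # its descendant
    ev(2000, S + "Narrator.exe", 1800, "C:\\Windows\\explorer.exe", "CORP\\alice"),
    ev(2100, S + "notepad.exe", 1800, "C:\\Windows\\explorer.exe", "CORP\\alice"),
]

if __name__ == "__main__":
    for h in logon_screen_spawns(SAMPLE):
        print("ALERT", h["ProcessId"], h["Image"], "as", h["User"])
```

Narrator started from a user's desktop session is not flagged, because its process chain does not lead back to winlogon.exe.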

Attack Initiation
To gain initial access, the attackers deliver the PcShare backdoor to victims via spearphishing campaigns. It has been modified and designed to operate when side-loaded by a legitimate NVIDIA application. The hackers rely on DLL side-loading, memory injection, and misdirection tactics to ensure a stealthy operation. BlackBerry Cylance explained that it is “specifically tailored to the needs of the campaign, with additional command-and-control (C2) encryption and proxy bypass functionality, and any unused functionality removed from the code.” The unused functionality includes audio/video streaming and keyboard monitoring, suggesting that it’s strictly being used to install other malware.

Targeted Areas
Cylance suspects that these attacks are the work of a Chinese advanced threat group known as Tropic Trooper or KeyBoy, which has been targeting government institutions and heavy industry companies in Taiwan and the Philippines. The researchers said that “The use of PcShare backdoor, as well as the geographical location of the victims, bear similarities to a known threat actor called Tropic Trooper, which is actively targeting government institutions and heavy industry companies in Taiwan and Philippines.”

Although precise attribution is not possible based on the evidence at hand, the victims, their geographic location, and the use of PcShare point to this adversary. These attacks were directed at technology companies in South-East Asia.

