PcShare Malware Brings a Fake Narrator

What Is It?

Researchers from Cylance’s research and intelligence team have detailed an ongoing campaign called PcShare by a suspected Chinese APT (Advanced Persistent Threat) group targeting heavy industrial organizations in South East Asia, including the Philippines and Taiwan.

The attack, comprised of two components, starts with is a customized variant of a Chinese open source remote access trojan (RAT), PcShare, which is then followed by a trojanized screen reader which replaces the Narrator utility, part of Microsoft Accessibility Features supplied with Microsoft Windows 10.

The source code for several versions of PcShare is available on GitHub, however the version used by these attackers is heavily modified and employs techniques intended to make detection, especially by legacy anti-virus products, more difficult. Firstly, the code for any functionality not required by the attackers has been removed, which not only makes the code smaller and more efficient, but is likely intended to make signature-based detection less likely. Next, the attack uses a technique known as “DLL side loading” to use a legitimate application to load malicious code into memory and execute it. In this case, a component of the NVIDIA graphics driver is used to achieve this.

The malicious payload is encrypted with the most basic method of a XOR operation using a single byte as the encryption key. However, as an anti-analysis mechanism against manual or automated sandbox analysis, the single byte encryption key is calculated based on the name of its parent process. Once decrypted, the payload is loaded in RAM without ever being saved to disk, again attempting to avoid detection by endpoint security software. These techniques are all relevant in the context that the malware is executing on an endpoint and have no impact on BluVector’s network detection capabilities.

Some of the functionality removed from publicly available PcShare versions relates to audio/video streaming and keylogging. However, the attackers have added the ability to encrypt C2 (command and control) traffic. The have also added code to obtain proxy authentication credentials stored on the infected system. As most corporate networks utilize proxies; this allows the malware to communicate in such an environment. As a RAT, functionality exists to manipulate files, running processes, registry keys and to download and execute other code.

One such piece of code is the so-called fake Narrator malware. The purpose of fake Narrator is to allow the attackers to remotely obtain access to a command prompt, with system level privileges, without authentication. Prior to installing fake Narrator on an infected system, the attackers will rename the legitimate Narrator executable. When fake Narrator has been enabled at the logon screen via Ease Of Access, it runs the legitimate Narrator and creates a hidden, overlapped window. It then monitors keystrokes for a hardcoded password which, if received, allows the attackers to run any application with system privileges on the logon screen. The infected system is now completely compromised and remotely accessible by the attackers.

How Does It Propagate?

The malware discussed here does not self-propagate. The infection vector is not known. However, the most likely vector is social engineering, either as a malicious attachment or downloads performed by malicious documents or links.

When/How Did BluVector Detect It?

Three samples of PcShare are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Despite the samples being first seen in the wild up to 15 months ago, regression testing has shown the samples would have been detected an average of 47 months prior to their original release.

All Threat Reports