Threat Management, Threat Intelligence, Malware

Attackers trojanize Windows Narrator tool to spy on Asian tech firms

Threat actors have been targeting Southeast Asian tech companies with an open-source backdoor that helps establish a foothold in infected machines, and a weaponized text-to-speech application that lets attackers gain SYSTEM-level access.

BlackBerry Cylance's research and intelligence team said in a Sept. 25 blog post that attackers behind the two-year-old campaign are using the malicious tools to conduct a reconnaissance operation, the mission of which is to exfiltrate sensitive data from targets and move laterally through the their systems.

The researchers also said that the threat actor has exhibited behavior that is in keeping with suspected Chinese APT group Tropic Trooper, which is known to target heavy industry companies in Taiwan and the Philippines and has used the same backdoor in other campaigns. However, open-source malware is accessible to virtually anyone, and attribution has not been confirmed.

The backdoor is a modified version of a Chinese remote access trojan called PcShare. The malicious binary features command-and-control encryption and proxy bypass capabilities, and is delivered via a customized downloader via sideloading by the legitimate "NVIDIA Smart Maximise Helper Host" application – part of NVIDIA's GPU graphics driver. The loader injects the main payload into memory, while leaving the disk itself untouched.

"The use of DLL side-loading technique together with a bespoke loader utilizing memory injection ensures that the main backdoor binary is never dropped to the disk," explains Cylance in the blog post. To bolster its chances of avoiding detection, the loader also performs anti-sandboxing by encoding the payload based on execution path.

In another sneaky maneuver, the loader's configuration contains a plain-text URL, except that's not really the C&C address. Instead, the URL hosts a remote file that contains the actual C&C details. "This allows the attackers to easily change the preferred C&C address, decide the timing of the communication, and – by applying server-side filtering – restrict revealing the real address to requests coming from specific regions or at specific times," explains Cylance.

The actual PcShare Backdoor program is a PE DLL file still retains certain functionality from the original PcShare RAT, with other capabilities stripped out. In addition to its aforementioned C&C encryption and proxy bypass capabilities, it also can perform some remote administration tasks, including the creation and deletion of files and directories; listing processes and services; executing binaries, downloading and uploading files and more.

Once PcShare is installed, the attackers can then further compromise their victims through a number of post-exploitation tools. Chief among them is Fake Narrator, a weaponized screen reader application that abuses Microsoft Accessibility Features and allows attackers with admin privileges to gain SYSTEM-level access.

Fake Narrator essentially replaces the legitimate Narrator.exe, an accessibility program, found in Windows' Ease of Access Center, that helps users with poor vision by reading aloud the text on their screens.

Fake narrator "spawns a copy of the original Narrator.exe and draws a hidden overlapped window, where it waits to capture specific key combinations known only to the attacker," the blog post said. "When the correct passphrase has been typed the malware will display a dialog that allows the attacker to specify" a command or the path to a file to execute.

"Once the Fake Narrator is enabled at the logon screen via 'Ease of Access,' the malware will be executed by winlogon.exe with SYSTEM privileges. Typing the attacker's defined password will allow the attacker to spawn any executable, also running under the SYSTEM account, at the logon screen," Cylance reported. "This technique ultimately allows a malicious actor to maintain a persistent shell on a system without requiring valid credentials."

A study of Fake Narrator samples indicate that the malware is more than four years old and still undergoing modifications, despite being used sparingly by the attackers.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.