Attacks on technology businesses in Southeast Asia by a suspected Chinese threat actor use a modified version of the open-source PcShare backdoor, security researchers at BlackBerry Cylance warn.
The attackers also used a trojanized screen-reader application that replaces the built-in Windows "Ease of Access" Narrator feature, giving them remote control over infected systems without needing to steal credentials.
The Chinese open-source backdoor PcShare has been modified specifically for this campaign, with additional C&C encryption and proxy bypass. The operators also stripped unused features from the code.
The malware is executed on the victim's machine through DLL side-loading. Specifically, the backdoor is loaded by the legitimate NVIDIA Smart Maximize Helper Host executable, which the researchers found to be a component of NVIDIA's GPU graphics software.
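The side-loading technique described above leaves a recognisable trace in image-load telemetry: a signed host executable that maps an unsigned DLL from its own directory, outside the Windows and Program Files trees. The following is an added detection example written for this article, not code from BlackBerry Cylance or from the report. The log lines are constructed in a Sysmon-like key=value layout, and the executable name `VendorHelperHost.exe` and all paths are placeholders, not the real NVIDIA component or DLL name.

```python
"""Heuristic detection of DLL side-loading from image-load telemetry.

Rule: a process whose executable carries a valid signature loads an unsigned
DLL from the same directory as itself, and that directory is not under a
trusted root (Windows or Program Files). Legitimate portable or per-user
applications can trigger this, so treat a hit as a lead for triage, not proof.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where vendor-installed binaries and their DLLs normally live.
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")


@dataclass(frozen=True)
class ImageLoad:
    image: PureWindowsPath         # the process executable doing the loading
    image_loaded: PureWindowsPath  # the DLL that was mapped into it
    image_signed: bool             # signature status of the executable
    dll_signed: bool               # signature status of the DLL


def parse_line(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value|Key=Value' image-load record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=PureWindowsPath(fields["Image"]),
        image_loaded=PureWindowsPath(fields["ImageLoaded"]),
        image_signed=fields["ImageSigned"].lower() == "true",
        dll_signed=fields["DllSigned"].lower() == "true",
    )


def under_trusted_root(path: PureWindowsPath) -> bool:
    """Case-insensitive check that a path sits below one of TRUSTED_ROOTS."""
    p = str(path).lower()
    return any(p.startswith(root.lower() + "\\") for root in TRUSTED_ROOTS)


def is_side_load_candidate(ev: ImageLoad) -> bool:
    # PureWindowsPath equality is case-insensitive, matching NTFS behaviour.
    same_dir = ev.image.parent == ev.image_loaded.parent
    return (
        ev.image_signed
        and not ev.dll_signed
        and same_dir
        and not under_trusted_root(ev.image_loaded)
    )


def scan(lines):
    """Return the image-load events that match the side-loading heuristic."""
    return [ev for ev in map(parse_line, lines) if is_side_load_candidate(ev)]


# Constructed sample telemetry (placeholder names and paths, not real IoCs).
SAMPLE_LOG = [
    # Signed host copied to a temp directory, loading an unsigned DLL beside it: hit.
    r"Image=C:\Users\alice\AppData\Local\Temp\build\VendorHelperHost.exe"
    r"|ImageLoaded=C:\Users\alice\AppData\Local\Temp\build\helper.dll"
    r"|ImageSigned=true|DllSigned=false",
    # Same host in its installed location loading its own signed DLL: benign.
    r"Image=C:\Program Files\Vendor\VendorHelperHost.exe"
    r"|ImageLoaded=C:\Program Files\Vendor\helper.dll"
    r"|ImageSigned=true|DllSigned=true",
    # Host in temp loading a system DLL from System32: different directory, benign.
    r"Image=C:\Users\alice\AppData\Local\Temp\build\VendorHelperHost.exe"
    r"|ImageLoaded=C:\Windows\System32\kernel32.dll"
    r"|ImageSigned=true|DllSigned=true",
    # Unsigned host loading an unsigned DLL: outside this heuristic's scope.
    r"Image=C:\Users\alice\tool.exe|ImageLoaded=C:\Users\alice\plugin.dll"
    r"|ImageSigned=false|DllSigned=false",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"side-load candidate: {hit.image} -> {hit.image_loaded}")
```

The heuristic deliberately requires the host to be signed: the value of side-loading to an attacker is precisely that a trusted, signed binary does the loading, so an unsigned host is better covered by ordinary unknown-binary alerts. In a real deployment the signature fields would come from the EDR or from Sysmon Event ID 7 enrichment rather than from the log line itself.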
After the initial compromise, a number of tools are deployed, many of them based on software publicly available on Chinese programming portals. One of these is a Trojan that abuses Microsoft accessibility features to obtain SYSTEM access by trojanizing the Narrator executable.
The attackers used memory injection so that the main backdoor binary never touches disk, and the payload is encoded at runtime to hinder detection. The loader's configuration is stored in plain text, but the URL it contains is not the true C&C address; it instead points to a remote file that holds the C&C communication details.
While the threat actors have used the same PcShare payload across multiple attacks, they often modified the side-loaded DLL for each target to update the configuration details, including the C&C IP addresses and victim identifiers.
The malware establishes persistence by adding a registry entry and creates mutexes so that only one instance of the payload injection routine runs at a time.
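Registry-based persistence of the kind mentioned above is something defenders can audit directly. The following is an added example written for this article, not code from BlackBerry Cylance or from the report: it walks a list of autostart (Run-key style) entries and flags commands whose executable lives in a user-writable location, or that use a DLL host such as rundll32.exe to load a DLL from one. All entry names, paths and file names below are constructed placeholders.

```python
"""Audit of autostart entries for persistence that runs from user-writable paths.

Two heuristics:
  1. the command's executable sits under a user-writable root, or
  2. the executable is a DLL host (rundll32/regsvr32) whose DLL argument sits
     under a user-writable root.
"""
from pathlib import PureWindowsPath

# Roots a standard user (or any process with user rights) can write to.
USER_WRITABLE_ROOTS = (r"C:\Users", r"C:\ProgramData", r"C:\Windows\Temp")
# Legitimate Windows binaries that load an arbitrary DLL given on the command line.
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}


def _under(path: str, roots) -> bool:
    """Case-insensitive check that 'path' sits below one of 'roots'."""
    p = path.lower().rstrip("\\")
    return any(p == r.lower() or p.startswith(r.lower() + "\\") for r in roots)


def split_command(command: str):
    """Split a Windows command string into (executable, [args]), honouring a quoted executable."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end != -1 else command[1:]
        rest = command[end + 1:] if end != -1 else ""
    else:
        exe, _, rest = command.partition(" ")
    return exe, rest.split()


def suspicious_reason(command: str):
    """Return a human-readable reason if the command looks suspicious, else None."""
    exe, args = split_command(command)
    if _under(exe, USER_WRITABLE_ROOTS):
        return f"executable in user-writable path: {exe}"
    exe_name = PureWindowsPath(exe).name.lower()
    if exe_name in DLL_HOSTS:
        for arg in args:
            # rundll32 takes 'path\to.dll,ExportName'; strip the export part.
            candidate = arg.strip('"').split(",", 1)[0]
            if candidate.lower().endswith(".dll") and _under(candidate, USER_WRITABLE_ROOTS):
                return f"{exe_name} loading DLL from user-writable path: {candidate}"
    return None


def audit(entries):
    """Return [(entry_name, reason)] for every suspicious (name, command) pair."""
    findings = []
    for name, command in entries:
        reason = suspicious_reason(command)
        if reason:
            findings.append((name, reason))
    return findings


# Constructed sample autostart entries (placeholder names and paths, not real IoCs).
SAMPLE_ENTRIES = [
    ("Updater", r'"C:\Program Files\Vendor\Updater.exe" /silent'),
    ("Helper", r'"C:\Users\alice\AppData\Roaming\svc\VendorHelperHost.exe"'),
    ("Init", r"rundll32.exe C:\ProgramData\cache\helper.dll,Start"),
    ("Shell", r"C:\Windows\System32\example.exe"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_ENTRIES):
        print(f"{name}: {reason}")
```

On a live host the entries would be read from the HKLM and HKCU Run keys (and the other autostart locations) rather than from a list; the heuristic is intentionally path-based so it catches a side-loaded host copied into a temp or profile directory regardless of the file names the operators chose for a given target.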
Backdoor features include distinct operating modes (such as SSH and Telnet, automatic update, and upload and download modes), traffic compression using a custom LZW algorithm, encrypted C&C communication using the PolarSSL library, and proxy authentication using local user credentials.
The malware's remote management capabilities include listing, creating, renaming and deleting files and directories; listing and killing processes; editing registry keys and values; listing and manipulating services; enumerating and controlling windows; running binaries; uploading additional files to the C&C or to a URL; uploading files to the C&C; spawning a command-line shell; displaying message boxes; and viewing URLs.
The fake Narrator app used by the threat actor does not attempt to replace the legitimate app; instead it creates a copy that mimics Narrator's user interface. The trojanized application is deployed after the attackers have obtained administrative rights on the system, and it provides them with SYSTEM-level access to the computer.
The fake Narrator app was first seen four years ago, but the threat actor continues to modify it to ensure it suits the victims' environment, the researchers say. The tool appears to have been used in only a very small number of attacks.
BlackBerry Cylance believes the actor is of Chinese origin, based on the use of Chinese open-source projects and the geographical location of the victims.
“As of today, precise attribution of these attacks has proven elusive. The use of PcShare backdoor, as well as the geographical location of the victims, bear similarities to a known threat actor called Tropic Trooper, which is actively targeting government institutions and heavy industry companies in Taiwan and Philippines,” BlackBerry Cylance says.
Source: HackerCombat