‘Narrator’ Windows Utility Trojanized to Gain Full System Control

narrator pcbackdoor nvidia campaign

An active APT campaign aimed at tech companies is underway, which also uses a legitimate NVIDIA graphics function.

A suspected Chinese advanced persistent threat (APT) group has been spotted attacking tech companies using a trojanized screen-reader application, replacing the built-in Narrator “Ease of Access” feature in Windows.

According to BlackBerry Cylance, the attackers also deploy a version of the open-source malware known as the PcShare backdoor to gain an initial foothold into victims’ systems.

Using the two tools, the adversaries are able to surreptitiously control Windows machines via remote desktop logon screens, without the need for credentials.

The attacks begin by delivering the PcShare backdoor to victims via spearphishing campaigns. It has been modified and designed to operate when side-loaded by a legitimate NVIDIA application.

It is “specifically tailored to the needs of the campaign, with additional command-and-control (C2) encryption and proxy bypass functionality, and any unused functionality removed from the code,” explained researchers with BlackBerry Cylance, in an analysis posted on Wednesday. The unused functionality includes audio/video streaming and keyboard monitoring, suggesting that it’s strictly being used to install other malware.

Interestingly, it arrives with a bespoke loader that uses the aforementioned DLL sideloading technique.

“The DLL is side-loaded by the legitimate NVIDIA Smart Maximise Helper Host application (part of NVIDIA GPU graphics driver), instead of the original NvSmartMax.dll that the program normally uses,” said the firm. “Its main responsibility is to decrypt and load the encoded payload stored either in its .data section, or in a separate DAT file.”

The PcShare’s use of the legitimate application allows the attack takes on additional levels of stealthiness, said researchers.

“The use of DLL side-loading technique together with a bespoke loader utilizing memory injection ensures that the main backdoor binary is never dropped to the disk,” the researchers explained. “A simple but effective anti-sandboxing technique of payload-encoding based on execution path is also implemented to avoid detection.”

Further, the C2 infrastructure is also obfuscated; while the URL that the malware beacons to is delivered in plain text, the address actually points to a remote file containing the actual details of how to communicate with the C2.

“This allows the attackers to easily change the preferred C2 address, decide the timing of the communication, and – by applying server-side filtering – restrict revealing the real address to requests coming from specific regions or at specific times,” said researchers.

After gaining access to the victim’s machine, the attackers then deploy a range of post-exploitation tools, many of them based on publicly available code often found on Chinese programming portals, according to researchers. One of these is a bespoke trojan, Fake Narrator, that abuses Microsoft Accessibility Features to gain SYSTEM-level access on the compromised machine.

Once the attackers have obtained administrative privileges in the victim’s system, the next order of business is to replace Narrator.exe with a trojanized version, which will give the attacker the ability to run any program with system privileges.

The Narrator executable is a Windows utility that reads the text on the screen aloud for the visually impaired. It can be invoked on the login screen with a keyboard shortcut, which provides permanent system-level access.

“Once the Fake Narrator is enabled at the logon screen via ‘Ease of Access’, the malware will be executed by winlogon.exe with SYSTEM privileges,” explained the researchers.

Upon execution, the trojanized fake Narrator will first run the original legitimate Narrator, then register a window class (“NARRATOR”) and create a window (“Narrator”).

“The window procedure creates a dialog with an edit control and a button called ‘r,’ while a separate thread constantly monitors keyboard strokes,” researchers explained. “If the malware detects that a specific password has been typed (hardcoded in the binary as ‘showmememe’ string), it will display the previously created dialog. This will allow the attacker to specify the command, or the path to a file to execute via an edit control.”

Typing the attacker’s defined password will allow the attacker to spawn any executable, also running under the SYSTEM account, at the logon screen. Researchers explained that this technique ultimately allows a malicious actor to maintain a persistent shell on a system without requiring valid credentials.

“This binary is quite novel …[in that] it spawns a copy of the original Narrator.exe and draws a hidden overlapped window, where it waits to capture specific key combinations known only to the attacker,” researchers explained. “When the correct passphrase has been typed, the malware will display a dialog that allows the attacker to specify the path to a file to execute.”

So far, the attacks have hit tech companies in the Southeast Asia area, according to BlackBerry Cylance telemetry. As for who’s behind them, precise attribution of these attacks has proven elusive.

“The use of PcShare backdoor, as well as the geographical location of the victims, bear similarities to a known threat actor called Tropic Trooper, which is actively targeting government institutions and heavy industry companies in Taiwan and Philippines,” the researchers said.

Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don’t miss our free Threatpost webinar, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. Click here to register.

Suggested articles