Chinese hackers are replacing the legitimate Narrator app on targeted Windows systems with a trojanized version that gives them remote access as SYSTEM, the most powerful account on the operating system.

The Narrator app is part of the 'Ease of Access' set of programs in Windows, which users can launch from the logon screen before authenticating. Other accessibility programs include the On-Screen Keyboard, Magnifier, Display Switcher, and App Switcher.

These programs inherit the privileges of the executable that launches them, 'winlogon.exe', the logon process, which runs as SYSTEM.

Adversaries who already hold administrative access on a system can tamper with these programs so that they spawn a Command Prompt (cmd.exe) running as SYSTEM on the Remote Desktop login screen, before any credentials have been entered.

New approach for old technique

While this type of attack is not new, the Chinese hackers have a new approach, security researchers from BlackBerry Cylance say in a report today.

Most malware abusing accessibility features tries to replicate the Narrator interface and does a poor job of it. In this attack, the fake Narrator instead takes the place of the legitimate program and launches the real one, while displaying a hidden, overlapping window that waits for a specific sequence of keystrokes.

"When the correct passphrase has been typed the malware will display a dialog that allows the attacker to specify the path to a file to execute." - Cylance

According to the researchers, the hidden window becomes visible when the right passphrase, hardcoded in the malware as 'showmememe', is typed. This is how the attacker runs commands or executables as SYSTEM.
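The behaviours described above (a swapped Narrator binary, and a hidden window that turns it into a SYSTEM-level launcher) leave traces in process-creation telemetry. The following Python is an added example, not code from the article or the Cylance report: it runs three heuristics over a handful of constructed Sysmon Event ID 1 records. The hash baseline, file paths, user names and hash values are made up for the demonstration; a real deployment would take the baseline from a clean reference image.

```python
"""Heuristics for accessibility-binary abuse at the Windows logon screen.

Added example, not code from the article or the Cylance report. Runs over a
few constructed Sysmon Event ID 1 (process creation) records embedded below.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ntpath

# Ease of Access programs that winlogon.exe launches from the logon screen.
# sethc.exe and utilman.exe are not named in the article but are started the same way.
ACCESSIBILITY_BINARIES = {
    "narrator.exe", "osk.exe", "magnify.exe", "displayswitch.exe", "atbroker.exe",
    "sethc.exe", "utilman.exe",
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed baseline: stands in for the SHA256 of the signed Microsoft binary
# on the monitored build. Take real values from a clean reference image.
BASELINE_SHA256: Dict[str, str] = {
    "narrator.exe": "0123456789abcdef" * 4,
}


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    image: str
    parent: str


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _sha256(hashes_field: str) -> Optional[str]:
    """Sysmon writes hashes as 'SHA1=...,MD5=...,SHA256=...' in one field."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def check_event(ev: Dict[str, str]) -> List[Alert]:
    alerts: List[Alert] = []
    image, parent = _name(ev["Image"]), _name(ev["ParentImage"])
    is_system = ev.get("User", "").upper() == "NT AUTHORITY\\SYSTEM"

    if parent in ACCESSIBILITY_BINARIES:
        # Rule 1: an accessibility binary spawning a shell. The trojanized Narrator
        # does exactly this once the passphrase has been typed.
        if image in SHELLS:
            alerts.append(Alert("high", "accessibility-binary-spawned-shell", image, parent))
        # Rule 2: running as SYSTEM and launching something outside System32, i.e.
        # the "path to a file to execute" dialog pointed at a dropped payload.
        elif is_system and not ev["Image"].lower().startswith(SYSTEM32):
            alerts.append(Alert("high", "accessibility-binary-spawned-non-system32", image, parent))

    # Rule 3: winlogon.exe launched an accessibility binary whose hash is not the
    # baseline. This is the only rule of the three that catches the swapped file
    # before the attacker ever types the passphrase.
    if parent == "winlogon.exe" and image in BASELINE_SHA256:
        if _sha256(ev.get("Hashes", "")) != BASELINE_SHA256[image]:
            alerts.append(Alert("high", "accessibility-binary-hash-mismatch", image, parent))
    return alerts


def analyze(events: List[Dict[str, str]]) -> List[Alert]:
    return [alert for ev in events for alert in check_event(ev)]


# Constructed sample telemetry (not real logs).
GOOD_HASH = "SHA256=" + BASELINE_SHA256["narrator.exe"]
WINLOGON = "C:\\Windows\\System32\\winlogon.exe"
NARRATOR = "C:\\Windows\\System32\\Narrator.exe"
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Genuine Narrator started from the logon screen: no alert.
    {"ParentImage": WINLOGON, "Image": NARRATOR, "User": SYSTEM_USER, "Hashes": GOOD_HASH},
    # Same path and parent, but the file has been replaced: rule 3.
    {"ParentImage": WINLOGON, "Image": NARRATOR, "User": SYSTEM_USER, "Hashes": "SHA256=" + "b" * 64},
    # The fake Narrator spawning a shell after the passphrase: rule 1.
    {"ParentImage": NARRATOR, "Image": "C:\\Windows\\System32\\cmd.exe", "User": SYSTEM_USER, "Hashes": "SHA256=" + "c" * 64},
    # The fake Narrator launching a dropped second stage: rule 2.
    {"ParentImage": NARRATOR, "Image": "C:\\Users\\Public\\stage2.exe", "User": SYSTEM_USER, "Hashes": "SHA256=" + "d" * 64},
    # A logged-on user opening Narrator from the desktop: no alert.
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": NARRATOR, "User": "CORP\\alice", "Hashes": GOOD_HASH},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Rules 1 and 2 only fire after the attacker has used the hidden window; rule 3 is the one worth running continuously, because a replaced Narrator looks exactly like the real one to a parent/child rule until the passphrase is typed.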

Getting initial access

To get the fake Narrator running on the remote desktop login screen the hackers first compromise the system with a custom version of the open-source PcShare backdoor.

They rely on DLL side-loading, memory injection, and misdirection tactics to ensure a stealthy operation.

Getting the backdoor on the target system is done with the help of the legitimate “NVIDIA Smart Maximise Helper Host” application, which is part of the NVIDIA graphics drivers.

The program is used to side-load the malicious DLL, which XOR-decodes the backdoor payload, loads it into the memory of 'rundll32.exe', and executes it.
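When an analyst carves an XOR-encoded blob like this out of a sample, the key is usually not known up front. The following Python is an added example, not code from the article or the Cylance report: it recovers a repeating-key XOR key from the fixed bytes of a PE file's DOS header and then decodes the payload. The 7-byte key, its length and the fake PE image are constructed for the demonstration; the page does not say what key or key length the real DLL uses, and the technique is general rather than specific to PcShare.

```python
"""Recover a repeating-key XOR key from an XOR-encoded PE payload.

Added example, not code from the report: the article only says the side-loaded
DLL XOR-decodes the backdoor before injecting it into rundll32.exe. The key,
its length and the payload below are constructed; the known-plaintext technique
(fixed DOS-header bytes) is general.
"""
import struct
from typing import Optional

E_RES2_OFFSET, E_RES2_LEN = 0x28, 20   # reserved field, zero in normally linked binaries
E_LFANEW_OFFSET = 0x3C


def xor_repeating(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_fake_pe(stub_len: int = 0x80) -> bytes:
    """A DOS header with typical field values, a 'PE\\0\\0' signature at e_lfanew,
    and arbitrary filler standing in for the rest of the image (constructed)."""
    hdr = bytearray(stub_len)
    hdr[0:2] = b"MZ"
    struct.pack_into("<HHHH", hdr, 0x02, 0x90, 0x03, 0x00, 0x04)  # e_cblp, e_cp, e_crlc, e_cparhdr
    struct.pack_into("<HH", hdr, 0x0A, 0x0000, 0xFFFF)           # e_minalloc, e_maxalloc
    struct.pack_into("<H", hdr, 0x10, 0x00B8)                     # e_sp
    struct.pack_into("<H", hdr, 0x18, 0x0040)                     # e_lfarlc
    struct.pack_into("<I", hdr, E_LFANEW_OFFSET, stub_len)        # e_lfanew
    # 0x1C..0x3B (e_res, e_oemid, e_oeminfo, e_res2) stay zero, as in real files
    return bytes(hdr) + b"PE\0\0" + bytes(range(256)) * 2


def recover_key(ct: bytes, max_key_len: int = E_RES2_LEN) -> Optional[bytes]:
    """Known-plaintext attack: XOR of a zero byte is the key byte itself, so the
    ciphertext over e_res2 exposes 20 consecutive key-stream bytes, enough to
    fill every position of a key up to 20 bytes long. Each candidate length is
    confirmed against 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew; the shortest
    consistent key is returned."""
    if len(ct) < E_LFANEW_OFFSET + 4:
        return None
    for key_len in range(1, min(max_key_len, E_RES2_LEN) + 1):
        key = bytearray(key_len)
        for i in range(E_RES2_LEN):
            key[(E_RES2_OFFSET + i) % key_len] = ct[E_RES2_OFFSET + i]
        pt = xor_repeating(ct, bytes(key))
        if pt[:2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", pt, E_LFANEW_OFFSET)[0]
        if e_lfanew + 4 <= len(pt) and pt[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return bytes(key)
    return None


def decode(ct: bytes) -> Optional[bytes]:
    key = recover_key(ct)
    return None if key is None else xor_repeating(ct, key)


# Constructed sample: a 7-byte key chosen for the example, not the real one.
SAMPLE_KEY = bytes.fromhex("5a17c3882e719f")
SAMPLE_ENCODED = xor_repeating(build_fake_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_ENCODED)
    print("recovered key:", key.hex() if key else None)
    decoded = decode(SAMPLE_ENCODED)
    print("decoded starts with:", decoded[:2] if decoded else None)
```

The second check matters: with the constructed key, candidate length 4 happens to reproduce 'MZ' at offset 0 (the key bytes read from offsets 56 through 59 coincide with the first four bytes of the real key), and only the garbage e_lfanew it produces rules it out. Keys longer than 20 bytes need additional known plaintext, such as the zero-padded fields of the optional header or the standard DOS stub text.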

When analyzing the backdoor, the researchers found that it differed from the public version hosted on GitHub. Some of the original functionality was removed, most likely to drop features the operators did not need and to reduce the footprint.

Stripped capabilities include audio/video streaming and keyboard monitoring, which Cylance believes is an indication that the purpose of the malware was to gain an initial foothold and help retrieve and install next-stage exploitation tools.

The list of remote administration features the researchers discovered includes the following:

List, create, rename, delete files and directories

List and kill processes

Edit registry keys and values

List and manipulate services

Enumerate and control windows

Execute binaries

Download additional files from the C&C or provided URL

Upload files to the C&C

Spawn command-line shell

Navigate to URLs

Display message boxes

Reboot or shut down the system

Apart from these, the custom PcShare embeds an SSH server and a Telnet server, a self-update mode, and the file download and upload options listed above.

Furthermore, the developers implemented their own version of the LZW algorithm for traffic compression and statically linked the PolarSSL library (now mbed TLS) to encrypt communication with the command and control (C2) server.

To protect the C2 infrastructure, the backdoor ships with a plaintext configuration file that does not hold the real C2 address. Instead, it points to a remote file from which the details for reaching the actual C2 are fetched, a pattern commonly called a dead drop resolver.

"This allows the attackers to easily change the preferred C&C address, decide the timing of the communication, and – by applying server-side filtering – restrict revealing the real address to requests coming from specific regions or at specific times." - Cylance

Cylance suspects that these attacks are the work of a Chinese advanced threat group known as Tropic Trooper or KeyBoy, which has been targeting government institutions and heavy industry companies in Taiwan and the Philippines.

Although precise attribution is not possible based on the evidence at hand, the victims, their geographic location, and the use of PcShare point to this adversary. These attacks were directed at technology companies in South-East Asia.