An unknown hacking group, suspected to originate from China, has been found launching a large-scale global attack that uses a Trojanized version of the Windows Narrator service to deliver the PcShare malware. This is particularly dangerous because the ongoing campaign targets technology companies and enterprise networks. The attack works by replacing the legitimate Windows service, which is part of the Accessibility suite, with a malicious copy.
Infected Narrator Windows Service With The PcShare Trojan Launched Globally
A security report indicates that an unknown hacking collective, presumably from China, is launching a dangerous malware called the PcShare Trojan that is set to infect networks around the world. According to the researchers who discovered the threat, the malware uses the unusual tactic of replacing a legitimate Windows service called Narrator, the operating system's main screen-reading application.
The PcShare Trojan's intrusion mechanism is to infect the intended hosts and then replace the legitimate Narrator service with a malicious version. The Trojan is distributed mainly via email phishing campaigns: the intended victims receive messages designed to imitate the regular messages sent to them by well-known companies or services. An alternative is to fake those companies' home pages, landing pages or login prompts and host them on similar-sounding domain names. Such sites can also carry security certificates that are faked, stolen or self-signed, to make visitors believe they are visiting a safe site.
Interestingly, the PcShare Trojan loader is delivered through a side-loaded legitimate NVIDIA DLL that is part of the graphics card driver for Windows. Its purpose is to decrypt and start the malicious payload, which is the second stage of the Trojan. Because this is done via memory injection, the actual binary file is never dropped on the victim's hard drive. This runs in parallel with an anti-sandboxing technique designed to bypass or entirely remove the installed security products and services, mainly applications such as anti-virus programs, sandbox environments, firewalls and intrusion detection systems.
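One defender-side check for the two mechanisms described above (a replaced Narrator binary and a vendor-signed DLL side-loaded into it), as an added example that is not the report's or the researchers' own code: it verifies the Authenticode signatures of Narrator.exe and the other Accessibility suite binaries (a generalisation beyond the one binary the article names) and lists modules inside a running Narrator process that are not Microsoft-signed. It assumes Windows 10 or later with PowerShell 5.1 and an elevated prompt; the binary list beyond Narrator.exe is my own assumption.

```powershell
# Added example (not from the report or its researchers): a defender's
# integrity check for the Windows accessibility binaries the article
# describes, plus a side-loading check on any running Narrator process.
# Assumes Windows 10+ with PowerShell 5.1, run from an elevated prompt.

$sys32 = Join-Path $env:SystemRoot 'System32'
# Narrator.exe is the binary the article names; the rest of the Accessibility
# suite is checked on the same reasoning (an assumption, not from the report).
$accessibilityBinaries = 'Narrator.exe', 'sethc.exe', 'utilman.exe', 'osk.exe',
                         'Magnify.exe', 'DisplaySwitch.exe', 'AtBroker.exe'

function Test-MicrosoftSigned {
    param([string]$Path)
    # On Windows 10+ Get-AuthenticodeSignature also validates catalog-signed OS
    # files (SignatureType = Catalog). A swapped-in binary fails the status
    # check, the signer check, or both; a signer match alone is only a first filter.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Type   = $sig.SignatureType
        Signer = $signer
        Ok     = ($sig.Status -eq 'Valid' -and
                  $signer -match 'CN=Microsoft (Windows|Corporation)')
    }
}

# 1. Has any accessibility binary on disk been replaced?
$onDisk = foreach ($name in $accessibilityBinaries) {
    $p = Join-Path $sys32 $name
    if (Test-Path $p) { Test-MicrosoftSigned $p }
}
$onDisk | Where-Object { -not $_.Ok } |
    Format-Table Path, Status, Type, Signer -AutoSize

# 2. Side-loading check: list modules in a live Narrator process that are not
#    Microsoft-signed (the report's loader is a legitimate, vendor-signed
#    NVIDIA DLL, so it would appear here for review rather than be verdicted).
Get-Process -Name Narrator -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try { $mods = $proc.Modules } catch { Write-Warning "PID $($proc.Id): $_"; return }
    $mods | ForEach-Object {
        $m = Test-MicrosoftSigned $_.FileName
        if (-not $m.Ok) {
            [pscustomobject]@{ PID = $proc.Id; Module = $_.FileName
                               Status = $m.Status; Signer = $m.Signer }
        }
    }
} | Format-Table -AutoSize
```

Anything listed by either check is a lead to investigate against a known-good baseline, not a verdict, since a legitimate security product may also hook Narrator with its own signed DLL.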
PcShare Trojan Capabilities
As soon as the Trojan is initiated on the victim system, it runs numerous malware modules. Most of them are based on open-source malware that has been modified for the attack campaign. The main Trojan establishes a secure connection to a hacker-controlled server, allowing the criminals to take control of the impacted machines. This also allows them to steal valuable data and information and to install other threats.
When the legitimate Narrator service is replaced with the malicious one, it gains administrative privileges, allowing it to access all important system sections. The PcShare Trojan and the deployed malicious modules include a keylogger that actively monitors the user's keyboard input for potential credentials such as passwords. If such strings are detected, they are forwarded to the criminals.