PcShare Backdoor Attacks Targeting Windows Users with FakeNarrator Malware

Introduction

Over the course of the last two years, BlackBerry Cylance researchers uncovered a suspected Chinese advanced persistent threat (APT) group conducting attacks against technology companies located in south-east Asia. 

The threat actors deployed a version of the open-source PcShare backdoor modified and designed to operate when side-loaded by a legitimate NVIDIA application. 

The attackers also deploy a Trojanized screen reader application, replacing the built-in Narrator “Ease of Access” feature in Windows. This backdoor allows them to surreptitiously control systems via remote desktop logon screens without the need for credentials.

This report outlines the public-domain malware samples related to this threat actor. It includes insight into the malicious use of Narrator.exe and modifications to the PcShare backdoor.

Our research will benefit security-minded professionals by detailing the evolving tactics, techniques, and procedures (TTPs) of a capable threat actor. For CISOs, familiarizing yourself with how the threat landscape is changing will better position you to protect your organization.

Analysis

The attackers use a modified version of a Chinese open-source backdoor called PcShare as their main foothold on the victim's machine. The backdoor is specifically tailored to the needs of the campaign, with additional command-and-control (C&C) encryption and proxy bypass functionality, and with unused functionality removed from the code. It arrives with a bespoke loader that relies on DLL side-loading.

After gaining access to the victim's machine, the attackers deploy a range of post-exploitation tools, many of them based on publicly available code often found on Chinese programming portals. One of these tools stood out: a bespoke Trojan that abuses Microsoft Accessibility Features to gain SYSTEM-level access on the compromised machine in a way similar to the infamous "Sticky Keys" attack. In this case, instead of replacing the usual sethc.exe or utilman.exe binaries, the attackers chose to Trojanize the Narrator executable, a Windows utility that reads aloud the text on the screen and can be invoked on the logon screen with a keyboard shortcut. The use of Fake Narrator to gain SYSTEM-level access to the victim's machine suggests the attackers are interested in maintaining a long-term foothold.

The campaign is characterized by a fair level of stealth, as the threat actor made a concerted effort to avoid detection. DLL side-loading combined with a bespoke loader that injects the payload into memory ensures that the main backdoor binary is never written to disk. A simple but effective anti-sandboxing measure, encoding the payload with a key derived from the execution path, is also implemented. The C&C infrastructure is protected by a level of indirection: the configuration supplied by the loader is stored in plain text, but the URL it contains is not the real C&C address. It instead points to a remote file that provides the actual details to be used for C&C communication. This allows the attackers to change the preferred C&C address easily, decide the timing of the communication and, by applying server-side filtering, reveal the real address only to requests coming from specific regions or at specific times.

As of today, precise attribution of these attacks has proven elusive. The use of the PcShare backdoor, as well as the geographical location of the victims, bears similarities to a known threat actor called Tropic Trooper, which actively targets government institutions and heavy industry companies in Taiwan and the Philippines.

PcShare loader

SHA256: c5226bfd53d789a895559e8bcbedc4ecdde543e54a427b1cb4e5d7ef90756daa
Classification: Malware/Backdoor
Size: 424 KB (434,176 bytes)
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Filename: NvSmartMax.dll
Timestamp: 2017-10-20 07:08:10

SHA256: 1899b3d59a9dc693d45410965c40c464224160bbef596f51d35fda099d609744
Classification: Malware/Backdoor
Size: 424 KB (434,176 bytes)
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Filename: NvSmartMax.dll
Timestamp: 2017-09-28 09:01:58


Overview

The DLL is side-loaded[1] by the legitimate “NVIDIA Smart Maximise Helper Host” application (part of NVIDIA GPU graphics driver) instead of the original NvSmartMax.dll that the program normally uses. Its main responsibility is to decrypt and load the encoded payload stored either in its .data section, or in a separate DAT file:

Figure 1: Loader overview

The threat actor has been observed using the same PcShare payload across attacks on multiple organizations. However, the side-loaded DLL is often modified per target (seemingly without recompiling) to update configuration details such as C&C IP addresses and victim identifiers.

FEATURES

  • DLL sideloading using a choice of files tailored to the victim’s environment
  • Embedded plain text configuration 
  • Simple anti-sandboxing measure
  • Payload encoded with one-byte XOR
  • Payload injected to memory without being dropped to the disk

BEHAVIOR

While the DllMain function of the PcShare loader is empty, the library exports three functions. NvSmartMaxUseDynamicDeviceGrids contains the routine that decrypts and executes the payload, NvSmartMaxNotifyAppHWND is responsible for invoking that routine in the context of a separate process, and the third, GetContainingRect, plays no part in the malicious activity but is required by the legitimate application.

Once the malicious NvSmartMaxNotifyAppHWND export is called, it will:

  • Create a mutex with a hardcoded GUID-like name
  • Rename the original legitimate EXE file by appending the suffix “Ex” prior to the extension
  • Set persistence in the registry by adding an “NvSmart” entry (with the path pointing to the copy of legitimate file) to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key

The decoding routine is then invoked in the context of a separate rundll32.exe process, created with the CreateProcess API and the following command line (where %s is the path of the malicious DLL):

rundll32.exe %s ,NvSmartMaxUseDynamicDeviceGrids


Figure 2: rundll32.exe used to launch the decryption routine

To ensure just one instance of the payload injection routine is running, the NvSmartMaxUseDynamicDeviceGrids function will create another GUID-like mutex before proceeding to decrypt and execute the payload.

Decoding is XOR-based, and the initial one-byte XOR key is computed from the current process path. This doubles as an anti-analysis measure: the correct key is only produced when the DLL is hosted by rundll32.exe, so a sandbox that loads the library under a different process (or runs it from a different path) decodes garbage instead of the payload:


Figure 3: Key calculation (based on executable path) and payload decryption

The XOR decoding routine can be translated into C/C++ code as follows:



Figure 4: Pseudo-code for payload decryption
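As an added illustration, not the loader's own routine (which the original report shows only in Figures 3 and 4), the Python below shows the shape of path-keyed one-byte XOR decoding and, going one step beyond the text, how an analyst recovers the key without having to reproduce the attacker's host process. key_from_path is a hypothetical stand-in for the loader's derivation, and PAYLOAD is constructed from null padding around strings the report lists as present in the decoded module (PcMain.dll, Vip20101125, WorkMainF).

```python
"""
Added example: one-byte XOR payload decoding keyed on the hosting process path,
plus key recovery when that path is unknown. Illustrative code written for this
write-up, not the loader's routine; key_from_path() is a hypothetical derivation
and PAYLOAD is constructed.
"""
import ntpath

RUNDLL32_PATH = r"C:\Windows\System32\rundll32.exe"
SANDBOX_PATH = r"C:\Users\analyst\Desktop\sample.exe"   # typical sandbox harness path

# Strings that survive in the decoded PcShare payload and serve as known plaintext
# (the internal DLL name and its two exports, as listed in the report).
KNOWN_PLAINTEXT = (b"PcMain.dll", b"Vip20101125", b"WorkMainF")

# Constructed stand-in for the encoded blob: null padding, as PE sections have,
# around the strings above.
PAYLOAD = b"\x00" * 64 + b"\x00".join(KNOWN_PLAINTEXT) + b"\x00" * 32


def key_from_path(path: str) -> int:
    """Hypothetical key derivation: fold the lowercase image name into one byte.
    The real loader derives its key from the process path differently; what
    matters is that a different host path yields a different key, which is
    what defeats sandboxes that run the DLL under another process."""
    key = 0
    for byte in ntpath.basename(path).lower().encode():
        key = (key * 31 + byte) & 0xFF
    return key


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def decode_as_process(data: bytes, process_path: str) -> bytes:
    """What the loader does: derive the key from its own host path, then decode."""
    return xor_decode(data, key_from_path(process_path))


def recover_key(data: bytes, markers=KNOWN_PLAINTEXT):
    """Analyst side: brute-force all 256 keys and accept the one under which
    every known-plaintext marker appears. Returns None if no key fits."""
    for key in range(256):
        candidate = xor_decode(data, key)
        if all(marker in candidate for marker in markers):
            return key
    return None


def guess_key_from_padding(data: bytes) -> int:
    """Fallback with no known plaintext: PE images are mostly null-padded, so the
    most frequent ciphertext byte is almost always 0x00 ^ key."""
    return max(range(256), key=data.count)


if __name__ == "__main__":
    encoded = xor_decode(PAYLOAD, key_from_path(RUNDLL32_PATH))
    print("decodes under rundll32.exe:", decode_as_process(encoded, RUNDLL32_PATH) == PAYLOAD)
    print("decodes under sandbox path:", decode_as_process(encoded, SANDBOX_PATH) == PAYLOAD)
    print("recovered key: 0x%02x, padding guess: 0x%02x"
          % (recover_key(encoded), guess_key_from_padding(encoded)))
```

Running the block, the payload decodes only under the rundll32.exe path; under any other host path, which is exactly what happens in a sandbox that loads the DLL from a harness, none of the marker strings appear. recover_key brute-forces the 256 candidates against known plaintext, and guess_key_from_padding exploits the null padding of PE images when no marker is known; both work regardless of how the loader derives its key, which is why a single-byte XOR scheme adds little beyond sandbox evasion.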

After decoding the payload, the malware will reflectively load it into memory of rundll32.exe and execute, passing a pointer to the hardcoded configuration as a parameter:


Figure 5: Hard-coded configuration

CONFIGURATION

Field | Value
Victim GUID (?) | 84314963-BE0E-43C9-A0BE-83B180361999
ServerPort | 443
Timeout | 0x3C (60)
Cmd | -
ServerAddr | 45.32.181.48
DdnsUrl | <redacted>
SoftVer | 1020
Group | <redacted>
Port | 0x50 (80)
HWnd | -
Id | -



PcShare Backdoor

SHA256: bd345155aa4baa392c3469b9893a4751c2372ae4923cf05872bcdc159b9596f8 (encrypted)
SHA256: 49b86ae6231d44dfc2ff4ad777ea544ae534eb40bd0209defffec1eb1fe66b34 (decrypted)
Classification: Malware/Backdoor
Aliases: PcClient, PcMain
Size: 296 KB (303,104 bytes)
Type: Binary (PE DLL without a header)
Filename: PcMain.dll (internal)
Timestamp: N/A


Overview

The payload is loaded into memory reflectively, so it never resides on disk in decrypted form. Although the file header is zeroed out, the binary is assumed to have originally been a PE DLL. The backdoor is based on a Chinese open-source remote access Trojan (RAT) called PcShare, which is available in multiple versions on GitHub[2]. Some functionality found in the original code is unimplemented, suggesting the attackers stripped unnecessary code to meet specific needs, limit the malicious footprint and make the binary smaller. The unimplemented features include audio/video streaming and keyboard monitoring, which suggests this backdoor was used to establish an early-stage foothold and was intended mainly to download and install other modules.

FEATURES

  • Different modes of operation, including SSH & Telnet server, self-update mode, file upload and download modes
  • Use of custom LZW algorithm implementation for traffic compression
  • Use of PolarSSL library to encrypt C&C communication (not present in the open source version)
  • Proxy authentication via local user credentials (not present in the open source version)
  • Several remote administration abilities:

o   List, create, rename, delete files and directories
o   List and kill processes
o   Edit registry keys and values
o   List and manipulate services
o   Enumerate and control windows
o   Execute binaries
o   Download additional files from the C&C or provided URL
o   Upload files to the C&C
o   Spawn command line shell
o   Navigate to URLs
o   Display message boxes
o   Reboot or shut down the system

BEHAVIOR

The internal name of the DLL is PcMain.dll. It exports two functions, Vip20101125 and WorkMainF. These strings correlate with the PcShare code available on GitHub:

 Figure 6: PcMain.dll exported functions (left), and PcShare source code on GitHub (right)

The main functionality of the malware is contained in the Vip20101125 export, which is invoked from inside DllMain. To connect to the C&C server, the backdoor first needs to obtain the real C&C address. It does so by reading the content of a remote file located at the URL specified in the loader-supplied configuration. The remote file is expected to be a simple plain-text file containing an IP address and a port number; if no port number is specified, the default port 80 is used. The malware then connects to the C&C over a TCP socket and sends a beacon containing compressed and encrypted system information:


Figure 7: Sending C&C beacon

In response, the C&C server is expected to send a command that will specify the requested backdoor connection mode. The received command is then dispatched to a handler:


Figure 8: Switch loop to handle connection mode command

There are several different backdoor modes in line with the original open source code, but some of the options have been removed. Below is a partial list of commands supported by CMyClientMain::GetCmdFromServer:


Figure 9: Backdoor modes


Figure 10: Portion of original CMyClientMain::GetCmdFromServer from PcMain/MyClientMain.cpp

The switch statement that implements the backdoor functionality is contained in the CMyMainTrans::StartWork function. Depending on the chosen connection mode and the OS version, SSH_MainThread will either call StartWork directly or load another instance of the backdoor DLL and call its WorkMainF export, supplying configuration values as parameters. In this particular variant the unpacked backdoor DLL is never dropped to disk, so the attackers are limited to the direct method of invoking the backdoor switch:


Figure 11: Executing WorkMainF with configuration parameters

The StartWork function initiates the processing of backdoor commands. The command parameters are first decrypted and decompressed using the backdoor's own implementation of the LZW algorithm, inside a function called PcUnZip:


Figure 12: Receive, unpack and dispatch command


Figure 13: Supported backdoor commands

C&C Communication

Unlike the GitHub version, this variant of PcShare can traverse proxies: it retrieves the system proxy configuration and authenticates to the proxy with the local user's credentials:


Figure 14: Proxy authentication using user-agent string from Chrome 47 (2015-12-01)

The backdoor binary embeds a statically linked copy of the PolarSSL library. All C&C communication is encrypted using the embedded RSA key and certificate and compressed with the backdoor's own LZW implementation:

Figure 15: PolarSSL certificate embedded in the payload


Figure 16: Polar SSL keys and certificates embedded in the payload

BACKDOOR MODES

The first command from the C&C server specifies the connection mode (note, parameters are sent separately):

Command | Code (hex / dec) | Function | Parameters | Comments
WM_CONNECT_FRAM | 0x1F41 / 8001 | SSH_FramThread | - | Start the backdoor command processing loop; the camera capture thread associated with this function in the GitHub code has been removed
WM_CONNECT_FILE | 0x1F42 / 8002 | SSH_MainThread | - | Start the backdoor command processing loop
WM_CONNECT_PROC | 0x1F43 / 8003 | SSH_MainThread | - | Start the backdoor command processing loop
WM_CONNECT_SERV | 0x1F44 / 8004 | SSH_MainThread | - | Start the backdoor command processing loop
WM_CONNECT_KEYM | 0x1F45 / 8005 | (unimplemented) | - | -
WM_CONNECT_MULT | 0x1F46 / 8006 | (unimplemented) | - | -
WM_CONNECT_TLNT | 0x1F47 / 8007 | SSH_TlntThread | - | Open a terminal connection to the C&C server and send basic system info; in a loop, read and execute shell commands sent by the C&C
WM_CONNECT_DL_FILE | 0x1F48 / 8008 | SSH_DlThread | FilePath | Read the content of the specified file and send it (compressed and encrypted) back to the C&C
WM_CONNECT_UPDA | 0x1F49 / 8009 | UpdateFile | BinaryData | Receive a file from the C&C, write it to a temp file and execute it using CreateProcess; then terminate self
WM_CONNECT_TURL | 0x1F4A / 8010 | SSH_TuRlThread | URL | Download and execute a file from the specified URL
WM_CONNECT_UPLO | 0x1F4B / 8011 | SSH_FileThread | BinaryData | Receive a PE EXE file from the C&C, write it to a temp file and execute it
WM_CONNECT_GDIP | 0x1F4C / 8012 | (unimplemented) | - | -
WM_CONNECT_QUER | 0x1F4D / 8013 | (unimplemented) | - | -
WM_CONNECT_REGT | 0x1F4E / 8014 | SSH_MainThread | - | Start the backdoor command processing loop
WM_CONNECT_CWND | 0x1F4F / 8015 | SSH_MainThread | - | Spawn a new instance of the backdoor DLL and invoke its WorkMainF export, which starts the backdoor command processing loop
WM_CONNECT_MESS | 0x1F50 / 8016 | SSH_MessThread | Type, Text | Display a message box with the specified text
WM_CONNECT_LINK | 0x1F51 / 8017 | SSH_LinkThread | ShowCmd, URL | Open the specified URL in Internet Explorer
WM_CONNECT_SOCKS | 0x1F52 / 8018 | - | - | -
WM_CONNECT_TWOO | 0x1F53 / 8019 | - | - | -
WM_CONNECT_FIND | 0x1F54 / 8020 | SSH_MainThread | - | Start the backdoor command processing loop
WM_CONNECT_CMD | 0x1F55 / 8021 | (unimplemented) | - | -
WM_CONNECT_VIDEO | 0x1F56 / 8022 | (unimplemented) | - | -
WM_CONNECT_AUDIO | 0x1F57 / 8023 | (unimplemented) | - | -
WM_CONNECT_UP_FILE | 0x1F58 / 8024 | SSH_UpThread | FilePath, BinaryData | Receive a file name from the C&C and write the received binary data to it
WM_CONNECT_GET_KEY | 0x1F59 / 8025 | (unimplemented) | - | -
WM_CONNECT_SOCKS_STOP | 0x1F5A / 8026 | SSH_StopSocksThread | - | Stop backdoor communication
WM_CONNECT_CLIENT_DOWN | 0x1F5B / 8027 | SSH_StopSocksThread | - | Stop backdoor communication
CLIENT_PRO_UNINSTALL | 0x7532 / 30002 | - | - | Return the "uninstall" flag
CLIENT_SYSTEM_RESTART | 0x7534 / 30004 | ShutDownSystem | - | Reboot the system
CLIENT_SYSTEM_SHUTDOWN | 0x7535 / 30005 | ShutDownSystem | - | Power off the system


BACKDOOR COMMANDS

The backdoor command processing thread is started in several of the operation modes listed above and is capable of processing the following commands:

Command | Code (hex / dec) | Parameters | Comments
GetDiskInfo | 0x6EB / 1771 | RootPath | Save information about the specified disk (disk name, drive type, volume information and free space) to a temp file
GetFileInfo | 0x6EC / 1772 | FilePath | Save the extended attributes of a file to a temp file
GetDirInfo | 0x6ED / 1773 | DirectoryPath | Save directory info (extended attributes of the directory, number of subdirectories, number of files and total file size) to a temp file
GetDirList | 0x6EE / 1774 | DirectoryPath | Save the list of file names found under the specified directory to a temp file
DeleteMyFile | 0x6EF / 1775 | FilePath | Delete the specified file(s)
CreateDir | 0x6F0 / 1776 | DirectoryPath | Create the specified directory
ReNameFile | 0x6F1 / 1777 | ExistingFileName, NewFileName | Move (rename) the specified file
GetDiskList | 0x6F2 / 1778 | - | Save information about all disks (disk name, drive type, volume information and free space) to a temp file
ExecFile | 0x6F3 / 1779 | FilePath | Execute the given application
KillOneProcess | 0x6F4 / 1780 | PID | Terminate the process with the given PID
MyRegEnumKey | 0x6F5 / 1781 | SubKey | Write the list of registry values stored under the given key to a temp file
MyRegDeleteKey | 0x6F6 / 1782 | SubKey | Delete the specified registry key
(unimplemented) | 0x6F7 / 1783 | - | -
MyRegDeleteValue | 0x6F8 / 1784 | SubKey, ValueName | Delete the specified registry value
MyRegEditValue | 0x6F9 / 1785 | SubKey, ValueName, Type, Data | Set the specified registry value
(unimplemented) | 0x6FA / 1786 | - | -
GetDownFileList | 0x6FB / 1787 | ListOfFiles | Save paths, attributes and sizes of the given files to a temp file
GetProcessList | 0x6FC / 1788 | - | Write the list of running processes to a temp file
EnumMyServices | 0x6FD / 1789 | - | Write the list of services (name, status, config) to a temp file
ControlMyServices | 0x6FE / 1790 | ServiceName, State | Either start or restart the specified service, depending on the second parameter
ConfigMyServices | 0x6FF / 1791 | ServiceName, StartType, DisplayName | Change the start type and display name of the given service
(unimplemented) | 0x700 / 1792 | - | -
DeleteMyServices | 0x701 / 1793 | ServiceName | Delete the specified service
GetFindFileList | 0x702 / 1794 | Path | Find the specified file or all files under the specified directory; save the file names together with their attributes to a temp file
MyEnumWindows | 0x703 / 1795 | - | Write the list of open windows (window text and module name) to a temp file
MyControlWindows | 0x704 / 1796 | hWnd, CmdShow | Either close or manipulate (show, hide, minimize, maximize) the given window


Fake Narrator

SHA256: 0022508fd02bb23c3a2c4f5de0906df506a2fcabc3e841365b60ba4dd8920e0c
Classification: Malware/Trojan
Aliases: N/A
Size: 220 KB (225,280 bytes)
Type: PE32+ executable (GUI) x86-64, for MS Windows
Filename: Narrator.exe
Timestamp: 2015-06-08 05:23:07
PDB path: C:\myWork\vc\Narrator_window_20150606v1.2\x64\Release\Narrator.pdb

Overview

Similar to the aforementioned "Sticky Keys" attack[3], this binary is designed to replace Narrator.exe, the legitimate screen-reader utility that ships with Windows. The technique lets a remote threat actor obtain an unauthenticated command prompt running with SYSTEM privileges from the remote desktop logon screen. To deploy the Trojanized Narrator, the attackers must first have obtained administrative privileges on the victim's system.

This binary is quite novel compared to previous malware that exploits accessibility features in Windows, in that it doesn’t attempt to replicate the Narrator user-interface (which is often imitated poorly). Instead, it spawns a copy of the original Narrator.exe and draws a hidden overlapped window[4], where it waits to capture specific key combinations known only to the attacker. When the correct passphrase has been typed the malware will display a dialog that allows the attacker to specify the path to a file to execute.

FEATURES

  • Replaces Narrator.exe, a legitimate Windows screen reader application
  • Requires attackers to obtain administrative privileges on the victim machine prior to deployment
  • Grants permanent SYSTEM-level access via the logon screen

BEHAVIOR

Upon execution, the Trojanized Fake Narrator will first run the original legitimate Narrator (previously renamed by the threat actor to NarratorMain.exe). The malware will then register a window class ("NARRATOR") and create a window (“Narrator”).

The window procedure creates a dialog with an edit control and a button called “r”, while a separate thread constantly monitors keyboard strokes. If the malware detects that a specific password has been typed (hardcoded in the binary as "showmememe" string), it will display the previously created dialog. This will allow the attacker to specify the command, or the path to a file to execute via an edit control. When the “r” button is pressed the malware will read the contents of the edit control and supply the text to a thread that will attempt to run the command via the system API:


Figure 17: Fake Narrator – Monitoring the keyboard for hardcoded password

Once the Fake Narrator is enabled at the logon screen via “Ease of Access”, the malware will be executed by winlogon.exe with SYSTEM privileges. Typing the attacker’s defined password will allow the attacker to spawn any executable, also running under the SYSTEM account, at the logon screen:


Figure 18: Fake Narrator running at RDP login prompt

This technique ultimately allows a malicious actor to maintain a persistent shell on a system without requiring valid credentials.
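As an added example that is not part of the original report, the following Python runs three detection checks over constructed Sysmon-style process-creation and registry events. It covers the loader behaviour described under "PcShare loader" (rundll32.exe invoking a non-system DLL by export name, and the "NvSmart" Run value) as well as the Fake Narrator chain above (Narrator.exe, started by winlogon.exe as SYSTEM, spawning NarratorMain.exe or an operator-chosen executable). The event schema, the sample file paths and the renamed helper's name hostEx.exe are assumptions made for the sample data, not artifacts from the report.

```python
"""
Added detection example for behaviours described in this report: the loader's
rundll32.exe invocation by export name and its "NvSmart" Run-key persistence,
and Fake Narrator launching processes as SYSTEM from the logon screen. The
rules and the Sysmon-style sample events are constructed for this write-up.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str             # "process" (process creation) or "registry" (value set)
    image: str = ""       # full path of the created process
    cmdline: str = ""
    parent: str = ""      # full path of the parent process
    user: str = ""
    key: str = ""         # registry events: key path
    value: str = ""       # registry events: value name


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"

# rundll32 <dll> ,<export>  - the loader leaves a space before the comma, so the
# pattern tolerates whitespace on either side of it and optional quoting.
RUNDLL32_EXPORT = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\w+)', re.I)


def image_name(path: str) -> str:
    """Lower-case file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_rundll32_export(ev: Event):
    """Flag rundll32.exe loading a DLL outside the system directories by an
    explicit export name, which is how the loader runs its decode routine."""
    if ev.kind != "process" or image_name(ev.image) != "rundll32.exe":
        return None
    m = RUNDLL32_EXPORT.search(ev.cmdline)
    if not m:
        return None
    dll = m.group("dll").strip().lower()
    if dll.startswith(SYSTEM_DIRS):
        return None  # control-panel style use of system DLLs via rundll32 is normal
    return f"rundll32 loading non-system DLL by export: {dll},{m.group('export')}"


def check_run_key(ev: Event):
    """Flag the Run value name the loader is reported to create."""
    if ev.kind != "registry" or not ev.key.lower().endswith(RUN_KEY_SUFFIX):
        return None
    if ev.value.lower() == "nvsmart":
        return f"Run-key persistence '{ev.value}' under {ev.key}"
    return None


def check_narrator_child(ev: Event):
    """Flag any process spawned by Narrator.exe. Fake Narrator launches the
    renamed original (NarratorMain.exe) and whatever the operator types; a
    Narrator.exe started by winlogon.exe at the logon screen is itself normal."""
    if ev.kind != "process" or image_name(ev.parent) != "narrator.exe":
        return None
    if image_name(ev.image) == "narratormain.exe":
        what = "renamed original Narrator"
    else:
        what = "child process"
    return f"Narrator.exe spawned {what} {ev.image} as {ev.user or 'unknown user'}"


CHECKS = (check_rundll32_export, check_run_key, check_narrator_child)


def run_detections(events):
    """Apply every check to every event and collect the alert strings."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry; paths and the helper name hostEx.exe are placeholders.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\rundll32.exe",
          cmdline=r"rundll32.exe C:\ProgramData\NvSmart\NvSmartMax.dll ,NvSmartMaxUseDynamicDeviceGrids",
          parent=r"C:\ProgramData\NvSmart\hostEx.exe", user="VICTIM\\user"),
    Event("process", image=r"C:\Windows\System32\rundll32.exe",          # benign
          cmdline=r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
          parent=r"C:\Windows\explorer.exe", user="VICTIM\\user"),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          value="NvSmart", user="VICTIM\\user"),
    Event("process", image=r"C:\Windows\System32\Narrator.exe",          # expected at logon
          parent=r"C:\Windows\System32\winlogon.exe", user="NT AUTHORITY\\SYSTEM"),
    Event("process", image=r"C:\Windows\System32\NarratorMain.exe",
          parent=r"C:\Windows\System32\Narrator.exe", user="NT AUTHORITY\\SYSTEM"),
    Event("process", image=r"C:\Windows\System32\cmd.exe", cmdline="cmd.exe",
          parent=r"C:\Windows\System32\Narrator.exe", user="NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

A legitimate Narrator.exe launched from the Ease of Access menu at the logon screen is expected and is deliberately not flagged; only its child processes are. On a live host the complementary checks are to verify the Authenticode signature of Narrator.exe, sethc.exe and utilman.exe in System32 and to look for a NarratorMain.exe, which should not exist there.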

Conclusions

The threat actor behind these attacks tends to modify and reuse publicly available code; this is true both for the foothold backdoor and for the majority of the post-exploitation tools they use. Such an approach requires significantly fewer resources and speeds up the development of an attack toolset. Moreover, open-source code is more difficult to attribute, as it can be adapted and used by anyone with Internet access and an appropriate compiler.

Despite a preference for open-source tools, the attacker doesn't shy away from building bespoke utilities as needed, like Fake Narrator. The development timeline of Fake Narrator samples shows the tool was introduced more than four years ago and is still being actively modified to better fit the victim's environment. The multi-year gap between subsequent versions suggests this particular tool is rather uncommon and used in a very limited number of cases.

The aim of the attackers is persistent exfiltration of sensitive data, as well as local network reconnaissance and lateral movement. The use of Fake Narrator to gain SYSTEM-level privileges indicates the threat actor is interested in long term monitoring of the victim, as opposed to one-off data collection.

Based on the use of numerous Chinese open source projects and the geographical location of the victims, we suspect the threat actor to be of Chinese origin. The use of PcShare was previously seen in relation to a group called Tropic Trooper, which has been targeting government institutions and heavy industry in the same region since at least 2012. Tropic Trooper (a.k.a. KeyBoy) is known to use a toolset that includes the PcShare backdoor, alongside another popular backdoor called Poison Ivy, and a bespoke one called Yahoyah.

With PcShare being an open source project which could be leveraged by any number of threat actors operating in this region we cannot be completely certain the attack is attributable to Tropic Trooper at this time.

Indicators of Compromise (IOCs)

Indicator | Type | Description
c5226bfd53d789a895559e8bcbedc4ecdde543e54a427b1cb4e5d7ef90756daa | SHA256 | PcShare loader #1
1899b3d59a9dc693d45410965c40c464224160bbef596f51d35fda099d609744 | SHA256 | PcShare loader #2
bd345155aa4baa392c3469b9893a4751c2372ae4923cf05872bcdc159b9596f8 | SHA256 | PcShare backdoor (encrypted)
49b86ae6231d44dfc2ff4ad777ea544ae534eb40bd0209defffec1eb1fe66b34 | SHA256 | PcShare backdoor (dump; no PE header)
0022508fd02bb23c3a2c4f5de0906df506a2fcabc3e841365b60ba4dd8920e0c | SHA256 | Fake Narrator
945F4106-C691-4921-ACAB-E58C50C5F150 | Mutex | PcShare loader
CF08C3F3-2CA3-4215-8CB3-4CDBD3030EC4 | Mutex | PcShare loader
45.32.181.48 | C&C IP | PcShare loader #1
142.4.124.124 | C&C IP | PcShare loader #2
C:\myWork\vc\Narrator_window_20150606v1.2\x64\Release\Narrator.pdb | PDB path | Fake Narrator


MITRE ATT&CK

Tactic | ID | Name | Observed
Initial Access | T1078 | Valid Accounts | -
Execution | T1085 | Rundll32 | PcShare loader
Persistence | T1100 | Web Shell | -
Persistence | T1060 | Registry Run Keys | PcShare loader
Privilege Escalation | T1015 | Accessibility Features | Fake Narrator
Defense Evasion | T1073 | DLL Side-Loading | PcShare loader
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | PcShare loader
Discovery | T1010 | Application Window Discovery | PcShare backdoor
Discovery | T1083 | File and Directory Discovery | PcShare backdoor
Discovery | T1057 | Process Discovery | PcShare backdoor
Discovery | T1012 | Query Registry | PcShare backdoor
Discovery | T1082 | System Information Discovery | PcShare backdoor
Discovery | T1007 | System Service Discovery | PcShare backdoor
Command and Control | T1032 | Standard Cryptographic Protocol | PcShare backdoor
Command and Control | T1105 | Remote File Copy | PcShare backdoor
Exfiltration | T1041 | Exfiltration Over Command and Control Channel | PcShare backdoor


Links:

[1] https://attack.mitre.org/techniques/T1073/
[2] https://github.com/sinmx/pcshare/
[3] https://attack.mitre.org/techniques/T1015/
[4] https://docs.microsoft.com/en-us/windows/win32/winmsg/window-features#overlapped-windows