LTS Secure Warning: FakeNarrator Malware Being Utilized by Chinese APT Hackers to Implant PcShare Backdoor

APT hackers from China are utilizing FakeNarrator malware to attack tech companies based in Southeast Asia, in order to implant a modified version of PcShare backdoor, which is designed to function when side-loaded by a legitimate “NVidia Smart Maximize Helper Host” application.

Technical Details

The attackers are making use of a customized version of an open-source backdoor called PcShare. The backdoor is enhanced with special capabilities such as proxy bypass, C&C encryption, etc. It comes with a custom-made loader utilizing DLL sideloading technique.  

Once the attackers gain access to the victim system, they utilize the custom-made Trojan, in order to abuse Microsoft Accessibility Features, thus gaining system-level access and maintain persistence.

Impact

  • Can list, rename, create or delete files.
  • Manipulating registry values and keys.
  • Can list and manipulate services.
  • List out the process running and kill them, if needed so.
  • Execute binaries.
  • Spawn command-line shells
  • Upload & executing payloads on the infected machines.

Recommended Actions

  • Implement Principle of least privilege.
  • Software restriction policies should be in place along with application whitelisting.
  • Ensure that your devices are always up-to-date with the latest patches released.
  • Always update your anti-virus software with the latest releases.
  • Periodically run “full system scan” on your endpoints.
  • Make proper security configuration for Firewall/IDS/IPS/Endpoint Protection systems so that no holes are left barred.
  • Isolate all of the compromised computers ASAP to prevent threats from spreading further inside your infrastructure.
LTS Secure Locations
  • Florida: 407-965-5509
    Los Angeles: 323-544-5013
    Mid West: 800 689 4506

  • Chicago/Midwest– 2406 Schumacher Drive, Mishawaka, IN, 46545

    201, Tower S4, Phase II, Cybercity, Magarpatta Township, Hadapsar, Pune-411013