Chinese Hackers Hit Technology Firms in Southeast Asia With PcShare Backdoor (Sep 26, 2019)
BlackBerry Cylance security researchers have detected a campaign that they believe originates from China and that targets Southeast Asian technology firms. The actors abuse the built-in Narrator "Ease of Access" feature in Windows by replacing it with a trojanized screen reader application. The trojanized Narrator executable is only one of the post-exploitation tools used by the actors; the tools share code found on Chinese programming sites. The malware used in the campaign is executed through DLL side-loading, specifically using the NVIDIA Smart Maximise Helper Host application. PcShare is an open-source Chinese backdoor, and it was found in use across multiple organisations in this campaign. The actors continue to modify the fake Narrator app to suit each target victim. BlackBerry Cylance researchers have noted similarities between this campaign and the known Chinese APT Tropic Thunder.
Recommendation: Defence-in-depth is the best way to ensure safety from APTs. Defence-in-depth involves layering defence mechanisms. This can include network and endpoint security, social engineering training for staff (such as exercises that help them detect phishing emails) and robust threat intelligence capabilities.
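The two tradecraft elements above (the signed NVIDIA helper side-loading a DLL, and the replaced Narrator binary) lend themselves to simple endpoint telemetry checks. The following is an added detection example, not code from the BlackBerry Cylance report; it runs over constructed Sysmon-style process-create (Event ID 1) and image-load (Event ID 7) records, assumes the helper's image name is nvSmartMaxApp.exe, and uses a placeholder baseline hash for Narrator.exe that you would replace with one taken from a clean host.

```python
# Added example: detection checks for NVIDIA helper DLL side-loading and a replaced
# Narrator.exe, over constructed Sysmon-style records (not from the original report).

NVIDIA_HOST = "nvsmartmaxapp.exe"   # assumed image name of the Smart Maximise Helper Host
TRUSTED_SIGNERS = {"nvidia corporation", "microsoft windows", "microsoft corporation"}
# Known-good Narrator.exe hash from a clean baseline host. Constructed placeholder value.
NARRATOR_BASELINE = {r"c:\windows\system32\narrator.exe": "SHA256=BASELINE_PLACEHOLDER"}

def _name(path):
    return path.lower().rsplit("\\", 1)[-1]

def check_image_load(rec):
    """EID 7: flag the NVIDIA helper loading a DLL that is unsigned or signed by an
    unexpected publisher, which is how a DLL dropped next to the signed EXE looks."""
    if _name(rec["Image"]) != NVIDIA_HOST:
        return None
    signer = rec.get("Signature", "").lower()
    if rec.get("Signed", "false").lower() != "true" or signer not in TRUSTED_SIGNERS:
        return ("nvidia-helper-sideload", rec["Image"], rec["ImageLoaded"])
    return None

def check_process_create(rec):
    """EID 1: flag the NVIDIA helper running outside Program Files (legitimate EXE
    copied elsewhere) and a Narrator.exe whose path or hash departs from baseline."""
    image = rec["Image"].lower()
    name = _name(image)
    if name == NVIDIA_HOST and not image.startswith(r"c:\program files"):
        return ("nvidia-helper-relocated", rec["Image"], rec.get("ParentImage", ""))
    if name == "narrator.exe":
        expected = NARRATOR_BASELINE.get(image)
        if expected is None:
            return ("narrator-unexpected-path", rec["Image"], rec.get("ParentImage", ""))
        if rec.get("Hashes", "") != expected:
            return ("narrator-replaced", rec["Image"], rec.get("Hashes", ""))
    return None

def scan(records):
    """Route each record to the check for its event type; return all findings."""
    findings = []
    for rec in records:
        check = check_image_load if rec["EventID"] == 7 else check_process_create
        hit = check(rec)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample telemetry: one clean Narrator start, one with a foreign hash,
# the helper started from a user-writable path, and two image loads by the helper.
SAMPLE = [
    {"EventID": 1, "Image": r"C:\Windows\System32\Narrator.exe", "ParentImage": r"C:\Windows\System32\winlogon.exe", "Hashes": "SHA256=BASELINE_PLACEHOLDER"},
    {"EventID": 1, "Image": r"C:\Windows\System32\Narrator.exe", "ParentImage": r"C:\Windows\System32\winlogon.exe", "Hashes": "SHA256=DIFFERENT_VALUE"},
    {"EventID": 1, "Image": r"C:\Users\Public\nvSmartMaxApp.exe", "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=X"},
    {"EventID": 7, "Image": r"C:\Users\Public\nvSmartMaxApp.exe", "ImageLoaded": r"C:\Users\Public\helper.dll", "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": r"C:\Program Files\NVIDIA Corporation\nvSmartMaxApp.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows"},
]
```

Feeding real Sysmon exports through scan() only requires mapping the Image, ImageLoaded, Signed, Signature and Hashes fields to the same keys.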
Indicators of Compromise (IOCs) associated with this story are available to ThreatStream users to help identify potential malicious activity.