Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Security Windows Technology

'Narrator' Windows Utility Trojanized To Gain Full System Control (threatpost.com) 34

Posted by BeauHD from the heads-up dept.
A suspected Chinese advanced persistent threat (APT) group has been spotted attacking tech companies using a trojanized screen-reader application, replacing the built-in Narrator "Ease of Access" feature in Windows. Threatpost reports: The attackers also deploy a version of the open-source malware known as the PcShare backdoor to gain an initial foothold into victims' systems. Using the two tools, the adversaries are able to surreptitiously control Windows machines via remote desktop logon screens, without the need for credentials.

The attacks begin by delivering the PcShare backdoor to victims via spearphishing campaigns. It has been modified and designed to operate when side-loaded by a legitimate NVIDIA application. It is "specifically tailored to the needs of the campaign, with additional command-and-control (C2) encryption and proxy bypass functionality, and any unused functionality removed from the code," explained researchers with BlackBerry Cylance, in an analysis posted on Wednesday. The unused functionality includes audio/video streaming and keyboard monitoring, suggesting that it's strictly being used to install other malware.
This discussion has been archived. No new comments can be posted.

'Narrator' Windows Utility Trojanized To Gain Full System Control More

'Narrator' Windows Utility Trojanized To Gain Full System Control

Comments Filter:

  • Summary (Score:4, Interesting)

    by 110010001000 ( 697113 ) on Thursday September 26, 2019 @06:34AM (#59238652) Homepage Journal

    Some people convinced other people via spearfishing to install some software on their computer. The software ran.

  • At least/most the exploit requires user interaction. That might be a good or bad thing depending, although I'm sure there are suckers out there. This reminds me of the days of the Windows 95 "ping of death," Subseven, Back Orifice, etc.

    Admittedly I didn't RTFA, but I'm wondering how Windows UAC, local admin permissions, and whatnot come into play. In a corporate environment once local admin permissions for signed-in users was removed years ago it definitely helped curtail some of this.

    • Okay I broke down and RTFA. Definitely a clever binary. Not to mention how Narrator runs as SYSTEM and is piggybacked. So UAC and local admin permissions don't even come into play. And when I was referring to removing local admin perms in my post above, I was referring to my own corporate environment. Obviously that's an option any company with common sense should observe!

    • Even for things that require User Interaction, a person on a bad day even one who knows what they are doing, are sometimes just a miss-click away from opening a security threat. I have been relatively lucky in my 20+ year career where my code hasn't been (knowingly) hacked, and I wasn't responsible for starting a security problem, and I don't remember a time where my PC was ever infected by a virus. (Granted a good fraction of those 20+ years I have been using Linux and Macs when they weren't targets). No

      • Agreed. At my workplace, I'm going on 20 years in a few months, and the amount of defenses we've layered over the years is something else. Everything from bolstered local A/V to DNS-based security to perimeter-based appliances to security analytics to ad nauseum. But still the last line of defense is the enduser. With all of that in place there still is a chance that someone could quickly click something they shouldn't or read through a well-crafted spearphishing e-mail too quickly. So we try to proactively

  • I used those tools to bypass XP deactivation (Score:3)

    by Jody Bruchon ( 3404363 ) on Thursday September 26, 2019 @07:11AM (#59238724)
    Back in the bad old days, XP would sometimes get deactvated and you could not run anything outside of Safe Mode. That meant that if you needed to download and install a driver to get activation over the internet working again, you were out of luck. I used to hit Win+U, then the "help" link for the tools would let me open IE, then I'd "download" C:\windows\system32\cmd.exe and run it, then I'd do whatever I wanted from there. Windows XP would still kill all programs after a period of time, but I could run Explorer and Device Manager and do whatever I needed to in that window.

    It's nice to know that these "ease of access" tools are still such lovely security risks!

    • It's nice to know that these "ease of access" tools are still such lovely security risks!

      Oh, that's only recently been fixed - Win10 1803, I think? It was handy when you didn't have an admin password - boot up a recovery environment (like a Win10 install CD), rename c:\windows\system32\osk.exe to osk.exe.old, copy cmd.exe to osk.exe, and reboot. Using the on-screen keyboard at the login screen would launch an administrative command prompt that would happily let you 'net use' your way into a password reset or a new admin prompt.

      You can do that on basically any Windows OS, desktop or server, up u

    • Ha! I used to do that when I was in my single digit years to bypass the Windows 98 login screen. Substitute cmd.exe with explorer.exe and the desktop would come right up.

  • I also like to trojanize myself to gain full system access...

    Hey, betcha didn't expect that with your morning coffee, didn't you?

    Posting cheap shots since the last century

  • As usual... (Score:3, Funny)

    by JustAnotherOldGuy ( 4145623 ) on Thursday September 26, 2019 @08:57AM (#59239174) Journal

    As usual, Linux users are left out in the cold like second-class citizens of the computing world and cannot enjoy this latest shiny malware/trojan.

Slashdot Top Deals

Your own mileage may vary.

Close