Attackers use the legitimate NVIDIA software to deliver a backdoor that allows gaining administrator privileges by replacing the Trojan with the built-in Windows utility for reading text from the screen.
Information security experts from BlackBerry Cylance reported this. They believe that this is a targeted cyber campaign aimed at organizing the technological sector in Southeast Asia.
“The malware has been used to target technology firms, and it is deployed via side-loading by a legitimate NVIDIA application. As part of the attack, a Trojanized version of Windows’ Narrator screen reading tool is used to gain remote access to systems without the need for credentials”, — report BlackBerry Cylance researchers.
The attack begins with the delivery to the computer of the victim of the PcShare backdoor. The malware is distributed through phishing sites as part of the legitimate application NVIDIA Smart Maximise Helper Host. Criminals have replaced the NvSmartMax.dll library with a modified version of PcShare.
The functions related to streaming broadcasting and interception of keyboard input were removed from the original backdoor, but they added the ability to encrypt the communication channel with the command server and bypass proxies. By replacing a legitimate DLL file, cybercriminals can load the executable module into RAM and deliver another payload under under cover of the NVIDIA utility.
“The backdoor code contains the address of the intermediate command server, which stores instructions for interacting with the control center. Thus, attackers hide the address of the main host and, if necessary, filter traffic. The one who created the malware went to great lengths to hide from security radars”, – say the researchers.
Having fixed themselves on the target machine, attackers deliver a Trojan to it that mimics the functions of the Windows screen reader. For an application that reads text from the screen, logging in is simplified and other programs with system privileges are allowed to run. After the start, the trojan turns on a legitimate voice assistant and opens a dialog box on its behalf, and also starts a process that intercepts actions with the keyboard.
The malware expects to enter a special password that is hardwired in the code, and then opens a dialog to run a command or file. Thus, a cybercriminal can execute code on the target device even without user credentials: it is enough to transfer the specified key to the machine to activate the Trojan window.
There is no exact data on who is behind this campaign. Security experts believe that the use of PcShare, as well as the geography of attacks, may indicate the cyber grouping Tropic Trooper, which regularly attacks government agencies and industrial companies in Taiwan and the Philippines.