What the research says
The attack begins with the hackers delivering the Pcshare backdoor to potential victims.
Replacing Narrator
Narrator.exe is the screen-reader utility that ships with Windows. The attack replaces this utility with the hackers' own trojanized version of Narrator.
“Leveraging this attack makes it possible for a remote threat actor to gain unauthenticated access to a command prompt running with system privileges via a remote desktop logon screen. In order to deploy the Trojanized Narrator, the attackers will first have had to obtain administrative privileges in the victim’s system,” say researchers.
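Because the technique depends on swapping out the Narrator binary, a defender can check the file on disk for signs of replacement. The following is an added example, not code from the research: the function name Test-NarratorIntegrity is hypothetical, and it assumes the default install path and Windows PowerShell 5.1 or later.

```powershell
# Added example: integrity check for the Windows Narrator binary.
# Test-NarratorIntegrity is a hypothetical helper name, not a built-in cmdlet.
function Test-NarratorIntegrity {
    # Assumption: Narrator lives at its default location under System32.
    $path = Join-Path $env:SystemRoot 'System32\Narrator.exe'
    $findings = @()

    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{
            Path = $path; Sha256 = $null; Suspicious = $true
            Findings = @('Narrator.exe is missing from System32')
        }
    }

    # A genuine copy is signed by Microsoft (usually through a catalog) and
    # is reported as an operating-system binary.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status is '$($sig.Status)', expected 'Valid'"
    }
    if (-not $sig.IsOSBinary) {
        $findings += 'File is not recognised as an OS binary'
    }
    if ($sig.SignerCertificate -and
        $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings += "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # System files are owned by TrustedInstaller by default. A copy written
    # by an administrator normally has a different owner (a hint, not proof).
    $owner = (Get-Acl -LiteralPath $path).Owner
    if ($owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings += "Unexpected file owner: $owner"
    }

    [pscustomobject]@{
        Path       = $path
        Sha256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

Test-NarratorIntegrity | Format-List
```

The reported SHA-256 can be compared with the value from a known-clean host running the same Windows build.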
Who is responsible?
There is no concrete evidence to tell us who is responsible for these attacks. However, the geographic location of victims and the use of various Chinese open-source tools in the attack indicate the possibility of Chinese-origin threat actors.
The Pcshare backdoor was previously observed in attacks by a threat actor called Tropic Trooper. This actor is notorious for targeting government agencies and heavy industry companies in Taiwan and the Philippines.
The research says that technology companies in South-East Asia have been affected by this group.