Unknown: New research has discovered that attackers are taking advantage of the narrator utility in Windows. The effort starts by attackers implementing the Pcshare backdoor on a targeted user device. This backdoor has all it needs to carry out this campaign including additional command-and-control encryption, as well as proxy bypass functionality. Attackers install post-exploitation tools after access to the machine is gained. Fake Narrator, one of the post-exploitation tools, was discovered as a helping hand in obtaining access to admin privileges through tampering with Microsoft Accessibility features. The legitimate Narrator.exe screen reader utility is replaced with the attacker’s version, which gives the attacker access to a command prompt with system privileges and everything can be accessed remotely. Technology companies in Southeast Asia seem to be the targets currently.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased