Delaware, USA – October 2, 2019 – An ongoing campaign by one of the Chinese cyber-espionage groups targets technology companies in Southeast Asia. BlackBerry Cylance discovered a campaign lasting about two years that distributes a modified PcShare backdoor and a trojanized Narrator executable. According to a recent Crowdstrike report on the activity of state-sponsored hackers, Chinese APTs attacked the most industries this year, and the PcShare backdoor is among the top 5 tools used by these groups. BlackBerry Cylance claims that the cybercriminals modified the backdoor for their needs by adding proxy bypass functionality and command-and-control encryption, and by removing all unused features. PcShare is mainly used to download other tools available on Chinese hacker forums, as well as a fake Narrator app used to gain System-level access to the already infected system.
Adversaries use DLL side-loading to execute the PcShare backdoor; in this campaign they misuse a component of the NVIDIA GPU graphics drivers. Researchers also noticed that the backdoor itself is the same in every attack, while the DLL file is built for each target to reflect changes in the C&C infrastructure and victim data. The techniques used, the targets, and the geography of the victims suggest that the campaign is being conducted by the Tropic Trooper group.
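The side-loading pattern described above (a legitimate, signed executable loading an attacker-supplied DLL from its own directory) is what defenders usually hunt for in image-load telemetry. The following is an added example, not code from the article or from BlackBerry Cylance, of such a heuristic run over constructed Sysmon-style "Image loaded" records. All paths, file names and signature flags below are constructed for illustration; they are not indicators from this campaign, and the signature fields are assumed to be supplied by the collector.

```python
"""Heuristic detector for DLL side-loading over image-load telemetry.

Rule: a SIGNED executable running OUTSIDE a trusted install location loads an
UNSIGNED DLL from the same directory it lives in.  A legitimate host binary
copied to a user-writable folder next to a malicious DLL of the expected name
matches; ordinary system loads and plain unsigned malware do not.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List


@dataclass(frozen=True)
class ImageLoad:
    """One Sysmon-style Event ID 7 record (constructed, not real telemetry)."""
    process: str          # executable that performed the load
    image: str            # DLL that was mapped into the process
    process_signed: bool  # loader carries a valid vendor signature
    image_signed: bool    # DLL carries a valid signature


# Locations that require elevated rights to write to; loads from here are
# treated as lower risk for this particular heuristic.
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive 'path is inside root' test on Windows path segments."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return p[: len(r)] == r


def is_trusted_location(path: str) -> bool:
    p = PureWindowsPath(path)
    return any(_under(p, root) for root in TRUSTED_DIRS)


def is_suspected_sideload(ev: ImageLoad) -> bool:
    """Apply the three-part rule described in the module docstring."""
    if not ev.process_signed or ev.image_signed:
        return False                      # not a signed host + unsigned payload
    if is_trusted_location(ev.process):
        return False                      # host runs from its normal install path
    proc_dir = str(PureWindowsPath(ev.process).parent).lower()
    dll_dir = str(PureWindowsPath(ev.image).parent).lower()
    return proc_dir == dll_dir            # DLL sits beside the relocated host


def find_sideloads(events: Iterable[ImageLoad]) -> List[ImageLoad]:
    return [ev for ev in events if is_suspected_sideload(ev)]


# Constructed sample records: one benign system load, one unsigned helper in
# a proper install directory, one relocated signed host with an unsigned DLL
# beside it, and one unsigned binary that is simply malware, not side-loading.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\ntdll.dll", True, True),
    ImageLoad(r"C:\Program Files\ExampleVendor\app.exe",
              r"C:\Program Files\ExampleVendor\helper.dll", True, False),
    ImageLoad(r"C:\Users\Public\Libraries\update\vendor_tool.exe",
              r"C:\Users\Public\Libraries\update\vendor_lib.dll", True, False),
    ImageLoad(r"C:\Users\Public\Libraries\update\dropper.exe",
              r"C:\Users\Public\Libraries\update\stage2.dll", False, False),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"suspected side-load: {hit.process} -> {hit.image}")
```

Only the third record is flagged: the first two are normal, and the fourth fails the "signed host" condition, so it belongs to a different detection (unsigned execution from a user-writable path) rather than this one. In production the same logic would be fed from Sysmon Event ID 7 or an EDR image-load stream, with the signature flags taken from the sensor rather than hard-coded.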
Content to detect the malware is available on Threat Detection Marketplace:
PCShare_BACKDOOR Yara rule – https://tdm.socprime.com/tdm/info/2410/
Tactics used by the Tropic Trooper APT: https://tdm.socprime.com/att-ck/