Researchers have discovered a malware campaign targeting computers throughout Asia which looks to replace Windows Narrator with a malicious version. The malicious version, in turn, grants the attacker not only remote access but almost unfettered persistence.
Windows Narrator forms part of Microsoft’s Ease of Access suite which is built into Windows 10 and operates as a screen reader. Narrator is designed to improve the accessibility of machines running Windows 10 so those with low-level vision can use the machine relatively unhindered. The software also replaces the mouse to receive voice commands and is compatible with braille displays.
Researchers working for BlackBerry Cylance discovered the campaign and noticed that the campaign targets predominantly systems belonging to technology companies based in Southeast Asia. In a
report published by Cylance, it was noted that the attackers use a modified and open source piece of software which grants remote access. Called PCShare by its developers it is
currently available via GitHub. The tool is heavily modified and customized for the campaign at hand, featuring a tailored command-and-control (C2) servers, encryption, and proxy bypass functionality. At the same time, all code not deemed useful to the attacker’s goals is removed from the source code.
threatpost.com
![[correlate]](/data/avatars/m/79/79653.jpg?1556985072){kind=avatar}
