Replace Windows Narrator for SYSTEM level access Hackers


Chinese hackers replace the lawful Narrator app with a trojanised variant for targeted Windows applications, providing remote access with privileges from the most strong operating system account.

The Narrator app is component of the Windows ‘ Easy Access ‘ collection of programs that customers can start before authentication from the login screen. The on-screen keyboard, magnifier, display switcher and app switcher are other programs of availability.

These programs take over the executable permissions ‘ winlogon.exe,’ which is the logon method with SYSTEM permissions.

Adversaries on the system can modify them to spread the command prompt window on a remote desktop login screen (cmd.exe) with elevated permissions.

New approach to ancient technology

While this sort of attack is not new, Chinese hackers have a fresh strategy, BlackBerry Cylance safety scientists claim today in a study.

Most malware that uses accessibility replicates the Narrator interface and does bad work. In this assault, the false narrator replaces the lawful program with a covered window waiting for particular main combinations to be entered.

“When the correct passphrase has been typed the malware will display a dialog that allows the attacker to specify the path to a file to execute.” – Cylance

According to scientists, when the correct password-hardcoded in malware like ‘ showmememe ‘-is entered, the hidden window becomes noticeable. This is how the attacker can execute orders or execute orders with high privileges.


Get initial access

The hackers first compromise the system with the customized version of the open-source PcShare back door to run the fake narrator on the remote desktop login screen.

To guarantee a safe operation, they depend on DLL side loading, memory injection and misdirection tactics.

A lawful “NVIDIA Smart Maximise Helper host” program is used to get the backdoor to the target scheme and is component of the NVIDIA graphics controllers.

The program uses too side-charging malicious DLL to decode the backdoor payload (XOR), load it into the’ rundll32.exe’ memory and run it.


When the backdoor was analyzed, the scientists discovered it different from GitHub’s public version. Some of the initial features have been removed, most probably because they were not required and for less.

Cylance thinks that the malware’s aim is to obtain an original foothold and aid in retrieval and installation of next-phase exploitation instruments, including audio / video streaming and keyboard tracking.

The list of remote management characteristics found by scientists involves:

  • List, create, rename, delete files and directories
  • List and kill processes
  • Edit registry keys and values
  • List and manipulate services
  • Enumerate and control windows
  • Execute binaries
  • Download additional files from the C&C or provided URL
  • Upload files to the C&C
  • Spawn command-line shell
  • Navigate to URLs
  • Display message boxes
  • Reboot or shut down the system

Furthermore, the custom PcShare includes an SSH and Telnet server, an auto-update mode and file download and upload options.

The designers also introduced their own traffic compression LZW algorithm and integrated a statically linked PolarSSL library example to encrypt communication with the command and control (C2) server.

In order to safeguard the C2 infrastructure, the hackers included a plain text configuration file with an email that leads to a remote file with information to reach true C2.

“This allows the attackers to easily change the preferred C&C address, decide the timing of the communication, and – by applying server-side filtering – restrict revealing the real address to requests coming from specific regions or at specific times.” – Cylance

Cylance considers the attacks to be the work of a Chinese sophisticated threat group known as Tropic Trooper or KeyBoy targeting public organizations in Taiwan and the Philippines.

While it is not feasible to attribute accurate proof on the basis, the victims, their geographical place and the use of PcShare point to this opponent. These attacks were aimed at South East Asian technology businesses.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.