PcShare Backdoor Attacks Targeting Windows Users with FakeNarrator Malware
By Cylance Research and Intelligence Team
Archived: 2026-04-05 14:17:06 UTC

Introduction

Over the course of the last two years, BlackBerry Cylance researchers uncovered a suspected Chinese advanced persistent threat (APT) group conducting attacks against technology companies located in south-east Asia. The threat actors deployed a version of the open-source PcShare backdoor, modified and designed to operate when side-loaded by a legitimate NVIDIA application. The attackers also deploy a Trojanized screen reader application, replacing the built-in Narrator "Ease of Access" feature in Windows. This backdoor allows them to surreptitiously control systems via remote desktop logon screens without the need for credentials.

This report outlines the public-domain malware samples related to this threat actor. It includes insight into the malicious use of Narrator.exe and modifications to the PcShare backdoor. Our research will benefit security-minded professionals by detailing the evolving tactics, techniques, and procedures (TTPs) of a capable threat actor. For CISOs, familiarizing yourself with how the threat landscape is changing will better position you to protect your organization.

Analysis

The attackers use a modified version of a Chinese open-source backdoor called PcShare as their main foothold on the victim's machine. The backdoor is specifically tailored to the needs of the campaign, with additional command-and-control (C&C) encryption and proxy bypass functionality, and any unused functionality removed from the code. It arrives with a bespoke loader that uses the DLL side-loading technique. After gaining access to the victim's machine, the attackers deploy a range of post-exploitation tools, many of them based on publicly available code often found on Chinese programming portals.
One of these tools stood out: a bespoke Trojan that abuses Microsoft Accessibility Features to gain SYSTEM-level access on the compromised machine in a way similar to the infamous "Sticky Keys" attack. In this case, instead of replacing the usual sethc.exe or utilman.exe binaries, the attackers chose to Trojanize the Narrator executable, a Windows utility that reads aloud the text on the screen and can be invoked on the login screen with a keyboard shortcut. The use of Fake Narrator to gain SYSTEM-level access to the victim's machine suggests the attackers are interested in maintaining a long-term foothold.

The campaign is characterized by a fair level of stealthiness, as the threat actor made a concerted effort to avoid detection. The use of the DLL side-loading technique together with a bespoke loader utilizing memory injection ensures that the main backdoor binary is never dropped to the disk. A simple but effective anti-sandboxing technique, payload encoding keyed on the execution path, is also implemented to avoid detection.

The C&C infrastructure is protected by a level of indirection. The configuration supplied by the loader is passed as plain text, but the URL it contains is not the real C&C address. It instead points to a remote file that provides the actual details to be used in the C&C communication. This allows the attackers to easily change the preferred C&C address, decide the timing of the communication, and, by applying server-side filtering, restrict revealing the real address to requests coming from specific regions or at specific times.

As of today, precise attribution of these attacks has proven elusive.
The use of the PcShare backdoor, as well as the geographical location of the victims, bears similarities to a known threat actor called Tropic Trooper, which is actively targeting government institutions and heavy industry companies in Taiwan and the Philippines.

PcShare loader

Sample #1
SHA256 | c5226bfd53d789a895559e8bcbedc4ecdde543e54a427b1cb4e5d7ef90756daa
Classification | Malware/Backdoor
Size | 424 KB (434,176 bytes)
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Filename | NvSmartMax.dll
Timestamp | 2017-10-20 07:08:10

Sample #2
SHA256 | 1899B3D59A9DC693D45410965C40C464224160BBEF596F51D35FDA099D609744
Classification | Malware/Backdoor
Size | 424 KB (434,176 bytes)
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Filename | NvSmartMax.dll
Timestamp | 2017-09-28 09:01:58

Overview

The DLL is side-loaded[1] by the legitimate "NVIDIA Smart Maximise Helper Host" application (part of the NVIDIA GPU graphics driver) instead of the original NvSmartMax.dll that the program normally uses. Its main responsibility is to decrypt and load the encoded payload stored either in its .data section or in a separate DAT file:

Figure 1: Loader overview

The threat actor has been observed using the same PcShare payload across attacks on multiple organizations. However, the side-loaded DLL is often modified per target (seemingly without recompiling) to update configuration details such as C&C IP addresses and victim identifiers.

FEATURES

- DLL side-loading using a choice of files tailored to the victim's environment
- Embedded plain-text configuration
- Simple anti-sandboxing measure
- Payload encoded with one-byte XOR
- Payload injected into memory without being dropped to the disk

BEHAVIOR

While the DllMain function of the PcShare loader is empty, the library exports three other functions.
An export called NvSmartMaxUseDynamicDeviceGrids contains the routine that will decrypt and execute the payload, while another one, NvSmartMaxNotifyAppHWND, is responsible for invoking the decryption routine in the context of a separate process. The third exported function, GetContainingRect, is irrelevant to the malicious activity but is required by the legitimate application.

Once the malicious NvSmartMaxNotifyAppHWND export is called, it will:

- Create a mutex with a hardcoded GUID-like name
- Rename the original legitimate EXE file by appending the suffix "Ex" before the extension
- Set persistence in the registry by adding an "NvSmart" entry (with the path pointing to the copy of the legitimate file) to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key

The decoding routine is then invoked in the context of a separate rundll32.exe process by calling the CreateProcess API with the following parameters:

rundll32.exe %s ,NvSmartMaxUseDynamicDeviceGrids

Figure 2: rundll32.exe used to launch the decryption routine

To ensure that just one instance of the payload injection routine is running, the NvSmartMaxUseDynamicDeviceGrids function will create another GUID-like mutex before proceeding to decrypt and execute the payload. Decoding is XOR based, and the initial one-byte XOR key is computed from the current process path.
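As an added analyst-side illustration (not the loader's own routine, whose key calculation appears only in Figure 3), the following Python models a path-dependent single-byte XOR key and shows that, because the key space is only 256 values, an analyst can recover the payload by brute force, scoring candidates for strings the report identifies in the decoded DLL (PcMain.dll, Vip20101125, WorkMainF), without knowing how the key is derived or under which path the sample was run. The derive_key() formula, the two process paths and the payload bytes are constructed assumptions, and a plain single-byte XOR over the whole buffer is assumed.

```python
"""Recovering a path-keyed single-byte XOR payload (analyst-side, constructed example).

derive_key() is a hypothetical stand-in for the loader's key calculation; it only
reproduces the property the report describes: the key depends on the process path,
so a sandbox that runs the sample under another path decodes garbage.
"""
from __future__ import annotations

# Strings the report identifies in the decoded payload (internal DLL name and the
# two exports); candidate decodings are scored by how many of them appear.
KNOWN_MARKERS = (b"PcMain.dll", b"Vip20101125", b"WorkMainF")

RUNDLL32_PATH = r"C:\Windows\System32\rundll32.exe"  # path under which the loader expects to run
SANDBOX_PATH = r"C:\sandbox\sample.exe"              # hypothetical analysis-environment path


def derive_key(process_path: str) -> int:
    """Hypothetical path-dependent key: byte sum of the lower-cased path, modulo 256.

    Not the real routine; any function of the path with the same property would do.
    """
    return sum(process_path.lower().encode("utf-8")) & 0xFF


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)


def decode_with_path(encoded: bytes, process_path: str) -> bytes:
    """Decode the way the loader would: the key comes from its own process path."""
    return xor_bytes(encoded, derive_key(process_path))


def score_candidate(candidate: bytes) -> int:
    """Count occurrences of the known PcShare markers in a candidate plaintext."""
    return sum(candidate.count(marker) for marker in KNOWN_MARKERS)


def recover_key(encoded: bytes) -> tuple[int, bytes]:
    """Try all 256 keys and return (key, plaintext) with the highest marker score.

    Raises ValueError when no key yields a marker, so a garbage decoding is never
    silently accepted.
    """
    best_key, best_score = -1, 0
    for key in range(256):
        score = score_candidate(xor_bytes(encoded, key))
        if score > best_score:
            best_key, best_score = key, score
    if best_key < 0:
        raise ValueError("no candidate key produced a known PcShare marker")
    return best_key, xor_bytes(encoded, best_key)


def build_sample_payload() -> bytes:
    """Constructed stand-in for the headerless PcMain.dll blob: filler bytes with
    the known strings embedded at two offsets."""
    filler = bytes(range(256)) * 4
    return (filler[:300] + KNOWN_MARKERS[0] + filler[300:700]
            + b"\x00".join(KNOWN_MARKERS[1:]) + filler[700:])


# Constructed sample: the payload encoded under the key the loader would derive
# when running inside rundll32.exe, as the report describes.
ENCODED_SAMPLE = xor_bytes(build_sample_payload(), derive_key(RUNDLL32_PATH))


if __name__ == "__main__":
    wrong = decode_with_path(ENCODED_SAMPLE, SANDBOX_PATH)
    print("decoded under sandbox path, markers found:", score_candidate(wrong))
    key, plain = recover_key(ENCODED_SAMPLE)
    print(f"brute-forced key 0x{key:02X}, markers found: {score_candidate(plain)}")
```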
Such anti-analysis measures can prevent the payload from being decoded properly when running in some sandboxed environments, as it will only generate the correct XOR key when its parent process name is rundll32.exe:

Figure 3: Key calculation (based on executable path) and payload decryption

The XOR decoding routine can be translated into C/C++ code as follows:

Figure 4: Pseudo-code for payload decryption

After decoding the payload, the malware will reflectively load it into the memory of rundll32.exe and execute it, passing a pointer to the hardcoded configuration as a parameter:

Figure 5: Hard-coded configuration

CONFIGURATION

Field | Value
Victim GUID (?) | 84314963-BE0E-43C9-A0BE-83B180361999
ServerPort | 443
Timeout | 0x3C (60)
Cmd | -
ServerAddr | 45.32.181.48
DdnsUrl |
SoftVer | 1020
Group |
Port | 0x50 (80)
HWnd | -
Id | -

PcShare Backdoor

SHA256 | bd345155aa4baa392c3469b9893a4751c2372ae4923cf05872bcdc159b9596f8 (encrypted)
SHA256 | 49b86ae6231d44dfc2ff4ad777ea544ae534eb40bd0209defffec1eb1fe66b34 (decrypted)
Classification | Malware/Backdoor
Aliases | PcClient, PcMain
Size | 296 KB (303,104 bytes)
Type | Binary (PE DLL without a header)
Filename | PcMain.dll (internal)
Timestamp | N/A

Overview

The payload is loaded into memory reflectively, so it never resides on disk in decrypted form. Although the file header is zeroed out, the binary is assumed to have originally been a PE DLL. The backdoor is based on a Chinese open-source remote access Trojan (RAT) called PcShare, which is available in multiple versions on GitHub[2].
Some functionality found in the original code is unimplemented, suggesting the attackers stripped unnecessary code to meet specific needs, limit the malicious footprint, and make the binary smaller. In this case, the unimplemented features include audio/video streaming and keyboard monitoring, which suggests that this backdoor was used to establish an early-stage foothold and was intended mainly to download and install other modules.

FEATURES

- Different modes of operation, including SSH & Telnet server, self-update mode, and file upload and download modes
- Use of a custom LZW algorithm implementation for traffic compression
- Use of the PolarSSL library to encrypt C&C communication (not present in the open-source version)
- Proxy authentication via local user credentials (not present in the open-source version)
- Several remote administration abilities:
  o List, create, rename, delete files and directories
  o List and kill processes
  o Edit registry keys and values
  o List and manipulate services
  o Enumerate and control windows
  o Execute binaries
  o Download additional files from the C&C or a provided URL
  o Upload files to the C&C
  o Spawn a command line shell
  o Navigate to URLs
  o Display message boxes
  o Reboot or shut down the system

BEHAVIOR

The internal name of the DLL is PcMain.dll. It exports two functions, Vip20101125 and WorkMainF. These strings correlate with the PcShare code available on GitHub:

Figure 6: PcMain.dll exported functions (left), and PcShare source code on GitHub (right)

The main functionality of the malware is contained in the Vip20101125 export, which is invoked from inside the DllMain function. In order to connect to the C&C server, the backdoor first needs to obtain the real C&C address.
This is done by reading the content of a remote file located at the URL specified in the loader-supplied configuration. The remote file is expected to be a simple plain-text file containing an IP address and a port number. If no port number is specified, the default port will be set to 80. The malware will then connect to the C&C via a TCP socket and send a beacon containing compressed and encrypted system information:

Figure 7: Sending C&C beacon

In response, the C&C server is expected to send a command that will specify the requested backdoor connection mode. The received command is then dispatched to a handler:

Figure 8: Switch loop to handle connection mode command

There are several different backdoor modes in line with the original open-source code, but some of the options have been removed. Below is a partial list of commands supported by CMyClientMain::GetCmdFromServer:

Figure 9: Backdoor modes

Figure 10: Portion of original CMyClientMain::GetCmdFromServer from PcMain/MyClientMain.cpp

The switch statement that operates the backdoor functionality is contained within the CMyMainTrans::StartWork function. Depending on the chosen connection mode and the OS version, the SSH_MainThread function will either make a direct call to the StartWork function or create another instance of the backdoor DLL and call its WorkMainF export, supplying configuration values as parameters.
In the case of this particular modification, the unpacked backdoor DLL is never dropped to the disk, so the attackers are limited to the direct method of invoking the backdoor switch:

Figure 11: Executing WorkMainF with configuration parameters

The StartWork function initiates the processing of backdoor commands. The command parameters are first decrypted and decompressed using the backdoor's own implementation of the LZW algorithm inside a function called PcUnZip:

Figure 12: Receive, unpack and dispatch command

Figure 13: Supported backdoor commands

C&C Communication

Unlike the GitHub version, this version of PcShare can bypass proxies by retrieving the proxy configuration and using it to authenticate:

Figure 14: Proxy authentication using user-agent string from Chrome 47 (2015-12-01)

The backdoor binary embeds a statically linked instance of the PolarSSL library.
All C&C communication is encrypted with the use of an embedded RSA key and compressed using the backdoor's own implementation of LZW:

Figure 15: PolarSSL certificate embedded in the payload

Figure 16: PolarSSL keys and certificates embedded in the payload

BACKDOOR MODES

The first command from the C&C server specifies the connection mode (note that parameters are sent separately):

Command | Code (Hex/Decimal) | Function | Parameters | Comments
WM_CONNECT_FRAM | 0x1F41 / 8001 | SSH_FramThread | - | Start the backdoor command processing loop; the camera capture thread associated with this function in the GitHub code has been removed
WM_CONNECT_FILE | 0x1F42 / 8002 | SSH_MainThread | - | Start the backdoor command processing loop
WM_CONNECT_PROC | 0x1F43 / 8003 | SSH_MainThread | - | Start the backdoor command processing loop
WM_CONNECT_SERV | 0x1F44 / 8004 | SSH_MainThread | - | Start the backdoor command processing loop
WM_CONNECT_KEYM | 0x1F45 / 8005 | (unimplemented) | - | -
WM_CONNECT_MULT | 0x1F46 / 8006 | (unimplemented) | - | -
WM_CONNECT_TLNT | 0x1F47 / 8007 | SSH_TlntThread | - | Open a terminal connection to the C&C server and send basic system info; in a loop, read and execute shell commands sent by the C&C
WM_CONNECT_DL_FILE | 0x1F48 / 8008 | SSH_DlThread | FilePath | Read the content of the specified file and send it (compressed and encrypted) back to the C&C
WM_CONNECT_UPDA | 0x1F49 / 8009 | UpdateFile | BinaryData | Receive a file from the C&C, write it to a temp file and execute it using the CreateProcess function; then terminate self
WM_CONNECT_TURL | 0x1F4A / 8010 | SSH_TuRlThread | URL | Download and execute a file from the specified URL
WM_CONNECT_UPLO | 0x1F4B / 8011 | SSH_FileThread | BinaryData | Receive a PE EXE file from the C&C, write it to a temp file and execute it
WM_CONNECT_GDIP | 0x1F4C / 8012 | (unimplemented) | - | -
WM_CONNECT_QUER | 0x1F4D / 8013 | (unimplemented) | - | -
WM_CONNECT_REGT | 0x1F4E / 8014 | SSH_MainThread | - | Start the backdoor command processing loop
WM_CONNECT_CWND | 0x1F4F / 8015 | SSH_MainThread | - | Spawn a new instance of the backdoor DLL and invoke the WorkMainF export, which will start the backdoor command processing loop
WM_CONNECT_MESS | 0x1F50 / 8016 | SSH_MessThread | Type, Text | Display a message box with the specified text
WM_CONNECT_LINK | 0x1F51 / 8017 | SSH_LinkThread | ShowCmd, URL | Open the specified URL in Internet Explorer
WM_CONNECT_SOCKS | 0x1F52 / 8018 | - | |
WM_CONNECT_TWOO | 0x1F53 / 8019 | - | |
WM_CONNECT_FIND | 0x1F54 / 8020 | SSH_MainThread | - | Start the backdoor command processing loop
WM_CONNECT_CMD | 0x1F55 / 8021 | (unimplemented) | - | -
WM_CONNECT_VIDEO | 0x1F56 / 8022 | (unimplemented) | - | -
WM_CONNECT_AUDIO | 0x1F57 / 8023 | (unimplemented) | - | -
WM_CONNECT_UP_FILE | 0x1F58 / 8024 | SSH_UpThread | FilePath, BinaryData | Receive a file name from the C&C and write it with the received binary data
WM_CONNECT_GET_KEY | 0x1F59 / 8025 | (unimplemented) | - | -
WM_CONNECT_SOCKS_STOP | 0x1F5A / 8026 | SSH_StopSocksThread | - | Stop backdoor communication
WM_CONNECT_CLIENT_DOWN | 0x1F5B / 8027 | SSH_StopSocksThread | - | Stop backdoor communication
CLIENT_PRO_UNINSTALL | 30002 | - | - | Return the "uninstall" flag
CLIENT_SYSTEM_RESTART | 30004 | ShutDownSystem | - | Reboot the system
CLIENT_SYSTEM_SHUTDOWN | 30005 | ShutDownSystem | - | Power off the system

BACKDOOR COMMANDS

The backdoor command processing thread is started in some of the operation modes and is capable of processing the following commands:

Command | Code (Hex/Decimal) | Parameters | Comments
GetDiskInfo | 0x6EB / 1771 | RootPath | Save information about the specified disk (disk name, drive type, volume information and free space) to a temp file
GetFileInfo | 0x6EC / 1772 | FilePath | Save extended attributes of a file to a temp file
GetDirInfo | 0x6ED / 1773 | DirectoryPath | Save directory info (extended attributes of a directory, number of subdirectories, number of files and total file size) to a temp file
GetDirList | 0x6EE / 1774 | DirectoryPath | Save the list of file names found under the specified directory to a temp file
DeleteMyFile | 0x6EF / 1775 | FilePath | Delete the specified file(s)
CreateDir | 0x6F0 / 1776 | DirectoryPath | Create the specified directory
ReNameFile | 0x6F1 / 1777 | ExistingFileName, NewFileName | Move the specified file
GetDiskList | 0x6F2 / 1778 | - | Save information about all disks (disk name, drive type, volume information and free space) to a temp file
ExecFile | 0x6F3 / 1779 | FilePath | Execute a given application
KillOneProcess | 0x6F4 / 1780 | PID | Terminate the process with the given PID
MyRegEnumKey | 0x6F5 / 1781 | SubKey | Write a list of registry values stored under a given key to a temp file
MyRegDeleteKey | 0x6F6 / 1782 | SubKey | Delete the specified registry key
(unimplemented) | 0x6F7 / 1783 | - | -
MyRegDeleteValue | 0x6F8 / 1784 | SubKey, ValueName | Delete the specified registry value
MyRegEditValue | 0x6F9 / 1785 | SubKey, ValueName, Type, Data | Set the specified registry value
(unimplemented) | 0x6FA / 1786 | - | -
GetDownFileList | 0x6FB / 1787 | ListOfFiles | Save paths, attributes and sizes of the given files to a temp file
GetProcessList | 0x6FC / 1788 | - | Write the list of running processes to a temp file
EnumMyServices | 0x6FD / 1789 | - | Write the list of services (name, status, config) to a temp file
ControlMyServices | 0x6FE / 1790 | ServiceName, State | Either start or restart the specified service, depending on the second parameter
ConfigMyServices | 0x6FF / 1791 | ServiceName, StartType, DisplayName | Change the start type and display name of a given service
(unimplemented) | 0x700 / 1792 | - | -
DeleteMyServices | 0x701 / 1793 | ServiceName | Delete the specified service
GetFindFileList | 0x702 / 1794 | Path | Find the specified file or all files under the specified directory; save file names together with their attributes to a temp file
MyEnumWindows | 0x703 / 1795 | - | Write the list of open windows (window text and module name) to a temp file
MyControlWindows | 0x704 / 1796 | hWnd, CmdShow | Either close or manipulate (show, hide, minimize, maximize) a given window

Fake Narrator

SHA256 | 0022508fd02bb23c3a2c4f5de0906df506a2fcabc3e841365b60ba4dd8920e0c
Classification | Malware/Trojan
Aliases | N/A
Size | 220 KB (225,280 bytes)
Type | PE32+ executable (GUI) x86-64, for MS Windows
Filename | Narrator.exe
Timestamp | 2015-06-08 05:23:07
PDB path | C:\myWork\vc\Narrator_window_20150606v1.2\x64\Release\Narrator.pdb

Overview

Similar to the aforementioned "Sticky Keys" attack[3], this binary is designed to replace Narrator.exe, a legitimate screen-reader utility belonging to Windows. Leveraging this attack makes it possible for a remote threat actor to gain unauthenticated access to a command prompt running with system privileges via a remote desktop logon screen.
In order to deploy the Trojanized Narrator, the attackers will first have had to obtain administrative privileges on the victim's system. This binary is quite novel compared to previous malware that exploits accessibility features in Windows, in that it doesn't attempt to replicate the Narrator user interface (which is often imitated poorly). Instead, it spawns a copy of the original Narrator.exe and draws a hidden overlapped window[4], where it waits to capture specific key combinations known only to the attacker. When the correct passphrase has been typed, the malware will display a dialog that allows the attacker to specify the path to a file to execute.

FEATURES

- Replaces Narrator.exe, a legitimate Windows screen reader application
- Requires attackers to obtain administrative privileges on the victim machine prior to deployment
- Grants permanent SYSTEM-level access via the logon screen

BEHAVIOR

Upon execution, the Trojanized Fake Narrator will first run the original legitimate Narrator (previously renamed by the threat actor to NarratorMain.exe). The malware will then register a window class ("NARRATOR") and create a window ("Narrator"). The window procedure creates a dialog with an edit control and a button called "r", while a separate thread constantly monitors keystrokes. If the malware detects that a specific password has been typed (hardcoded in the binary as the string "showmememe"), it will display the previously created dialog. This allows the attacker to specify the command, or the path to a file to execute, via the edit control.
When the "r" button is pressed, the malware will read the contents of the edit control and supply the text to a thread that will attempt to run the command via the system API:

Figure 17: Fake Narrator – Monitoring the keyboard for hardcoded password

Once Fake Narrator is enabled at the logon screen via "Ease of Access", the malware will be executed by winlogon.exe with SYSTEM privileges. Typing the attacker-defined password will allow the attacker to spawn any executable, also running under the SYSTEM account, at the logon screen:

Figure 18: Fake Narrator running at RDP login prompt

This technique ultimately allows a malicious actor to maintain a persistent shell on a system without requiring valid credentials.

Conclusions

The threat actor behind these attacks tends to modify and reuse publicly available code; this is true both for the foothold backdoor and for the majority of the post-exploitation tools they use. Such an approach requires significantly fewer resources and speeds up the process of developing an attack toolset. Moreover, open-source code is more difficult to attribute, as it can be adapted and used by anyone who has access to the Internet and an appropriate compiler. Despite a preference for open-source tools, the attacker doesn't shy away from building their own bespoke utilities as needed, like Fake Narrator. The development timeline of Fake Narrator samples shows the tool was introduced more than four years ago and is still being actively modified in order to better fit the victim's environment. A multi-year period between subsequent versions suggests that this particular tool is rather uncommon and used in a very limited number of cases.
The aim of the attackers is persistent exfiltration of sensitive data, as well as local network reconnaissance and lateral movement. The use of Fake Narrator to gain SYSTEM-level privileges indicates the threat actor is interested in long-term monitoring of the victim, as opposed to one-off data collection.

Based on the use of numerous Chinese open-source projects and the geographical location of the victims, we suspect the threat actor to be of Chinese origin. The use of PcShare was previously seen in relation to a group called Tropic Trooper, which has been targeting government institutions and heavy industry in the same region since at least 2012. Tropic Trooper (a.k.a. KeyBoy) is known to use a toolset that includes the PcShare backdoor, alongside another popular backdoor called Poison Ivy and a bespoke one called Yahoyah. With PcShare being an open-source project which could be leveraged by any number of threat actors operating in this region, we cannot be completely certain the attack is attributable to Tropic Trooper at this time.
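Added detection example, not from the report or its authors: Python rules over constructed Sysmon-style process-creation and registry events that encode three behaviours described above, rundll32.exe invoking the loader's NvSmartMaxUseDynamicDeviceGrids export, the NvSmart Run-key entry, and a winlogon.exe-started Narrator.exe (the logon-screen case) spawning a child process. Event field names follow Sysmon conventions; the user paths, PIDs and the renamed helper name NvSmartMaxHostEx.exe are constructed, since the report names only the "Ex" suffix.

```python
"""Detection rules for the PcShare loader and Fake Narrator (constructed example).

Events are Sysmon-style dicts: EventID 1 = process creation, EventID 13 = registry
value set. Nothing here is telemetry from the report; paths and PIDs are made up.
"""
from __future__ import annotations

import ntpath

LOADER_EXPORT = "nvsmartmaxusedynamicdevicegrids"   # export named in the report
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
PERSISTENCE_VALUE = "nvsmart"                        # Run-key value name in the report


def _base(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def rule_rundll32_loader_export(ev: dict) -> str | None:
    """rundll32.exe launching a DLL through the loader's decryption export."""
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) != "rundll32.exe":
        return None
    if LOADER_EXPORT in ev.get("CommandLine", "").lower():
        return f"rundll32 invoked PcShare loader export: {ev['CommandLine']}"
    return None


def rule_nvsmart_run_key(ev: dict) -> str | None:
    """'NvSmart' value written under any user's Run key (loader persistence)."""
    if ev.get("EventID") != 13:
        return None
    if ev.get("TargetObject", "").lower().endswith(RUN_KEY + PERSISTENCE_VALUE):
        return f"Run-key persistence '{PERSISTENCE_VALUE}' -> {ev.get('Details', '')}"
    return None


def rule_narrator_spawns_child(ev: dict, events: list[dict]) -> str | None:
    """A child of Narrator.exe where that Narrator.exe was started by winlogon.exe.

    The legitimate screen reader has no reason to start other binaries from the
    logon screen; Fake Narrator does exactly that (NarratorMain.exe, then cmd.exe).
    """
    if ev.get("EventID") != 1 or _base(ev.get("ParentImage", "")) != "narrator.exe":
        return None
    started_by_winlogon = any(
        e.get("EventID") == 1 and e.get("ProcessId") == ev.get("ParentProcessId")
        and _base(e.get("ParentImage", "")) == "winlogon.exe"
        for e in events
    )
    if started_by_winlogon:
        return f"Narrator.exe under winlogon.exe spawned {_base(ev.get('Image', ''))}"
    return None


def detect(events: list[dict]) -> list[str]:
    """Run every rule over the event stream; return findings in event order."""
    findings: list[str] = []
    for ev in events:
        for hit in (rule_rundll32_loader_export(ev), rule_nvsmart_run_key(ev),
                    rule_narrator_spawns_child(ev, events)):
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry; NvSmartMaxHostEx.exe is a hypothetical name for the
# renamed NVIDIA helper (the report only states an "Ex" suffix is appended).
HELPER = r"C:\Users\victim\AppData\Roaming\NvSmartMaxHostEx.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 3900, "ParentImage": HELPER,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\AppData\Roaming\NvSmartMax.dll ,NvSmartMaxUseDynamicDeviceGrids"},
    {"EventID": 13, "ProcessId": 3900, "Image": HELPER, "Details": HELPER,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\NvSmart"},
    {"EventID": 1, "ProcessId": 5200, "ParentProcessId": 700, "CommandLine": "Narrator.exe",
     "Image": r"C:\Windows\System32\Narrator.exe", "ParentImage": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 1, "ProcessId": 5205, "ParentProcessId": 5200, "CommandLine": "NarratorMain.exe",
     "Image": r"C:\Windows\System32\NarratorMain.exe", "ParentImage": r"C:\Windows\System32\Narrator.exe"},
    {"EventID": 1, "ProcessId": 5210, "ParentProcessId": 5200, "CommandLine": "cmd.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\Narrator.exe"},
    # Benign: Narrator started interactively from explorer.exe, no children.
    {"EventID": 1, "ProcessId": 6000, "ParentProcessId": 2000, "CommandLine": "Narrator.exe",
     "Image": r"C:\Windows\System32\Narrator.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print("ALERT:", finding)
```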
Indicators of Compromise (IOCs)

Indicator | Type | Description
c5226bfd53d789a895559e8bcbedc4ecdde543e54a427b1cb4e5d7ef90756daa | SHA256 | PcShare loader #1
1899b3d59a9dc693d45410965c40c464224160bbef596f51d35fda099d609744 | SHA256 | PcShare loader #2
bd345155aa4baa392c3469b9893a4751c2372ae4923cf05872bcdc159b9596f8 | SHA256 | PcShare backdoor (encrypted)
49b86ae6231d44dfc2ff4ad777ea544ae534eb40bd0209defffec1eb1fe66b34 | SHA256 | PcShare backdoor (dump; no PE header)
0022508fd02bb23c3a2c4f5de0906df506a2fcabc3e841365b60ba4dd8920e0c | SHA256 | Fake Narrator
945F4106-C691-4921-ACAB-E58C50C5F150 | Mutex | PcShare loader
CF08C3F3-2CA3-4215-8CB3-4CDBD3030EC4 | Mutex | PcShare loader
45.32.181.48 | C&C IP | PcShare loader #1
142.4.124.124 | C&C IP | PcShare loader #2
C:\myWork\vc\Narrator_window_20150606v1.2\x64\Release\Narrator.pdb | PDB path | Fake Narrator

MITRE ATT&CK

Tactic | ID | Name | Observed
Initial Access | T1078 | Valid Accounts |
Execution | T1085 | Rundll32 | PcShare loader
Persistence | T1100 | Webshell |
Persistence | T1060 | Registry Run Keys | PcShare loader
Privilege Escalation | T1015 | Accessibility Features | Fake Narrator
Defense Evasion | T1073 | DLL Sideloading | PcShare loader
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | PcShare loader
Discovery | T1010 | Application Window Discovery | PcShare backdoor
Discovery | T1083 | File and Directory Discovery | PcShare backdoor
Discovery | T1057 | Process Discovery | PcShare backdoor
Discovery | T1012 | Query Registry | PcShare backdoor
Discovery | T1082 | System Information Discovery | PcShare backdoor
Discovery | T1007 | System Service Discovery | PcShare backdoor
Command and Control | T1032 | Standard Cryptographic Protocol | PcShare backdoor
Command and Control | T1105 | Remote File Copy | PcShare backdoor
Exfiltration | T1041 | Exfiltration Over Command and Control Channel | PcShare backdoor

Source: https://web.archive.org/web/20191115210757/https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html