PCShare is an open-source backdoor trojan available on a number of primarily Chinese-language hacking forums.
Unlike most backdoors, PCShare uses a custom loader that differs from campaign to campaign. The loader is disguised as a spoofed version of a legitimate application, typically a graphics or firmware driver installer, hosted on third-party sites. When downloaded and executed, the loader uses DLL side-loading to inject PCShare into the memory of a number of running processes, which helps it evade anti-virus detection.
Once installed, PCShare connects to a command and control server using connection details that the loader supplies from a number of remote files. If the connection succeeds, PCShare downloads and installs any payloads served by the C2 server.
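One way to hunt for the side-loading stage described above, as an added example that is not PcShare code and not from the ThreatVector report: a heuristic over a process-module listing that flags any module whose file name matches a well-known Windows system DLL but which was loaded from outside the Windows system directories, with user-writable locations called out separately. The module listing, the process names and the small set of system DLL names are constructed for the example (the DLL names are common side-loading targets in general, not indicators from this page).

```python
"""Flag DLL side-loading candidates in a process-module listing.

Added example; not PcShare code and not from the ThreatVector report.
The module listing, process names and the set of well-known system DLL
names below are constructed for the example (the DLL names are common
side-loading targets in general, not PcShare indicators).
"""
from pathlib import PureWindowsPath

# Directories a genuine copy of these DLLs is expected to load from.
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)
# Path fragments that indicate a location an unprivileged user can write to.
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# Illustrative subset of system DLL names frequently abused for side-loading.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "uxtheme.dll", "cryptbase.dll", "userenv.dll"}


def is_system_path(path):
    """True if the module path is under one of the Windows system directories."""
    return path.lower().startswith(SYSTEM_DIRS)


def is_user_writable(path):
    """True if the path looks like it sits in a user-writable location."""
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def side_loading_candidates(modules):
    """modules: iterable of (process_name, module_path) pairs.

    Returns a list of (process, path, reason) for every module whose file
    name is a well-known system DLL but which was loaded from outside the
    system directories, i.e. a DLL that a host binary probably resolved
    from its own directory instead of from System32.
    """
    hits = []
    for proc, path in modules:
        name = PureWindowsPath(path).name.lower()
        if name not in KNOWN_SYSTEM_DLLS or is_system_path(path):
            continue
        reason = "system DLL name loaded from non-system directory"
        if is_user_writable(path):
            reason += ", user-writable location"
        hits.append((proc, path, reason))
    return hits


# Constructed module listing in the shape a process-module dump would give.
SAMPLE_MODULES = [
    ("GfxDriverSetup.exe", "C:\\Users\\alice\\Downloads\\GfxDriverSetup.exe"),
    ("GfxDriverSetup.exe", "C:\\Windows\\System32\\kernel32.dll"),
    ("GfxDriverSetup.exe", "C:\\Users\\alice\\Downloads\\version.dll"),
    ("explorer.exe", "C:\\Windows\\System32\\version.dll"),
    ("svchost.exe", "C:\\Windows\\SysWOW64\\dwmapi.dll"),
    ("FwUpdater.exe", "C:\\ProgramData\\FwUpdater\\dwmapi.dll"),
    ("notepad.exe", "C:\\Program Files\\Foo\\cryptbase.dll"),
]


def scan_sample():
    """Run the heuristic over the constructed listing."""
    return side_loading_candidates(SAMPLE_MODULES)


if __name__ == "__main__":
    for proc, path, reason in scan_sample():
        print("%-20s %-50s %s" % (proc, path, reason))
```

In practice the (process, module path) pairs come from an image-load telemetry source such as Sysmon Event ID 7 or a memory image's module lists; the heuristic is deliberately broad, so expect to whitelist legitimate applications that ship their own copies of these DLLs, and pair it with a hash or signature check on the flagged file.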
According to ThreatVector, the precise attribution of these attacks has proven elusive. The use of the PcShare backdoor, as well as the geographical location of the victims, bears similarities to a known threat actor called Tropic Trooper, which actively targets government institutions and heavy-industry companies in Taiwan and the Philippines.
Notable features of the modified PcShare variant:
- Different modes of operation, including SSH and Telnet server, self-update mode, and file upload and download modes
- Use of a custom LZW algorithm implementation for traffic compression
- Use of the PolarSSL library to encrypt C&C communication (not present in the open-source version)
- Proxy authentication via local user credentials (not present in the open-source version)
- Several remote administration abilities:
  - List, create, rename, delete files and directories
  - List and kill processes
  - Edit registry keys and values
  - List and manipulate services
  - Enumerate and control windows
  - Execute binaries
  - Download additional files from the C&C or a provided URL
  - Upload files to the C&C
  - Spawn a command line shell
  - Navigate to URLs
  - Display message boxes
  - Reboot or shut down the system
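The traffic-compression feature listed above is easier to recognise on the wire with a reference implementation to hand. The following is an added example of textbook LZW, not PcShare's custom variant (whose code width, dictionary limit and packing the page does not describe); the 12-bit dictionary cap and the 16-bit little-endian code packing are assumptions of the example, and the C2-style process-list response it compresses is constructed. It shows the size reduction on repetitive C2 data and the decoder-side rejection of a code the dictionary cannot explain, which is what an analyst sees when the parameters do not match the captured stream.

```python
"""Textbook LZW over a C2-style message, as an added example.

Not PcShare's custom implementation: the dictionary cap (12-bit, 4096
codes) and the packing of codes as 16-bit little-endian words are
assumptions chosen for this example, and are exactly the parameters an
analyst varies when matching a custom variant against captured traffic.
"""
import struct

MAX_CODES = 4096  # assumed 12-bit dictionary limit; encoder and decoder must agree


def lzw_compress(data):
    """Return the list of LZW codes for data (bytes)."""
    dictionary = {bytes([i]): i for i in range(256)}
    w = b""
    codes = []
    for byte in data:
        wc = w + bytes([byte])
        if wc in dictionary:
            w = wc
            continue
        codes.append(dictionary[w])
        # Grow the dictionary until the cap; after that keep emitting with the
        # frozen dictionary so the decoder stays in sync.
        if len(dictionary) < MAX_CODES:
            dictionary[wc] = len(dictionary)
        w = bytes([byte])
    if w:
        codes.append(dictionary[w])
    return codes


def lzw_decompress(codes):
    """Inverse of lzw_compress.

    Raises ValueError on a code the dictionary cannot explain, which is what
    a corrupt stream or a differently parameterised encoder produces.
    """
    if not codes:
        return b""
    dictionary = {i: bytes([i]) for i in range(256)}
    w = dictionary.get(codes[0])
    if w is None:
        raise ValueError("invalid first code %d" % codes[0])
    out = bytearray(w)
    for k in codes[1:]:
        if k in dictionary:
            entry = dictionary[k]
        elif k == len(dictionary) and k < MAX_CODES:
            entry = w + w[:1]  # the cScSc special case: code not yet added
        else:
            raise ValueError("invalid code %d" % k)
        out += entry
        if len(dictionary) < MAX_CODES:
            dictionary[len(dictionary)] = w + entry[:1]
        w = entry
    return bytes(out)


def pack_codes(codes):
    """Serialise codes as 16-bit little-endian words (assumed wire format)."""
    return struct.pack("<%dH" % len(codes), *codes)


def unpack_codes(blob):
    """Parse the assumed wire format back into a code list."""
    if len(blob) % 2:
        raise ValueError("truncated code stream")
    return list(struct.unpack("<%dH" % (len(blob) // 2), blob))


def compress_message(msg):
    return pack_codes(lzw_compress(msg))


def decompress_message(blob):
    return lzw_decompress(unpack_codes(blob))


# Constructed stand-in for a process-list response: repetitive, as C2 output
# from the "list processes" command would be.
SAMPLE_RESPONSE = b"".join(
    b"%d|svchost.exe|C:\\Windows\\System32\\svchost.exe\n" % pid for pid in range(600, 640)
)


def demo():
    """Return (original length, compressed length, round-trip ok)."""
    blob = compress_message(SAMPLE_RESPONSE)
    return len(SAMPLE_RESPONSE), len(blob), decompress_message(blob) == SAMPLE_RESPONSE


if __name__ == "__main__":
    print(demo())
```

When reversing a custom variant, the three things to pin down from the binary before this decoder will track real traffic are the initial dictionary (256 single bytes here), the code width or dictionary cap, and how codes are packed into bytes; a mismatch in any of them surfaces as the ValueError above a few codes into the stream.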
Indicators of Compromise