PCShare Backdoor

PCShare is an open-source backdoor trojan available on a number of primarily Chinese-language hacking forums.

Unlike most backdoors, PCShare uses a custom loader that differs between campaigns. This loader is disguised within spoofed versions of legitimate applications, typically graphics and firmware drivers, hosted on third-party sites. When downloaded and executed, the loader uses DLL side-loading to inject PCShare into the memory of a number of running processes, which helps it evade anti-virus detection.

Once installed, PCShare connects to a command and control server using details passed to it by the loader in a number of remote files. If the connection succeeds, PCShare then downloads and installs any payloads served by the C2 server.

According to ThreatVector, the precise attribution of these attacks has proven elusive. The use of the PCShare backdoor, as well as the geographical location of the victims, bears similarities to a known threat actor called Tropic Trooper, which actively targets government institutions and heavy industry companies in Taiwan and the Philippines.

Further details – https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html

FEATURES

  • Different modes of operation, including SSH & Telnet server, self-update mode, file upload and download modes
  • Use of a custom LZW algorithm implementation for traffic compression
  • Use of the PolarSSL library to encrypt C&C communication (not present in the open-source version)
  • Proxy authentication via local user credentials (not present in the open-source version)
  • Several remote administration abilities:
      ◦ List, create, rename, delete files and directories
      ◦ List and kill processes
      ◦ Edit registry keys and values
      ◦ List and manipulate services
      ◦ Enumerate and control windows
      ◦ Execute binaries
      ◦ Download additional files from the C&C or a provided URL
      ◦ Upload files to the C&C
      ◦ Spawn a command line shell
      ◦ Navigate to URLs
      ◦ Display message boxes
      ◦ Reboot or shut down the system

Indicators of Compromise

SHA-256

  • 0022508fd02bb23c3a2c4f5de0906df506a2fcabc3e841365b60ba4dd8920e0c
  • 1899b3d59a9dc693d45410965c40c464224160bbef596f51d35fda099d609744
  • 49b86ae6231d44dfc2ff4ad777ea544ae534eb40bd0209defffec1eb1fe66b34
  • bd345155aa4baa392c3469b9893a4751c2372ae4923cf05872bcdc159b9596f8
  • c5226bfd53d789a895559e8bcbedc4ecdde543e54a427b1cb4e5d7ef90756daa

IPs

  • 45.32.181.48
  • 142.4.124.124
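The hashes and IP addresses above are only useful if they are actually checked against hosts and logs. The script below is an added example (not part of the original post or of the ThreatVector report) that turns the listed indicators into a simple sweep: it hashes every file under a directory and reports any match against the SHA-256 list, and it scans proxy or firewall log lines for the two C2 addresses. Hashes are lowercased before comparison, which also collapses the upper/lower-case duplicate in the published list; IPs are extracted with a regex so that a C2 address is not matched as a substring of a longer number. The log lines in `SAMPLE_LOG` are constructed for the demo and are not real traffic.

```python
"""IoC sweep for the PCShare indicators listed in the write-up (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 indicators from the write-up. Lowercasing before building the set
# makes comparison case-insensitive and collapses the duplicate entry.
PCSHARE_SHA256 = {
    h.lower()
    for h in (
        "0022508fd02bb23c3a2c4f5de0906df506a2fcabc3e841365b60ba4dd8920e0c",
        "1899B3D59A9DC693D45410965C40C464224160BBEF596F51D35FDA099D609744",
        "1899b3d59a9dc693d45410965c40c464224160bbef596f51d35fda099d609744",
        "49b86ae6231d44dfc2ff4ad777ea544ae534eb40bd0209defffec1eb1fe66b34",
        "bd345155aa4baa392c3469b9893a4751c2372ae4923cf05872bcdc159b9596f8",
        "c5226bfd53d789a895559e8bcbedc4ecdde543e54a427b1cb4e5d7ef90756daa",
    )
}

# C2 IP addresses from the write-up.
PCSHARE_C2_IPS = {"45.32.181.48", "142.4.124.124"}

# Dotted-quad with boundaries so "142.4.124.124" is not found inside
# a longer run such as "1142.4.124.1240".
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample log lines (not real traffic) used by the demo and tests.
SAMPLE_LOG = [
    "2019-09-10T12:00:01Z proxy allow src=10.0.0.5 dst=93.184.216.34:443 host=example.com",
    "2019-09-10T12:00:07Z proxy allow src=10.0.0.5 dst=45.32.181.48:443 host=-",
    "2019-09-10T12:00:13Z fw allow src=10.0.0.7 dst=142.4.124.124:80",
]


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_directory(root):
    """Return [(path, sha256)] for every regular file under root that matches an IoC."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = sha256_of_file(path)
            if digest in PCSHARE_SHA256:
                hits.append((str(path), digest))
    return hits


def scan_log_lines(lines):
    """Return [(line_number, ip, line)] for each log line that references a C2 IP."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in PCSHARE_C2_IPS:
                hits.append((number, ip, line.rstrip()))
    return hits


if __name__ == "__main__":
    # Demo: a throwaway directory with one benign file produces no hash hits,
    # while the constructed log lines produce two C2 hits.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "benign.txt").write_bytes(b"not malware\n")
        print("file hits:", sweep_directory(tmp))
    for number, ip, line in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: C2 address {ip} in: {line}")
```

Point `sweep_directory` at a download folder or a collected triage image rather than a whole system drive on the first run; hashing is I/O bound and a full-disk sweep can take a long time. Hash matching only catches the exact samples listed, so the IP scan is the more durable of the two checks for this campaign.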

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
