Replacing the built-in Narrator "Ease of Access" feature in Windows, the attackers also deploy a version of the open-source malware known as the PcShare backdoor to gain an initial foothold into victims' systems. Using the two tools, the adversaries are able to surreptitiously control Windows machines via remote desktop logon screens, without the need for credentials.
The attacks begin by delivering the PcShare backdoor to victims via spearphishing campaigns. It has been modified and designed to operate when side-loaded by a legitimate Nvidia application.
It is "tailored to the needs of the campaign, with additional command-and-control encryption and proxy bypass functionality, and any unused functionality removed from the code", explained researchers with BlackBerry Cylance, in an analysis posted on Wednesday. The unused functionality includes audio/video streaming and keyboard monitoring, suggesting that it's strictly being used to install other malware.