Hackers Replace Windows Narrator to Get SYSTEM Level Access
Researchers with Cylance have uncovered a new hacking campaign that takes advantage of the Windows Narrator app that users can launch from the logon screen before they have entered their credentials. The attackers, who are believed to be operating from China, have developed a malicious version of the app that they use to replace the original on targeted systems. Since the Narrator app runs with system privileges, the trojanized version gives threat actors full control over the host machine.
The sophisticated campaign involves multiple stages. In the first stage, the attackers abuse a legitimate NVIDIA app on targeted systems in order to load the PcShare backdoor, which allows them to compromise the machine and replace the local Narrator app with their malicious version.
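Because the attack described above relies on swapping the Narrator binary on disk, a defender can check whether the file is still the one Windows shipped. The PowerShell below is an added example, not code from Cylance or from this article; the function name `Test-LogonBinaryIntegrity` is hypothetical, and it assumes Windows PowerShell 5.1 or later and the stock path `%SystemRoot%\System32\Narrator.exe`.

```powershell
# Added example (not from the article): triage check for a replaced Narrator binary.
# Test-LogonBinaryIntegrity is a hypothetical name; the default path is the stock location.
function Test-LogonBinaryIntegrity {
    [CmdletBinding()]
    param(
        # Pass additional paths to check other binaries the same way.
        [string[]]$Path = @(Join-Path $env:SystemRoot 'System32\Narrator.exe')
    )

    foreach ($p in $Path) {
        # A missing file is reported rather than thrown, so a sweep over many hosts keeps going.
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{
                Path = $p; Verdict = 'MISSING'; Status = $null; Signer = $null
                IsOSBinary = $null; SHA256 = $null; LastWriteUtc = $null
            }
            continue
        }

        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        $file   = Get-Item -LiteralPath $p -Force
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # Accept only a signature that validates AND that Windows classifies as an OS binary.
        # A file signed by any other publisher, or not signed at all, is flagged for review.
        $trusted = ($sig.Status -eq 'Valid') -and $sig.IsOSBinary

        [pscustomobject]@{
            Path         = $p
            Verdict      = if ($trusted) { 'OK' } else { 'SUSPECT' }
            Status       = $sig.Status
            Signer       = $signer
            IsOSBinary   = $sig.IsOSBinary
            # Hash and timestamp are recorded for comparison with a known-good host.
            SHA256       = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            LastWriteUtc = $file.LastWriteTimeUtc
        }
    }
}

Test-LogonBinaryIntegrity | Format-List
```

A `SUSPECT` verdict means the file needs review, not that it is confirmed malicious; compare the recorded SHA256 with the same file on a clean machine at the same Windows build and patch level.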