PCShare Backdoor

PCShare is open-source backdoor trojan available on a number of primarily Chinese-language hacking forums.

Threat ID:: CC-3230
Category:: Backdoor
Threat Severity:: Medium
Threat Vector:
Published:: 26 September 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

PCShare is open-source backdoor trojan available on a number of primarily Chinese-language hacking forums.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

Unlike most backdoors, PCShare uses a custom loader that differs with each individual campaign. This loader is disguised within spoofed versions of legitimate applications, typically graphical and firmware drivers, hosted through third-party sites. When downloaded and executed, the loader uses DLL side-loading to inject PCShare into the memory of a number of running processes, ensuring it evades anti-virus detection.

Once installed, PCShare will connect to a command and control sever using details passed to it by the loader in a number of remote files. If successful, PCShare will then download and install any payloads from the C2 server.

Remediation steps

Type	Step
	To prevent and detect an infection, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

To prevent and detect an infection, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Last edited: 14 February 2020 2:54 pm