The actors behind a campaign to spread GoldenSpy malware via tax accounting software used by customers of a Chinese bank have recently attempted to distribute an uninstaller that deletes the backdoor in an apparent attempt to cover up their illicit activities.

In a previous company blog post and threat reportTrustwave and its SpiderLabs team identified the accounting software as Intelligent Tax, which was reportedly developed by China-based Aisino Corporation, and digitally signed by a second Chinese company, Chenkuo Network Technology. It is unknown if the bank (which Trustwave left unnamed), Aisino, Chenkuo Network Technology, or another party such as the Chinese government was actively behind the scheme. 

Now, in a follow-up blog post, Trustwave reports that it observed the new uninstaller, called AWX.exe, on June 28.

Trustwave says the purpose of the installer is to delete any trace of evidence that GoldenSpy ever existed on an infected machine — including registry entries, files and folders. The uninstaller even automatically deletes itself.

The tax software can execute the installer via a command for upgrading or installing new software. Normally, it would download an SVMinstaller module to implant GoldenSpy, “but as of June 28, we have identified a new flow that downloads and executes” the uninstaller,” reports blog post author Brian Hussey, VP of cyber threat detection and response at Trustwave.

“In our testing, this GoldenSpy uninstaller will automatically download and execute, and effectively, will negate the direct threat of GoldenSpy in your environment; however, as the deployment of this uninstaller is delivered directly from the supposedly legitimate tax software, this has to leave users of Intelligent Tax concerned about what else could be downloaded and executed in a similar manner,” Hussey continues.

“While the SpiderLabs team is gratified to see GoldenSpy research and analysis result in such a rapid course reversal in the Golden Tax threat campaign, we are not so optimistic as to believe that this new development signifies a slow-down in threat actor activity. This threat is a clear and present danger, driven by incredibly smart and innovative adversaries.”

According to the report, on July 29, Trustwave observed a second version of the uninstaller that featured additional functionality for obfuscating its variables with Base64 encoding — possibly to dodge antivirus defenses.