Threat Management, Threat Intelligence, Malware

‘GoldenSpy’ tax software campaign tries to erase evidence of malware

The actors behind a campaign to spread GoldenSpy malware via tax accounting software used by customers of a Chinese bank have recently attempted to distribute an uninstaller that deletes the backdoor in an apparent attempt to cover up their illicit activities.

In a previous company blog post and threat reportTrustwave and its SpiderLabs team identified the accounting software as Intelligent Tax, which was reportedly developed by China-based Aisino Corporation, and digitally signed by a second Chinese company, Chenkuo Network Technology. It is unknown if the bank (which Trustwave left unnamed), Aisino, Chenkuo Network Technology, or another party such as the Chinese government was actively behind the scheme. 

Now, in a follow-up blog post, Trustwave reports that it observed the new uninstaller, called AWX.exe, on June 28.

Trustwave says the purpose of the installer is to delete any trace of evidence that GoldenSpy ever existed on an infected machine -- including registry entries, files and folders. The uninstaller even automatically deletes itself.

The tax software can execute the installer via a command for upgrading or installing new software. Normally, it would download an SVMinstaller module to implant GoldenSpy, "but as of June 28, we have identified a new flow that downloads and executes" the uninstaller," reports blog post author Brian Hussey, VP of cyber threat detection and response at Trustwave.

"In our testing, this GoldenSpy uninstaller will automatically download and execute, and effectively, will negate the direct threat of GoldenSpy in your environment; however, as the deployment of this uninstaller is delivered directly from the supposedly legitimate tax software, this has to leave users of Intelligent Tax concerned about what else could be downloaded and executed in a similar manner," Hussey continues.

"While the SpiderLabs team is gratified to see GoldenSpy research and analysis result in such a rapid course reversal in the Golden Tax threat campaign, we are not so optimistic as to believe that this new development signifies a slow-down in threat actor activity. This threat is a clear and present danger, driven by incredibly smart and innovative adversaries."

According to the report, on July 29, Trustwave observed a second version of the uninstaller that featured additional functionality for obfuscating its variables with Base64 encoding -- possibly to dodge antivirus defenses.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.