A second tax software program associated with the Chinese banking industry has now been found to contain an embedded backdoor that secretly grants attackers SYSTEM-level privileges.
In late June, researchers from Trustwave SpiderLabs reported that accounting software called Intelligence Tax, developed by Chinese information security company Aisino Corporation and distributed to global clients of an unidentified Chinese bank, was trojanized with "GoldenSpy," a malware capable of executing an array of Windows commands as well as arbitrary code.
Now these same researchers are warning of "GoldenHelper," another backdoor malware that was found in a program called Golden Tax Invoicing Software (Baiwang Edition), which Trustwave says is also developed by Aisino, through its subsidiary NouNou Technology. According to Trustwave, GoldenHelper is actually a precursor to GoldenSpy.
Strangely, there is a company called Baiwang that also develops Chinese VAT invoicing software, but Trustwave found no official connection between Golden Tax and that company, despite the allusion to a Baiwang Edition in the name of the software.
Chinese banks require their clients to use Golden Tax for value-added tax invoicing purposes, meaning companies may have had no choice but to install software capable of malicious activity in order to conduct business and pay taxes in China, Trustwave reports in a new company blog post published this morning. Intelligence Tax was likewise required by at least one Chinese bank, presenting clients with a similar dilemma.
GoldenHelper is not a final payload. Rather, it drops a secondary malware called taxver.exe, the purpose of which is not known. Trustwave notes that the malware "utilizes sophisticated techniques to hide its delivery, presence, and activity," including obfuscation via fake and randomized filenames, timestomping (the randomization of timestamps), UAC bypass and privilege escalation.
In another odd twist, Trustwave found that Golden Tax software and the GoldenHelper malware hidden within may have been distributed to targets through Windows 7 computers (Home edition) that were shipped to clients with the software preinstalled. "This deployment mechanism is an interesting physical manifestation of a trojan horse," states the blog post.
Because businesses that operate in China must, by government law, use the VAT tax invoice software, Trustwave "recommends that any system hosting third-party applications with a potential for adding a gateway into your environment, be isolated and heavily monitored with strict processes and procedures in their usage."
It appears the GoldenHelper campaign is no longer active, as the command-and-control domains expired last January. However, the final payload of taxver.exe could still be operational.
Trustwave believes GoldenHelper was active from January 2018 through July 2019, meaning anyone after July 2019 would not be infected. The researchers suspect rising malware detection rates may be the reason GoldenHelper was shut down and later replaced with GoldenSpy, which began its run in April 2020 and was exposed in June 2020.