Threat Management, Threat Management, Threat Intelligence, Malware

Tax software used by Chinese bank clients installs GoldenSpy backdoor

A tax software program installed by business clients of an unidentified Chinese bank was trojanized with malware that installs a backdoor granting attackers SYSTEM-level privileges, researchers warn.

In a company blog post and more detailed threat report, Trustwave and its SpiderLabs team identified the accounting software as Intelligent Tax, which was reportedly developed by the Golden Tax Department of IT and information security company Aisino Corporation, and digitally signed by a second company, Chenkuo Network Technology.

It is unknown if the bank (which Trustwave left unnamed), Aisino, Chenkuo Network Technology, or another party such as the Chinese government was actively behind the scheme. Trustwave says it caught the threat too early in the kill chain to make such attributions -- although it does note that the campaign bears certain traits of a coordinated Advanced Persistent Threat operation.

Because it is unknown how large the scope of the attack goes and what players are involved, "every corporation operating in China or using the Aisino Intelligent Tax Software should consider this incident a potential threat and should engage in threat hunting, containment and remediation countermeasures," warns Brian Hussey, VP of cyber threat detection and response at Trustwave.

While the software is functional and used to pay local taxes, Trustwave says adversaries can leverage the GoldenSpy malware within to execute an array of Windows commands or upload and execute additional malicious code, including ransomware and trojans. The malware beacons and communicates with the attackers' command-and-control server, which operates separately from the tax software's network infrastructure. This server was found to reside at the domain ningzhidata[.]com domain, which was registered on Sept. 22, 2019.

Hussey describes GoldenSpy as a "well-hidden and powerful backdoor that surrenders full remote command and control of the victim system to an unknown adversary." He also warns that the presence of such a backdoor "will violate compliance requirements for most regulatory agencies."

Trustwave discovered the threat while conducting a proactive threat hunt on behalf of one of its clients, described as a global technology vendor that recently opened offices in China and contracts with governments in the U.S., Australia and the UK. Trustwave also identified similar malicious activity at an unnamed financial institution that appears to be a second target of the malware campaign, which began in April 2020.

GoldenSpy engages in a number of troublesome behavior designed to either establish persistence or evade detection.

To gain a strong foothold within infected systems, the malware downloads and executes a file called svminstaller.exe that installs two identical executables -- svm.exe and svmm.exe -- as persistent autostart services. "If either stops running, it will respawn its counterpart," writes Hussey. "Furthermore, it utilizes an exeprotector module that monitors for the deletion of either iteration of itself. If deleted, it will download and execute a new version. Effectively, this triple-layer protection makes it exceedingly difficult to remove this file from an infected system."

Then victims install the tax software, the malware waits two hours before it is also secretly downloaded and installed, with no notification. If users attempt to dispense with the program, the uninstall feature allows the malware to continue running silently as a backdoor, even after functioning tax software is fully removed. Additionally, the aforementioned beaconing process is randomized to elude anti-beaconing protections.

Trustwave says it has uncovered variations of the GoldSpy malware that date back to December 2016 -- just two months after Chenkuo Technology’s website announced a partnership with Aisino that involves big data.

"GoldenSpy certainly could enable big data access and collection," Hussey notes. However, "Trustwave SpiderLabs has no current knowledge if GoldenSpy was active in the wild since 2016."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.