A new malware dubbed GoldenSpy is being distributed embedded in tax payment software that some businesses operating in China are required to install.

GoldenSpy is a new backdoor that is being distributed embedded in tax payment software (the Aisino Intelligent tax software) that some businesses operating in China are required to install.

The campaign is active since at least April 2020, but experts found some samples that suggest the attacks begun at least December 2016.

In October 2016, Chenkuo Technology announced a partnership with Aisino for “big data cooperation. However, it is not clear the role of the companies in the attacks.

According to the security firm Trustwave, a Chinese bank has forced at least two western companies to install tainted tax software.

Taxes

The two companies recently opened offices in China, they are a UK-based technology vendor and a major financial institution.

“Trustwave SpiderLabs has identified a new threat targeting corporations conducting business in China. The victim company is required to install software that will enable payment of local taxes.” reads the report published by Trustwave. “However, a backdoor is hidden within the software package that provides full remote command and control of the victim system, enabling arbitrary remote execution of code, and a remote shell.”

Experts noticed that the software covertly installs the hidden GoldenSpy backdoor (svm.exe) two hours after the tax software is installed.
The backdoor attempts to connect a Chinese domain that was used in past campaign to distribute the GoldenSpy, it allows to gather basic system information and continuously beacons to a remote server for “updates.” The “update” functionality enables GoldenSpy to remotely execute arbitrary code and implements remote command execution capability.

“Svm.exe gathers system information and exfiltrates it to www.ningzhidata[.]com on port 9006. The malware maintains persistence by monitoring itself and if the process is stopped, it will respawn.” continues the report. Additionally, it sends requests to a remote server to update itself (a method to execute additional operations), and it stands open as a backdoor into the environment enabling the command and control server to upload and execute arbitrary code or commands with System privileges.”

The backdoor is digitally signed by a company named Chenkuo Network Technology. Experts noticed that once installed GoldenSpy is independent of the tax software, this means that even installing the Intelligent Tax software, the GoldenSpy will continue to work.

The Svm.exe installs itself as two services named SVM and SVMM, and has two main functions:

  • ExeProtector that spawns off a separate thread to protect svm.exe and svmm.exe, it also allows the malware to achieve persistence.
  • Connects to a C2 that in turn sends additional commands

Trustwave experts are not able to determine the full scope of the GoldenSpy campaign and its real extent.

The report published by Trustwave includes recommendations to mitigate the risk of attacks and Indicators of Compromise (IoCs) for this campaign.

Pierluigi Paganini