Chinese tax software bundled with GoldenSpy backdoor targets western companies

A new malware dubbed GoldenSpy is being distributed embedded in tax payment software that some businesses operating in China are required to install.

GoldenSpy is a new backdoor that is being distributed embedded in tax payment software (the Aisino Intelligent tax software) that some businesses operating in China are required to install.

The campaign is active since at least April 2020, but experts found some samples that suggest the attacks begun at least December 2016.

In October 2016, Chenkuo Technology announced a partnership with Aisino for “big data cooperation. However, it is not clear the role of the companies in the attacks.

According to the security firm Trustwave, a Chinese bank has forced at least two western companies to install tainted tax software.

Taxes

The two companies recently opened offices in China, they are a UK-based technology vendor and a major financial institution.

“Trustwave SpiderLabs has identified a new threat targeting corporations conducting business in China. The victim company is required to install software that will enable payment of local taxes.” reads the report published by Trustwave. “However, a backdoor is hidden within the software package that provides full remote command and control of the victim system, enabling arbitrary remote execution of code, and a remote shell.”

Experts noticed that the software covertly installs the hidden GoldenSpy backdoor (svm.exe) two hours after the tax software is installed.
The backdoor attempts to connect a Chinese domain that was used in past campaign to distribute the GoldenSpy, it allows to gather basic system information and continuously beacons to a remote server for “updates.” The “update” functionality enables GoldenSpy to remotely execute arbitrary code and implements remote command execution capability.

“Svm.exe gathers system information and exfiltrates it to www.ningzhidata[.]com on port 9006. The malware maintains persistence by monitoring itself and if the process is stopped, it will respawn.” continues the report. Additionally, it sends requests to a remote server to update itself (a method to execute additional operations), and it stands open as a backdoor into the environment enabling the command and control server to upload and execute arbitrary code or commands with System privileges.”

The backdoor is digitally signed by a company named Chenkuo Network Technology. Experts noticed that once installed GoldenSpy is independent of the tax software, this means that even installing the Intelligent Tax software, the GoldenSpy will continue to work.

The Svm.exe installs itself as two services named SVM and SVMM, and has two main functions:

  • ExeProtector that spawns off a separate thread to protect svm.exe and svmm.exe, it also allows the malware to achieve persistence.
  • Connects to a C2 that in turn sends additional commands

Trustwave experts are not able to determine the full scope of the GoldenSpy campaign and its real extent.

The report published by Trustwave includes recommendations to mitigate the risk of attacks and Indicators of Compromise (IoCs) for this campaign.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.

APPLY NOW

10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase

X