The FBI has issued an alert to warn US organizations of the risk associated with the use of Chinese tax software that could be infected with malware.

The Federal Bureau of Investigation has issued an alert to inform organizations in the United States of the risk associated with the use of Chinese tax software.

The alert aims at informing US companies in the healthcare, chemical, and
finance sectors of cyber espionage activity by the Chinese government against their business and branches operating in China.

“Compromise of the pharmaceutical supply chain provides malicious actors opportunities for theft of US intellectual property, while public disclosure can cause cascading effects including loss of public trust in both chemical and healthcare institutions.” reads the alert. “As previously highlighted in FBI PIN 20200521-001 released on 21 May 2020 and the US Department of Homeland Security’s joint advisory with Britain’s National Cyber Security Centre, hackers continue to “actively target organizations that include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.”

At the end of June, the experts from Trustwave spotted GoldenSpy, a new backdoor, that is being distributed embedded in tax payment software (the Aisino Intelligent tax software) that some businesses operating in China are required to install.

The campaign is active since at least April 2020, but experts found some samples that suggest the attacks begun at least December 2016.

A few days after the publishing of the report, an uninstaller was pushed to compromised machines, to completely remove GoldenSpy implementing the removal procedure suggested by Trustwave in its initial report.

Anyway, researchers were able to discover another piece of malware, dubbed GoldenHelper, that was delivered with the same mechanism. GoldenHelper was bundled in the Golden Tax Invoicing Software (Baiwang Edition), which Chinese banks require their clients to install.

This second malware is completely different from GoldenSpy, experts noticed that although it is called “Baiwang Edition”, GoldenHelper was digitally signed by NouNou Technologies, a subsidiary of Aisino Corporation.

According to the alert, at least two Western organizations doing business in China would install the backdoor.

“As early as March 2019, at least two Western companies operating in China detected malware that was delivered through Chinese vendors that were responsible for releasing tax software upgrades following changes in 2018 to China’s value-added tax (VAT).” the alert continues.”The malware launched a backdoor into victim systems, which the FBI assesses likely allows cyber actors to preposition to conduct remote code execution and exfiltration activities on the victim’s network.”

FBI Agent

Feds believe that all foreign companies operating in China might be at risk due to the use of the software from Baiwang and Aisino, the two tax software service providers authorized to operate the value-added tax (VAT) system in China.

The alert also includes recommendations on how companies can mitigate the risk of hack intrusions. The FBI also published the indicators of compromise (IoC) for the threats.

Pierluigi Paganini