Malware Found In Chinese Banking Software

Trustwave SpiderLabs has discovered a new malware family, dubbed GoldenSpy, embedded in tax payment software that one Chinese bank requires corporations to install to conduct business operations in China.

In April of 2020, the Trustwave SpiderLabs Threat Fusion Team  conducted a proactive threat hunt on behalf of a clients. Trustwave discovered several clients had unwittingly installed the GoldenSpy backdoor after agreeing to download the Intelligent Tax software product, produced by Aisino Corporation.

China’s banks require all companies to download software from either Aisino or Baiwang to comply with its Golden Tax VAT scheme, indicating that the malware campaign has either direct sponsorship from the government, or is happening with its blessing.

Soon after Trustwave reported on the powerful GoldenSpy backdoor, which it said could not be removed, an uninstaller appeared which directly negates the threat.

Now the vendor has discovered a second piece of malware, dubbed GoldenHelper, which dates back to before GoldenSpy. It’s found in the Golden Tax Invoicing Software (Baiwang edition), which is digitally signed by a subsidiary of Aisino.

The malware, while functionally different to GoldenSpy, has a similar delivery mechanism, according to Trustwave. It uses three DLL. files to interface with the Golden Tax software, bypass Windows security and escalate privileges and download and execute arbitrary code with system-level privileges.

It also uses multiple techniques to hide its presence and activity, including randomisation of names whilst in transit and of file system location, time stamping, IP-based Domain Generation Algorithm (DGA) and UAC bypass and privilege escalation. Active from January 2018 to July 2019, the malware delivered a final payload of “taxver.exe,” although the Trustwave team has yet to obtain a sample for analysis.

It’s not clear why GoldenHelper was shut down so abruptly. One guess is that its operators abandoned the project after detection rates jumped, from about three in January 2019 to as many as 29 by March.

Trustwave:    Trustwave:      Ars Technica:       Infosecuity:    Hitpoint Solution

You Might Also Read:

Bank Creates Its Own AI To Identify & Disintegrate Malware:

 

« Easing Out Of Lockdown: Why Should Cyber Security Remain High On The Agenda?
The British Government 'badly underestimated' Russian Political Interference »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

4Secure

4Secure

4Secure is a cyber security company providing services and solutions to counter and respond to the most sophisticated and targeted cyber threats.

TenIntelligence

TenIntelligence

TenIntelligence provides due diligence, brand protection and fraud investigation services including digital forensics.

Federal Office For Information Security (BSI)

Federal Office For Information Security (BSI)

The BSI (Bundesamt fur Sicherheit in der Informationstechnik) is the federal cyber security agency and the chief architect of secure digitalisation in Germany.

360Logica

360Logica

360Logica is a software testing company offering numerous kinds of testing services to improve the quality and performance of your software and IT systems.

Pareteum

Pareteum

Pareteum is a leading Global provider of mobile networking software and services. Our mission is to provide a single solution to the problem of fully enabling and securing the Mobile Cloud.

Sayata Labs

Sayata Labs

Sayata delivers a streamlined solution for processing cyber policies. Increase profitability with an easy and intuitive platform.

NetNordic Group

NetNordic Group

NetNordic is a Nordic system integrator focusing on solutions and services in the area of networking, smart data centers, cybersecurity, and unified communication.

ISARR

ISARR

The ISARR software platform - your bespoke Risk, Resilience & Security Management solution. Simple, cost effective and adaptable, now and into the future.

StackHawk

StackHawk

StackHawk is built to help dev teams ship secure code. Find and fix bugs early before they become vulnerabilities in production.

SubRosa Cyber Solutions

SubRosa Cyber Solutions

SubRosa Cyber Solutions solves its clients’ most tenacious information security, risk and compliance challenges through a multitude of information technology services and expertise.

Datrix

Datrix

Datrix is a leading Smart Infrastructure and Cyber Security solutions provider. We deliver critical networking, communications and cyber security solutions to public and private sector organisations.

DEFENTEK - National Security Informatics

DEFENTEK - National Security Informatics

Defentek (aka National Security Informatics) is a technology consortium covering a broad spectrum of intelligence computing solutions and interception technologies.

IPKeys Technologies

IPKeys Technologies

IPKeys delivers innovative cybersecurity and technology solutions focused on helping the federal government reduce risk and protect the US from cyberattacks.

Sectyne

Sectyne

Sectyne is a full-stack cyber consultancy committed to providing tailored services, advisory consultations, and training.

Cytek

Cytek

Cytek is a leading provider of cybersecurity and HIPAA compliance for dental practices and other industries.

Washington Technology Solutions (WaTech)

Washington Technology Solutions (WaTech)

WaTech operates the state’s core technology infrastructure – the central network and data center, provides strategic direction for cybersecurity and protects state networks from growing cyber threats.