Malware Found In Chinese Banking Software

Trustwave SpiderLabs has discovered a new malware family, dubbed GoldenSpy, embedded in tax payment software that one Chinese bank requires corporations to install to conduct business operations in China.

In April of 2020, the Trustwave SpiderLabs Threat Fusion Team  conducted a proactive threat hunt on behalf of a clients. Trustwave discovered several clients had unwittingly installed the GoldenSpy backdoor after agreeing to download the Intelligent Tax software product, produced by Aisino Corporation.

China’s banks require all companies to download software from either Aisino or Baiwang to comply with its Golden Tax VAT scheme, indicating that the malware campaign has either direct sponsorship from the government, or is happening with its blessing.

Soon after Trustwave reported on the powerful GoldenSpy backdoor, which it said could not be removed, an uninstaller appeared which directly negates the threat.

Now the vendor has discovered a second piece of malware, dubbed GoldenHelper, which dates back to before GoldenSpy. It’s found in the Golden Tax Invoicing Software (Baiwang edition), which is digitally signed by a subsidiary of Aisino.

The malware, while functionally different to GoldenSpy, has a similar delivery mechanism, according to Trustwave. It uses three DLL. files to interface with the Golden Tax software, bypass Windows security and escalate privileges and download and execute arbitrary code with system-level privileges.

It also uses multiple techniques to hide its presence and activity, including randomisation of names whilst in transit and of file system location, time stamping, IP-based Domain Generation Algorithm (DGA) and UAC bypass and privilege escalation. Active from January 2018 to July 2019, the malware delivered a final payload of “taxver.exe,” although the Trustwave team has yet to obtain a sample for analysis.

It’s not clear why GoldenHelper was shut down so abruptly. One guess is that its operators abandoned the project after detection rates jumped, from about three in January 2019 to as many as 29 by March.

Trustwave:    Trustwave:      Ars Technica:       Infosecuity:    Hitpoint Solution

You Might Also Read:

Bank Creates Its Own AI To Identify & Disintegrate Malware:

 

« Easing Out Of Lockdown: Why Should Cyber Security Remain High On The Agenda?
The British Government 'badly underestimated' Russian Political Interference »

Directory of Suppliers

WEBINAR: How to improve threat detection and hunting in the AWS Cloud

WEBINAR: How to improve threat detection and hunting in the AWS Cloud

Thursday, August 20, 2020 - Join SANS and AWS Marketplace to learn the exercise of applying MITRE’s ATT&CK Matrix to the AWS Cloud and how to enhance threat detection and hunting in an AWS environment

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

WEBINAR: How to achieve security visibility at scale in the AWS Cloud

WEBINAR: How to achieve security visibility at scale in the AWS Cloud

Thursday August 27, 2020: Join SANS and AWS Marketplace to learn how you can leverage solutions to create visibility at scale and allow you to do more with your data and improve your security posture.

DigitalStakeout

DigitalStakeout

A simple and cost-effective solution to monitor, investigate and analyze data from the web, social media and cyber sources to identify threats and make better security decisions.

Tenable Network Security

Tenable Network Security

Tenable Network Security - The Rise of the Business-Aligned Security Executive. Is your security operation aligned with the overarching goals of the business?

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Watchcom Security Group

Watchcom Security Group

Watchcom is one of Norway's foremost suppliers of information security consultancy services.

NTP Software

NTP Software

NTP Software is a worldwide leader in the management and control of unstructured file data.

Pindrop Security

Pindrop Security

Pindrop solutions are leading the way to the future of voice by establishing the standard for security, identity, and trust for every voice interaction.

Calian Group

Calian Group

Calian is a diverse Canadian company offering professional services in areas including IT Consulting, Cyber Security and IT Products.

Ingenio Global

Ingenio Global

Ingenio is a specialist recruitment business for technology professionals and operates a focused cybersecurity practice.

Dualog

Dualog

Dualog provides a maritime digital platform which ensures that services work reliably and securely onboard.

Connax

Connax

Connax's mission is to give simple and secure device integration with various IoT platforms, their applications and services.

Huntress Labs

Huntress Labs

Huntress provides managed threat detection and response services to uncover and address malicious footholds that slip past your preventive defenses.