By Brian Hussey, VP of Cyber Threat Detection and Response at Trustwave
Trustwave SpiderLabs has discovered a new malware family, dubbed GoldenSpy, embedded in tax payment software that a Chinese bank requires corporations to install to conduct business operations in China.
In April of 2020, the Trustwave SpiderLabs Threat Fusion Team engaged a customer to conduct a Proactive
Threat Hunt. The company is a global technology vendor with significant government business in the US, Australia, UK, and recently opened offices in China. Our threat hunt produced several key findings important to the long-term security of their network, however, one key finding stood out as potentially impacting countless other businesses who currently operate in China. A full analysis of our findings is
available for download.
Investigation Details
We identified an executable file displaying highly unusual behavior and sending system information to a suspicious Chinese domain. Discussions with our client revealed that this was part of their bank’s required tax software. They informed us that upon opening operations in China, their local Chinese bank required that they install a software package called Intelligent Tax produced by the Golden Tax Department of Aisino Corporation, for paying local taxes.
As we continued our investigation into the tax software, we found that it worked as advertised, but it also installed a hidden backdoor on the system that enabled a remote adversary to execute Windows commands or to upload and execute any binary (to include ransomware, trojans, or other malware). Basically, it was a wide-open door into the network with SYSTEM level privileges and connected to a command and control server completely separate from the tax software’s network infrastructure. Based on this, and several other factors (described below) we determined this file to have sufficient characteristics to be malware. We’ve since fully reverse-engineered the files and named the family GoldenSpy…Click here to find out more.