Trustwave specialists discovered that an unnamed Chinese bank has required at least two Western companies to install official tax software containing the GoldenSpy backdoor. The names of the affected companies were not disclosed, but it is known that one is a financial institution and the other a software provider, both of which recently opened offices in China.
It all started when one of the clients turned to Trustwave for help, explaining that the Chinese bank required the company to install Intelligent Tax, software developed by Aisino Corporation specifically for paying local taxes.
Trustwave experts found the backdoor after noticing suspicious network requests originating from the client's network. Having analyzed the tax software supplied by the Chinese bank, the researchers concluded that the program works as advertised and really does allow the user to pay local taxes, but at the same time it installed the hidden GoldenSpy backdoor on the client's systems.
GoldenSpy runs with SYSTEM-level privileges, which allows remote attackers to connect to the infected host, execute commands, and download and install additional software.
Many programs include remote-access features that are commonly used for debugging or support, but Trustwave experts explain that this is not such a case. They write that they uncovered functionality that is typically found only in malware, not in legitimate programs. Specifically, GoldenSpy has the following characteristics:
- The backdoor registers two identical copies of itself in autorun. If one copy stops running, its twin immediately restarts it. In addition, the malware uses an exeprotector module that watches for the removal of either of these "clones"; if one is deleted, a fresh copy of the malware is downloaded and executed. This three-layer protection makes it very difficult to remove the file from an infected system.
- Uninstalling Intelligent Tax does not remove GoldenSpy, which stays on the system and continues to function as a hidden backdoor.
- GoldenSpy is not downloaded or installed until two hours after the tax software's installation completes. When the backdoor is finally installed, it happens silently, with no notification to the user.
- GoldenSpy does not contact the tax software's own infrastructure (i-xinnuo(.)com) but instead reaches out to the domain ningzhidata(.)com, which was previously used to host other versions of the GoldenSpy malware.
- After the first three attempts to reach the command-and-control server, the malware randomizes the timing of subsequent attempts to "check in". This is a well-known technique for evading defensive tooling that looks for regular beaconing.
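The last two points translate directly into a hunting query: look for any host resolving the GoldenSpy C2 domain, and then check whether its contact pattern matches the described "three fixed attempts, then randomized" schedule. The script below is an added example written for this article; it is not Trustwave's tooling and not code from the Aisino product. The DNS log lines are constructed for illustration, the `<timestamp> <client-ip> query <fqdn>` layout is an assumed log format, and the jitter heuristic (identical intervals between the first three contacts, differing intervals afterwards) is an assumption about how the behaviour described above would appear in resolver logs. Queries to the tax software's own domain, i-xinnuo(.)com, are expected traffic and are deliberately not treated as an indicator.

```python
import re
from collections import defaultdict
from datetime import datetime

# Domains taken from the article. ningzhidata.com is the GoldenSpy C2 host;
# i-xinnuo.com is the tax software's legitimate infrastructure and is NOT an indicator.
GOLDENSPY_C2_DOMAINS = {"ningzhidata.com"}
TAX_SOFTWARE_DOMAINS = {"i-xinnuo.com"}

# Constructed DNS resolver log (not real data). Assumed format:
# "<ISO timestamp> <client-ip> query <fqdn>". Host 10.0.5.21 shows the described
# pattern: three check-ins 30 s apart, then irregular gaps. Host 10.0.5.22 only
# talks to the legitimate tax infrastructure.
SAMPLE_LOG = """\
2020-06-25T09:00:00 10.0.5.21 query update.i-xinnuo.com
2020-06-25T09:00:01 10.0.5.21 query www.microsoft.com
2020-06-25T11:02:13 10.0.5.21 query dl.ningzhidata.com
2020-06-25T11:02:43 10.0.5.21 query dl.ningzhidata.com
2020-06-25T11:03:13 10.0.5.21 query dl.ningzhidata.com
2020-06-25T11:09:51 10.0.5.21 query dl.ningzhidata.com
2020-06-25T11:22:07 10.0.5.21 query dl.ningzhidata.com
2020-06-25T11:25:40 10.0.5.21 query dl.ningzhidata.com
2020-06-25T09:30:00 10.0.5.22 query update.i-xinnuo.com
2020-06-25T09:30:05 10.0.5.22 query www.example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def parent_domain(fqdn, depth=2):
    """Reduce a FQDN to its registrable part (e.g. dl.ningzhidata.com -> ningzhidata.com)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-depth:])


def parse_log(text):
    """Parse log lines into (timestamp, client, fqdn) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, fqdn = m.groups()
        events.append((datetime.fromisoformat(ts), client, fqdn))
    return events


def find_c2_contacts(events):
    """Return {client_ip: sorted timestamps} for every query to a GoldenSpy C2 domain."""
    hits = defaultdict(list)
    for ts, client, fqdn in events:
        if parent_domain(fqdn) in GOLDENSPY_C2_DOMAINS:
            hits[client].append(ts)
    return {client: sorted(stamps) for client, stamps in hits.items()}


def beacon_intervals(timestamps):
    """Whole-second gaps between consecutive contacts."""
    return [int((b - a).total_seconds()) for a, b in zip(timestamps, timestamps[1:])]


def looks_jittered(intervals, fixed_attempts=3):
    """Heuristic (an assumption, derived from the article): the first `fixed_attempts`
    check-ins are evenly spaced, and the gaps after them are randomized."""
    head = intervals[: fixed_attempts - 1]
    tail = intervals[fixed_attempts - 1 :]
    if len(head) < fixed_attempts - 1 or not tail:
        return False
    return len(set(head)) == 1 and len(set(tail)) > 1


def triage(text):
    """Summarize every host that contacted the C2 domain: contact count, gaps, jitter verdict."""
    report = {}
    for client, stamps in find_c2_contacts(parse_log(text)).items():
        gaps = beacon_intervals(stamps)
        report[client] = {
            "contacts": len(stamps),
            "intervals": gaps,
            "jittered": looks_jittered(gaps),
        }
    return report


if __name__ == "__main__":
    for host, summary in triage(SAMPLE_LOG).items():
        print(host, summary)
```

Run against real resolver or proxy exports, the only lines that need changing are `SAMPLE_LOG` and `LINE_RE`; a host that appears in the output at all is worth isolating regardless of the jitter verdict, since the domain match alone is the indicator the article gives. The jitter check is there to help prioritize, not to clear a host.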
Trustwave analysts have not been able to determine how the backdoor got into Aisino Corporation's product. Their theories are that the backdoor could have been created by Chinese state-sponsored hackers, secretly added to the program by a rogue bank employee, or planted by one of Aisino Corporation's own engineers. In other words, it is not yet clear whether the Chinese security services could have forced the bank or Aisino Corporation to add malware to official tax software (in order to spy on foreign companies), or whether the bank is an unwitting participant and this is the work of ordinary financially motivated criminals.
Researchers are urging all Western companies operating in China that have had to deal with Intelligent Tax to treat this incident as a potential threat, urgently check their systems for signs of compromise, and take the necessary remediation measures.