Trustwave recently reported that an unnamed Chinese bank forced Western companies to install official tax software containing the GoldenSpy backdoor. The suspicious program is called Intelligent Tax, and it was developed by Aisino Corporation specifically for paying local taxes.
GoldenSpy runs with SYSTEM-level privileges, which allows remote attackers to connect to an infected system inside the company, execute arbitrary commands, and download and install additional software. The malware has existed since 2016, and it is currently unclear how many organizations it may have compromised.
Interestingly, Trustwave analysts were unable to determine how the backdoor got into Aisino Corporation's product. Experts have theorized that the backdoor could have been created by Chinese "government" hackers, secretly added to the program by a dishonest bank employee, or developed by one of Aisino Corporation's own engineers.
Just three days after the publication of the Trustwave report, the company's analysts discovered that Aisino Corporation is now quietly pushing a file named AWX.exe to all infected systems. As it turned out, this file was created specifically to remove the GoldenSpy backdoor and all traces of the compromise, including the malware's registry entries, files, and folders. After finishing the "cleanup", the uninstaller deletes itself from the system.
The backdoor is removed silently via the Windows command line, without requesting any permission or showing any notification. The uninstaller itself is obfuscated and, like the original backdoor, clearly tries to evade detection. Moreover, it removes GoldenSpy by following exactly the removal steps that Trustwave experts included in their report.
"During our test, the GoldenSpy uninstaller was automatically downloaded and executed, and effectively eliminated the direct GoldenSpy threat. However, since the deployment of this uninstaller is carried out directly from the supposedly legitimate tax software, Intelligent Tax users should worry about what else can be downloaded and executed in a similar way," Trustwave experts say.
The researchers write that, despite the unexpected removal of the backdoor, it should still be regarded as a threat, and everyone who works with Intelligent Tax needs to check their systems for compromise.