Malware Found In Chinese Banking Software

Uploaded on 2020-07-21 in INTELLIGENCE-Hot Spots-China, GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Financial

Trustwave SpiderLabs has discovered a new malware family, dubbed GoldenSpy, embedded in tax payment software that one Chinese bank requires corporations to install to conduct business operations in China.

In April of 2020, the Trustwave SpiderLabs Threat Fusion Team  conducted a proactive threat hunt on behalf of a clients. Trustwave discovered several clients had unwittingly installed the GoldenSpy backdoor after agreeing to download the Intelligent Tax software product, produced by Aisino Corporation.

China’s banks require all companies to download software from either Aisino or Baiwang to comply with its Golden Tax VAT scheme, indicating that the malware campaign has either direct sponsorship from the government, or is happening with its blessing.

Soon after Trustwave reported on the powerful GoldenSpy backdoor, which it said could not be removed, an uninstaller appeared which directly negates the threat.

Now the vendor has discovered a second piece of malware, dubbed GoldenHelper, which dates back to before GoldenSpy. It’s found in the Golden Tax Invoicing Software (Baiwang edition), which is digitally signed by a subsidiary of Aisino.

The malware, while functionally different to GoldenSpy, has a similar delivery mechanism, according to Trustwave. It uses three DLL. files to interface with the Golden Tax software, bypass Windows security and escalate privileges and download and execute arbitrary code with system-level privileges.

It also uses multiple techniques to hide its presence and activity, including randomisation of names whilst in transit and of file system location, time stamping, IP-based Domain Generation Algorithm (DGA) and UAC bypass and privilege escalation. Active from January 2018 to July 2019, the malware delivered a final payload of “taxver.exe,” although the Trustwave team has yet to obtain a sample for analysis.

It’s not clear why GoldenHelper was shut down so abruptly. One guess is that its operators abandoned the project after detection rates jumped, from about three in January 2019 to as many as 29 by March.

Trustwave:    Trustwave:      Ars Technica:       Infosecuity:    Hitpoint Solution

You Might Also Read:

Bank Creates Its Own AI To Identify & Disintegrate Malware:

 

« Easing Out Of Lockdown: Why Should Cyber Security Remain High On The Agenda?
The British Government 'badly underestimated' Russian Political Interference »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Ground Labs

Ground Labs

Ground Labs is a security software company dedicated to making sensitive data discovery products that help organisations prevent sensitive data loss.

4N6

4N6

4N6 is a privately-owned firm founded with the goal of providing expert knowledge of computer forensics.

DarkLight

DarkLight

DarkLight is a cybersecurity platform that mimics human thinking at scale to build resiliency to Advanced Persistent Threats.

Rocheston

Rocheston

Rocheston is an innovation company with cutting-edge research and development in emerging technologies such as Cybersecurity, Internet of Things, Big Data and automation.

WisePlant

WisePlant

WisePlant's portfolio of solutions and services includes process measurement, secure automation, industrial cybersecurity, functional safety and more.

Secure Ideas

Secure Ideas

Secure Ideas is focused on penetration testing and application security including web applications, web services and mobile applications.

ProofID

ProofID

ProofID is a specialist provider of Identity Access Management (IAM) solutions. We focus on the solving the complex needs of the modern enterprise.

ClassNK Consulting Service (NKCS)

ClassNK Consulting Service (NKCS)

ClassNK Consulting provides consulting services to the maritime industry with a focus on safety, security and compliance.

Allied Telesis

Allied Telesis

Allied Telesis delivers the secure, flexible, and agile solutions needed to meet the expectations of any industry’s critical mission.

DoControl

DoControl

DoControl gives organizations the automated, self-service tools they need for SaaS applications data access monitoring, orchestration, and remediation.

Logically.ai

Logically.ai

Logically combines artificial intelligence with expert analysts to tackle harmful and manipulative content at speed and scale.

8com

8com

8com is an established Managed Security Service Provider (MSSP) with over 75 employees and customers in over 40 countries.

Sentar

Sentar

Sentar is a cyber intelligence company, applying advanced analytics and systems engineering expertise to protect our national security by securing mission-critical assets.

Cydea

Cydea

Cydea are an optimistic cyber security consultancy of experts in security, data, technology and design that want to build a safer, more secure world where more things go right.

RIoT Secure

RIoT Secure

RIoT Secure AB is a technology enabler within the IoT industry - created with a vision to ensure security technology exists in the foundations of software development for IoT solutions.

Endari

Endari

Endari specializes in building cybersecurity maturity within the operational DNA of early-stage startups and SMBs.