Malware Found In Chinese Banking Software

Uploaded on 2020-07-21 in INTELLIGENCE-Hot Spots-China, GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Financial

Trustwave SpiderLabs has discovered a new malware family, dubbed GoldenSpy, embedded in tax payment software that one Chinese bank requires corporations to install to conduct business operations in China.

In April of 2020, the Trustwave SpiderLabs Threat Fusion Team  conducted a proactive threat hunt on behalf of a clients. Trustwave discovered several clients had unwittingly installed the GoldenSpy backdoor after agreeing to download the Intelligent Tax software product, produced by Aisino Corporation.

China’s banks require all companies to download software from either Aisino or Baiwang to comply with its Golden Tax VAT scheme, indicating that the malware campaign has either direct sponsorship from the government, or is happening with its blessing.

Soon after Trustwave reported on the powerful GoldenSpy backdoor, which it said could not be removed, an uninstaller appeared which directly negates the threat.

Now the vendor has discovered a second piece of malware, dubbed GoldenHelper, which dates back to before GoldenSpy. It’s found in the Golden Tax Invoicing Software (Baiwang edition), which is digitally signed by a subsidiary of Aisino.

The malware, while functionally different to GoldenSpy, has a similar delivery mechanism, according to Trustwave. It uses three DLL. files to interface with the Golden Tax software, bypass Windows security and escalate privileges and download and execute arbitrary code with system-level privileges.

It also uses multiple techniques to hide its presence and activity, including randomisation of names whilst in transit and of file system location, time stamping, IP-based Domain Generation Algorithm (DGA) and UAC bypass and privilege escalation. Active from January 2018 to July 2019, the malware delivered a final payload of “taxver.exe,” although the Trustwave team has yet to obtain a sample for analysis.

It’s not clear why GoldenHelper was shut down so abruptly. One guess is that its operators abandoned the project after detection rates jumped, from about three in January 2019 to as many as 29 by March.

Trustwave:    Trustwave:      Ars Technica:       Infosecuity:    Hitpoint Solution

You Might Also Read:

Bank Creates Its Own AI To Identify & Disintegrate Malware:

 

« Easing Out Of Lockdown: Why Should Cyber Security Remain High On The Agenda?
The British Government 'badly underestimated' Russian Political Interference »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

The Networking People (TNP)

The Networking People (TNP)

TNP supplies independent advice allowing large organisations to design, build and operate their own networks independently of the established telecoms companies.

Cyber Fusion Center - Maryville University

Cyber Fusion Center - Maryville University

Maryville University Cyber Fusion Center is a virtual lab for working on real-world cyber security challenges.

AVG Technologies

AVG Technologies

AVG is focused on providing home and business computer users with the most comprehensive and proactive protection against computer security threats.

Cyber Security & Information Systems Information Analysis Center (CSIAC)

Cyber Security & Information Systems Information Analysis Center (CSIAC)

CSIAC is chartered to leverage best practices and expertise from government, industry, and academia on cyber security and information technology.

DFLabs

DFLabs

DFlabs is a pioneer in Security Automation & Orchestration technology, leveraging your existing security products to dramatically reduce the response and remediation gap.

Infodas

Infodas

Infodas provides Cybersecurity and IT consulting / system integration services as well as a range of innovative Cybersecurity products to public sector and commercial clients.

PROOF

PROOF

PROOF is a Brazilian leader in cybersecurity. Our goal is to assist our Customers in managing security efficiently and in tune with business needs.

NetSecurity

NetSecurity

NetSecurity is a Brazilian company specializing in Information Security. We provide Managed Security Services (MSS), network security solutions and other specialist services.

ProSearch Partners

ProSearch Partners

ProSearch Partners are national talent acquisition specialists exclusively focussing on Technology and Digital talent including Cybersecurity, Data Analytics and Execs.

Cyber Security Cloud (CSC)

Cyber Security Cloud (CSC)

Cyber Security Cloud provides web application security services worldwide using world's leading cyber threat intelligence and AI technology.

HARMAN International

HARMAN International

HARMAN designs and engineers connected products and solutions for automakers, consumers, and enterprises worldwide.

Neosec

Neosec

We’re reinventing API security. Understanding behavior requires data, analytics, and intelligence. Neosec brings XDR techniques to application security.

Schneider Downs

Schneider Downs

Schneider Downs & Co. provides accounting, tax and business advisory services through innovative thought leaders who deliver their expertise to meet the individual needs of each client.

Prembly

Prembly

Prembly are a compliance and security infrastructure company.

Dotsquares

Dotsquares

Dotsquares leverage the latest web and mobile technologies to build, grow and support your business.

Chorus

Chorus

Chorus are a leading Managed Security Service Provider (MSSP), and member of the Microsoft Intelligent Security Association (MISA), with three Microsoft Advanced Specialisations in security.