GoldenSpy: Chapter Two – The Uninstaller


Saturday, July 4th, 2020

In April of 2020, Trustwave SpiderLabs’ Threat Fusion Team performed a ‘Proactive Threat Hunt’ for a global technology vendor with significant business in the US, Australia and the UK that had recently begun operating in China. While the investigation yielded many important findings, one stood out as having a potentially massive impact on other businesses that operate within China. What they found was an executable that displayed highly unusual behaviour and was sending system information to a suspicious Chinese domain. After further investigation and conversations with their client, Trustwave deduced that the suspicious behaviour came from a newly installed piece of software on the client’s systems, and that this software was required by the client’s local Chinese bank as a way of paying local taxes. The software in question is called ‘Intelligent Tax’ and is produced by the Golden Tax Department of Aisino Corporation.


Upon further investigation, Trustwave found that the software worked as intended but also installed a hidden backdoor on the system that enabled a remote threat actor to execute Windows commands or to upload and execute any binary, including ransomware, trojans or other malware. Trustwave concluded that this backdoor is a ‘wide-open door into the network’: it runs with SYSTEM-level privileges and connects to a command and control server that is separate from the tax software’s own network infrastructure. Based on these findings, as well as the other factors described below, Trustwave has declared this file to be malware. They have since reverse-engineered it and named the family ‘GoldenSpy.’


The GoldenSpy binary is digitally signed by another China-based company, Chenkuo Network Technology, and the signature uses identical text for both the product and description fields: 认证软件版本升级服务, which translates to “certified software version upgrade service.” While the name and description may sound like legitimate software, the tax software already contains a legitimate updater service that functions as intended and is completely unrelated to GoldenSpy.

Other aspects of the malware that Trustwave documented include:

  • The GoldenSpy malware installs two identical versions of itself, both as persistent autostart services. If either version stops running, the running version will respawn its counterpart. Furthermore, it can detect the deletion of either version of itself; if one copy is deleted, it will download and execute a new version. This alone makes the malware extremely difficult to remove.
  • If a user were to uninstall the Intelligent Tax software using the software’s built-in uninstaller, the backdoor will not be removed. GoldenSpy remains as an open backdoor into the system environment, even after the tax software is fully removed.
  • The GoldenSpy malware waits a full two hours after the initial installation of the tax software before downloading and installing itself. When the download and installation of the malware does take place, it happens in a quiet and secretive manner, without any system notifications.
  • GoldenSpy does not contact the tax software’s network infrastructure, i-xinnuo[.]com, but rather it reaches out to a domain known to host other variations of the GoldenSpy malware, ningzhidata[.]com. It will then randomize beacon times following the first three attempts to contact its C&C server.
  • The malware itself operates at SYSTEM level privileges, making it highly dangerous and capable of executing any software on the system. This can include additional malware or Windows administrative tools to conduct reconnaissance, create new users, exfiltrate data, etc.

While the full scope of the campaign is still not known, the above factors have led Trustwave to conclude that GoldenSpy is a well-hidden and powerful backdoor that gives a remote actor full command and control of the victim’s system. For the Trustwave client mentioned at the beginning of this article, GoldenSpy was secretly embedded within the Aisino Intelligent Tax software, but Trustwave was unable to determine whether this is standard across all entities using the tax software, or whether this client was targeted specifically because of its access to sensitive information. Trustwave has identified similar activity at a ‘global financial institution,’ but says it does not have enough information to positively confirm a second instance of GoldenSpy.

Although the current GoldenSpy campaign began in April of this year, Trustwave’s cyber threat analysts discovered variations of the GoldenSpy malware dating back to December of 2016. It is worth noting that Chenkuo Technology’s website announced a partnership with Aisino in October of 2016, two months before the first known instance of the GoldenSpy malware.

The full scope and purpose of this malware campaign, and the threat actors behind it, are not yet known. Nor is it known whether Chenkuo Technology or Aisino are active and/or willing participants, or what the extent of their involvement is beyond what has been described in this article.

Trustwave urges every corporation operating in China or using the Aisino Intelligent Tax software to treat this malware family as a potential threat and to engage in threat hunting, containment and remediation.
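The indicators listed above (contact with ningzhidata[.]com with randomised beacon times after the first three attempts, a pair of identical autostart services that respawn each other, and a Chenkuo-signed binary carrying the “certified software version upgrade service” description) are the natural starting point for the threat hunt Trustwave recommends. The script below is an added example written for this article, not Trustwave’s or Aisino’s tooling. It runs the three checks over constructed sample data so it works offline: the DNS log lines, service names, paths and placeholder hashes are all hypothetical, and the only real indicators in it are the two domains, the signer name and the signed description string that the article itself reports.

```python
# Added example (not Trustwave's or Aisino's code): triage checks for the GoldenSpy
# indicators this article lists, run over constructed sample data so it works offline.
# Hostnames, service names, paths and hashes below are hypothetical placeholders.
from collections import defaultdict
from datetime import datetime

C2_DOMAIN = "ningzhidata.com"          # GoldenSpy C&C domain named in the article
VENDOR_DOMAIN = "i-xinnuo.com"          # legitimate tax-software update infrastructure
SIGNED_DESC = "认证软件版本升级服务"         # "certified software version upgrade service"

# Constructed DNS resolver log: "<ISO timestamp> <client> <queried name>"
DNS_LOG = """\
2020-04-14T09:00:00 ws-fin-07 update.i-xinnuo.com
2020-04-14T11:00:05 ws-fin-07 www.ningzhidata.com
2020-04-14T11:01:05 ws-fin-07 www.ningzhidata.com
2020-04-14T11:02:05 ws-fin-07 www.ningzhidata.com
2020-04-14T11:09:41 ws-fin-07 www.ningzhidata.com
2020-04-14T11:23:12 ws-fin-07 www.ningzhidata.com
2020-04-14T11:28:58 ws-fin-07 www.ningzhidata.com
2020-04-14T11:30:00 ws-hr-02 update.i-xinnuo.com
"""


def parse_dns_log(text):
    """Yield (timestamp, client, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def c2_contacts(records, domain=C2_DOMAIN):
    """Group lookups of the C2 domain (or any subdomain of it) by client host."""
    hits = defaultdict(list)
    for ts, client, qname in records:
        if qname == domain or qname.endswith("." + domain):
            hits[client].append(ts)
    return {client: sorted(ts_list) for client, ts_list in hits.items()}


def beacon_profile(timestamps):
    """Cadence check: are the first three contacts evenly spaced, and do the
    later gaps vary? That is the 'randomised after the first three attempts'
    behaviour the article describes. Fewer than four contacts gives no verdict."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return {"contacts": len(timestamps), "fixed_initial": False, "jittered_later": False}
    initial, later = gaps[:2], gaps[2:]
    return {
        "contacts": len(timestamps),
        "fixed_initial": len(set(initial)) == 1,
        "jittered_later": len(set(later)) > 1,
    }


# Constructed autostart-service inventory, in the shape you would export from
# Get-CimInstance Win32_Service plus Get-AuthenticodeSignature on each binary.
SERVICES = [
    {"name": "TaxUpdate", "start": "Auto", "path": r"C:\Program Files\Tax\upd.exe",
     "sha256": "aaa111", "signer": "Aisino", "desc": "Intelligent Tax updater"},
    {"name": "SvcUpgradeA", "start": "Auto", "path": r"C:\ProgramData\upg\a\svc.exe",
     "sha256": "bbb222", "signer": "Chenkuo Network Technology", "desc": SIGNED_DESC},
    {"name": "SvcUpgradeB", "start": "Auto", "path": r"C:\ProgramData\upg\b\svc.exe",
     "sha256": "bbb222", "signer": "Chenkuo Network Technology", "desc": SIGNED_DESC},
    {"name": "Spooler", "start": "Auto", "path": r"C:\Windows\System32\spoolsv.exe",
     "sha256": "ccc333", "signer": "Microsoft Windows", "desc": "Print Spooler"},
]


def twin_services(services):
    """Groups of distinct autostart services whose binaries hash identically:
    the 'two identical versions of itself' persistence pattern."""
    by_hash = defaultdict(list)
    for svc in services:
        if svc["start"].lower() == "auto":
            by_hash[svc["sha256"]].append(svc["name"])
    return [names for names in by_hash.values() if len(names) > 1]


def chenkuo_signed(services):
    """Services signed by Chenkuo whose description is the 'upgrade service' string."""
    return [s["name"] for s in services
            if "chenkuo" in s["signer"].lower() and s["desc"] == SIGNED_DESC]


def hunt(dns_text=DNS_LOG, services=SERVICES):
    """Combine the three checks into one report."""
    contacts = c2_contacts(parse_dns_log(dns_text))
    return {
        "c2_clients": {host: beacon_profile(ts) for host, ts in contacts.items()},
        "twin_services": twin_services(services),
        "chenkuo_signed": chenkuo_signed(services),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(), indent=2, ensure_ascii=False))
```

Two practical notes when using something like this on real exports: the hash-twin check is only a heuristic (legitimate software occasionally registers the same binary twice), so treat a match as a lead rather than a verdict; and because each copy respawns or re-downloads its counterpart, remediation has to stop both services and block the C2 domain in the same step, not one after the other.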

