GoldenSpy backdoor found in a Chinese bank’s official tax software

A recent publication by Trustwave cyber-security revealed that a Chinese bank compelled at least two Western companies to deploy malware-laid tax software on their systems. These firms are a technology/software vendor and a major financial institution headquartered in the United Kingdom, both of which have recently established offices in China.

GoldenSpy backdoor found in a Chinese bank’s official tax software

Trustware explained that, in a discussion with their client, they revealed that the so-called “malware” has been part of the tax software required by the Chinese bank.  It turned out that the local Chinese bank has told them to install a software kit named “Intelligent Tax” for paying local taxes. This software is produced by the Golden Tax Department of Aisino Corporation.

Trustwave, which supported the UK software vendor with cybersecurity services, stated that they managed to identify the malware after detecting unusual network requests emanating from its client’s network.  The security firm said that the bank’s tax software operated as advertised and, indeed, allowed its client to pay local taxes, but still, it had a secret backdoor installed.

The GoldenSpy malware

The backdoor, codenamed by Trustwave GoldenSpy, ran with SYSTEM-level access, allowing for a remote intruder to perform Windows commands, or import other applications inside the compromised system.

GoldenSpy backdoor found in a Chinese bank’s official tax software

As a matter of fact, nowadays, many types of software have remote-access features for debugging services. Nonetheless, Trustwave has reported to have found features which don’t have legal usage elsewhere and are most commonly used in malware.

For instance, the so-called GoldenSpy installs two identical versions of itself which run on autostart.  In addition, the software uses an exeprotector element that tracks for the elimination of either of the installs. Once removed, a new edition will be downloaded and installed. As a result, it is incredibly difficult to delete this file from an infected system.

Furthermore, the uninstall feature of the Intelligent Tax program will not remove GoldenSpy. Even after the tax software is eliminated entirely, the questionable piece of software remains running as an open backdoor.

Another thing that looks suspicious in the behavior of GoldenSpy according to the security firm is that it gets installed in the system only after a full two hours have passed after the tax software installation process has completed. This is quite unusual for official software. What is more, when GoldenSpy finally gets installed, it does it without showing any system notification.

In addition to all this, GoldenSpy does not connect to the tax software’s network infrastructure (i-xinnuo[.]com) but, instead, reaches out to ningzhidata[.]com – a domain known to host other variations of malware with similar behavior.

But even though Trustwave was able to detect the hidden backdoor within the Aisino Intelligent Tax software, it could not determine how it got inside. The security company said it could not decide whether Chinese government hackers have created the malicious software, or it has been secretly incorporated by one of the bank’s red-doors employees, or it has been built by someone at the Aisino Corporation.

There was also a lack of clarification if the Chinese intelligence might or may not have pressured the bank or the Aisino Corporation to add malware to their official software to allow it to spy on a foreign company or this has just been a hacker’s attempt to have some personal or financial gain.

Nevertheless, while these concerns remain unanswered, Trustwave raises the alert for other companies doing business in China that could have installed the same software to take the published incident as a warning.  They urge those companies that have the Aisino Intelligent Tax Program  to take the necessary countermeasures mentioned in their technical report in order to avoid potential system exploitation.

blank

About the author

blank

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment