A recent publication by the cybersecurity firm Trustwave revealed that a Chinese bank compelled at least two Western companies to install malware-laden tax software on their systems. The firms, a technology/software vendor and a major financial institution headquartered in the United Kingdom, had both recently opened offices in China.
Trustwave explained that, in a discussion with its client, the client disclosed that the so-called “malware” was part of tax software required by the Chinese bank. The local bank had told the client to install a software package named “Intelligent Tax” for paying local taxes. This software is produced by the Golden Tax Department of Aisino Corporation.
Trustwave, which provided cybersecurity services to the UK software vendor, stated that it identified the malware after detecting unusual network requests originating from its client’s network. The security firm said that the bank’s tax software worked as advertised and did allow its client to pay local taxes, but it also carried a hidden backdoor.
The GoldenSpy malware
The backdoor, codenamed GoldenSpy by Trustwave, ran with SYSTEM-level privileges, allowing a remote intruder to execute Windows commands or install additional software on the compromised system.
Many types of software today include remote-access features for debugging or support. Nonetheless, Trustwave reported finding features that have no legitimate use and are most commonly seen in malware.
For instance, GoldenSpy installs two identical copies of itself, both configured to run at startup. In addition, it uses an exeprotector module that watches for the removal of either copy; if one is deleted, a fresh copy is downloaded and installed. As a result, it is extremely difficult to remove the file from an infected system.
Furthermore, the Intelligent Tax program’s uninstaller does not remove GoldenSpy. Even after the tax software has been removed entirely, the suspicious component keeps running as an open backdoor.
Another suspicious aspect of GoldenSpy’s behavior, according to the security firm, is that it is installed only after a full two hours have passed since the tax software installation completed, which is highly unusual for legitimate software. Moreover, when GoldenSpy is finally installed, it does so without displaying any system notification.
In addition, GoldenSpy does not connect to the tax software’s network infrastructure (i-xinnuo[.]com) but instead reaches out to ningzhidata[.]com, a domain known to host other malware variants with similar behavior.
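The behaviours summarised above (two identical autostart copies, a component registered roughly two hours after the installer finished, and traffic to ningzhidata[.]com rather than the vendor's own i-xinnuo[.]com) can be turned into simple hunting checks over endpoint telemetry. The script below is an added example, not Trustwave's code or anything from its technical report; the event schema, file paths, hash values and timestamps are constructed for illustration, and only the two domains and the described behaviours come from the article.

```python
"""Hunt for GoldenSpy-style behaviours in constructed endpoint telemetry.

Added example (not Trustwave's tooling). The event schema and all sample
records below are constructed; only the domains and the behaviours
(duplicate autostart copies, delayed install, off-vendor C2) come from the
public write-up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Domain from the write-up, kept defanged in the source and re-fanged on use.
WATCHLIST = {"ningzhidata[.]com"}
# The tax vendor's own infrastructure named in the write-up; not flagged.
EXPECTED_DOMAINS = {"i-xinnuo[.]com"}


def refang(domain):
    """Turn a defanged indicator like 'a[.]b' into a comparable hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def domain_matches(query, watched):
    """True if the query is a watched domain or one of its subdomains."""
    q = refang(query)
    return any(q == refang(w) or q.endswith("." + refang(w)) for w in watched)


def find_duplicate_autoruns(autoruns):
    """Return file hashes that back two or more autostart entries.

    Two identical binaries registered to run at startup under different
    paths is the 'two copies guarding each other' pattern described above.
    """
    by_hash = defaultdict(list)
    for entry in autoruns:
        by_hash[entry["sha256"]].append(entry["path"])
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) >= 2}


def find_watchlisted_dns(dns_events, watched=WATCHLIST):
    """Return DNS queries that resolve to the watch-listed domain or subdomains."""
    return [e["query"] for e in dns_events if domain_matches(e["query"], watched)]


def find_delayed_autoruns(installer_done, created, min_delay=timedelta(hours=2)):
    """Return autostart entries registered a long time after the installer exited.

    Heuristic (assumption): legitimate installers register their services while
    they run, so a persistence entry appearing hours later deserves a look.
    """
    return [e["path"] for e in created if e["ts"] - installer_done >= min_delay]


def hunt(autoruns, dns_events, installer_done, created):
    """Run all three checks and return the findings in one dict."""
    return {
        "duplicate_autoruns": find_duplicate_autoruns(autoruns),
        "watchlisted_dns": find_watchlisted_dns(dns_events),
        "delayed_autoruns": find_delayed_autoruns(installer_done, created),
    }


# --- constructed sample telemetry (hashes, paths and times are made up) ---
SAMPLE_AUTORUNS = [
    {"path": r"C:\Program Files\TaxApp\taxclient.exe", "sha256": "aaaa1111"},
    {"path": r"C:\Windows\Temp\svc_a.exe", "sha256": "bbbb2222"},
    {"path": r"C:\ProgramData\svc_b.exe", "sha256": "bbbb2222"},
]
SAMPLE_DNS = [
    {"ts": "2020-06-01T09:05:00", "query": "update.i-xinnuo.com"},
    {"ts": "2020-06-01T11:07:12", "query": "cdn.ningzhidata.com"},
    {"ts": "2020-06-01T11:08:00", "query": "www.example.com"},
]
SAMPLE_INSTALLER_DONE = datetime(2020, 6, 1, 9, 0, 0)
SAMPLE_AUTORUN_CREATED = [
    {"path": r"C:\Program Files\TaxApp\taxclient.exe", "ts": datetime(2020, 6, 1, 8, 58)},
    {"path": r"C:\Windows\Temp\svc_a.exe", "ts": datetime(2020, 6, 1, 11, 3)},
    {"path": r"C:\ProgramData\svc_b.exe", "ts": datetime(2020, 6, 1, 11, 3)},
]

if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_AUTORUNS, SAMPLE_DNS,
                           SAMPLE_INSTALLER_DONE, SAMPLE_AUTORUN_CREATED).items():
        print(f"{name}: {hits}")
```

The checks are deliberately independent so each can be fed from whatever source an environment already has (autorun inventory, DNS logs, service-creation events); the two-hour threshold is a tunable heuristic taken from the reported delay, not a fixed signature.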
Even though Trustwave was able to detect the hidden backdoor within the Aisino Intelligent Tax software, it could not determine how it got there. The security company said it could not establish whether Chinese government hackers created the malicious software, whether a rogue employee at the bank secretly incorporated it, or whether someone at Aisino Corporation built it.
It also remained unclear whether Chinese intelligence pressured the bank or Aisino Corporation to add malware to their official software in order to spy on foreign companies, or whether this was simply a hacker’s attempt at personal or financial gain.
Nevertheless, while these questions remain unanswered, Trustwave is alerting other companies doing business in China that may have installed the same software to treat the published incident as a warning. It urges companies running the Aisino Intelligent Tax program to apply the countermeasures described in its technical report in order to avoid potential compromise.