Well Hidden Malware Threat Targets Corporations Operating in China
A new malware, named GoldenSpy, was found embedded in tax payment software. The software installation is a requirement of a Chinese bank to do business in Mainland China. The malware, which allows a threat actor to execute Windows commands or upload and execute any binary, was discovered by cyber security researchers at Trustwave SpiderLabs. It is well-hidden on infected systems and difficult to detect.
The malware was installed when business customers downloaded and installed a bank required payment software called Intelligent Tax. The payment software is produced by the Golden Tax Department of Aisino Corporation. Business customers were required by a local Chinese bank to download and use the software. Although the software does function as it should, it also installs a backdoor into customers’ systems, Trustwave found.
“Basically, it was a wide-open door into the network with SYSTEM level privileges and connected to a command and control server completely separate from the tax software’s network infrastructure,” says the report by Trustwave.
The Chinese government has well established history of surveilling its citizens. The People Republic of China (PRC) has a particular interest in knowing the data that is contained on cell phones and other devices. In particular, when travelers come from outside the country through a border checkpoint, they may be required to install monitoring software on their phone. If they refuse, they will not be allowed entry into the country.
Furthermore, China’s laws allow the PRC to search networks software and hardware of any company that is operating a computer or similar device within the country. It may also require that the encryption keys either be handed over to the PRC or preferably that the company use encryption that has already been approved of by the PRC. This means that they have access to the decryption keys already. Finally, Chinese law makes it illegal to access internet without going through their filtering and monitoring software sometimes known as the Great Firewall of China. Formally called Project Golden shield by the PRC. Any data that is transmitted, stored, or otherwise processed in China should be considered subject to monitoring by the PRC.
The cyber security researchers saw that GoldenSpy installs two identical versions of itself. The malware installation process happens two hours after Intelligent Tax is finished with its installation process. The malware installs itself silently in the background without any notifications to the system administrator. When the installation processes finish, the software has granted itself SYSTEM level privileges and connected to a command and control server. Both copies of the malware launch at startup. If either one shuts down, the other can restart it. If one installation is deleted, the other can reinstall a new copy.
It remains unclear what the objective of the malware is. It could be to steal money, for corporate espionage, data exfiltration, or to move laterally across networks.
In mid-2016, Aisino Corporation announced a new ‘big data’ partnership with a company named Chenkuo Network Technology. This is the same company that digitally signs GoldenSpy and about the same time, GoldenSpy was first spotted in the wild.
“The scope of this campaign is not currently known. For our client, GoldenSpy was secretly embedded within the Aisino Intelligent tax software, but we cannot determine if this was targeted because of their access to vital data, or if this campaign impacts every company doing business in China. We have identified similar activity at a global financial institution, but do not yet have further telemetry into this campaign,” explained Trustwave VP of cyber-threat detection and response, Brian Hussey.
The Intelligent Tax software’s uninstall feature does not uninstall GoldenSpy.