The Golden Tax Department and the Emergence of GoldenSpy Malware

Trustwave

Brian Hussey, VP of Cyber Threat Detection & Response

Trustwave SpiderLabs has discovered a new malware family, dubbed GoldenSpy, embedded in tax payment software that a Chinese bank requires corporations to install to conduct business operations in China.

In April of 2020, the Trustwave SpiderLabs Threat Fusion Team conducted a Threat Hunt for a Managed Detection and Response (MDR) client. The company is a global technology vendor with significant government business in the US, Australia, and UK, and it had recently opened offices in China. Our threat hunt uncovered several key findings important to the long-term security of their network; however, one finding stood out as potentially impacting countless other businesses that currently operate in China. A full analysis of our findings is available for download in this report.

That finding was an executable file displaying highly unusual behavior and sending system information to a suspicious domain. Discussions with our client revealed that this was part of their bank's required tax software. The client informed us that upon opening operations in China, their local Chinese bank required that they install a software package called Intelligent Tax produced by the Golden Tax Department of Aisino Corporation, for paying local taxes.

As the Trustwave SpiderLabs team continued their investigation into the tax software, they found that it worked as advertised, but it also installed a hidden backdoor on the system that enabled a remote adversary to execute Windows commands or to upload and execute any binary (including ransomware, trojans, or other malware). Basically, it was a wide-open door into the network with SYSTEM-level privileges, and it connected to a command and control server completely separate from the tax software's network infrastructure. Based on this and several other factors, we determined that this file had sufficient characteristics to be classified as malware. We have since fully reverse-engineered the files and named the family GoldenSpy.

To read the full report on our initial discovery, please visit this blog post. Since the initial research, we have reported updates about an uninstaller package, how that uninstaller evolved, and precursor malware to GoldenSpy that we have called GoldenHelper.

We have prepared a detailed technical report on GoldenSpy that contains full incident details, including: network and file system indicators of compromise (IOCs); malware reverse engineering analysis reports; historical network IOCs and known GoldenSpy variants; GoldenSpy threat hunting recommendations, including a custom YARA signature designed to identify unknown GoldenSpy variants; and remediation recommendations.

Trustwave SpiderLabs is still actively investigating and seeking out more telemetry on the GoldenSpy campaign. If you have any information about this activity or feel you may have been victimized by this attack, please reach out to the Trustwave SpiderLabs Threat Fusion Team at GoldenSpy@trustwave.com.
