Researchers find ‘GoldenSpy’ malware hidden in Tax Software and spying on companies doing business in China
Researchers have found out that cybercriminals and/or state-backed hackers are using a unique method to spy on foreign firms doing business in China. A team of security researchers from Trustwave has found a new and unique advanced persistent threat (APT) campaign that aims to steal intelligence secrets from foreign companies operating in China.
Trustwave researchers first found the GoldenSpy malware when researching a newly discovered attack on a UK-based technology company. The researchers found that the malware was hidden in the tax payment software and designed to steal confidential information about the company.
Interestingly, the tax payment software is mandated by Chinese banks in order to conduct business in China. The unnamed company operated in defense space and had just opened its branch office in China. The GoldenSpy malware apparently spied on the UK company and fed information to its originator.
Brian Hussey, Trustwave’s vice president of cyber threat detection and response, says the attackers used a backdoor to take control of the UK company’s network. Trustwave says that the UK company is not the only one to be infected by GoldenSpy malware.
They [the attackers]could run Windows commands, create new users, move laterally and upload code to execute malware. They could also potentially use the network access to exfiltrate data. Trustwave
Brian Hussey, Trustwave’s vice president of cyber threat detection and response didn’t name China as behind the GoldenSpy malware but said that the malware indicated to more interested in intelligence gathering than financial gains.
The link of GoldenSpy malware to China is the fact that the Intelligent Tax Payment software it resides in is mandated by all Chinese banks for firms wanting to do business in China. Trustwave says that the malware continues to propagate even after deletion. GoldenSpy installs two identical versions of itself, both as persistent autostart services. If either stops running, it will respawn its counterpart. In addition, it uses an EXEProtector module that monitors for the deletion of either iteration of itself. If deleted, the malware will download and execute a new version. Trustwave believes that this triple-layer protection makes it exceedingly difficult to remove this kind of file from an infected system.
Trustwave also found it hard to uninstall Goldenspy malware. Even removing the Intelligent Tax software will not remove GoldenSpy. It leaves GoldenSpy running as an open backdoor into the environment, even after the tax software gets fully removed.
Trustwave says it is researching more about the Goldenspy malware. If you are doing business in China you should not use the Intelligent Tax Payment software or use the software on an air-gapped independent machine.