Three weeks ago, security researchers exposed a sinister piece of malware lurking within tax software that the Chinese government requires companies to install. There is now evidence that the high-stealth espionage campaign was preceded by a separate piece of malware that employed equally sophisticated means to infect taxpayers in China.
GoldenHelper, as researchers at the security firm Trustwave call the malware, hid within the Golden Tax Invoicing software, which all companies registered in China must use to pay value-added tax. The malware bypasses User Account Control, the Windows mechanism that requires users to give their approval before software can install programs or make other changes to the system. Once that is done, GoldenHelper can install modules with system-level privileges. Trustwave published its findings Tuesday here.
GoldenHelper uses other tricks to hide its malicious behavior and evade detection by endpoint protection software. They include:
- Randomly generated file names
- Randomly generated "create" and "last write" timestamps
- Downloading executable files under fake file names with extensions such as .gif, .jpg and .zip
- Encrypted logic that uses domain-lookup data to control download locations, what is downloaded, and where the downloaded content is placed
- Using an IP-based domain generation algorithm to change command-and-control server locations on the fly
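Two of the tricks above (executables saved under image or archive extensions, and randomized create/last-write timestamps) leave artifacts a defender can check for on disk. The script below is an added example written for this page, not code from Trustwave or from the Golden Tax software: it parses the DOS/PE header to spot a Windows executable hiding behind a .gif, .jpg or .zip name, and it flags timestamp combinations that randomization tends to produce. The sample file bytes and timestamps are constructed inline; the function names, the extension list and the "plausible date" window are assumptions for illustration.

```python
"""Added example (not Trustwave's code or the page's own): file-level checks
for two GoldenHelper-style evasion tricks, run over constructed samples."""
import struct
from datetime import datetime, timedelta, timezone

# Assumption: extensions a dropper might borrow for a downloaded executable.
NON_EXECUTABLE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".zip"}

# Assumption: earliest plausible file date for the environment being scanned.
EARLIEST_PLAUSIBLE = datetime(2010, 1, 1, tzinfo=timezone.utc)
FUTURE_SLACK = timedelta(minutes=5)  # tolerate minor clock skew


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of PE header
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extension_of(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def scan(name: str, data: bytes, created: datetime, last_write: datetime,
         now: datetime) -> list:
    """Return a list of finding labels for one file (empty list = nothing odd)."""
    findings = []

    # Trick 1: a PE image stored under a non-executable extension.
    if extension_of(name) in NON_EXECUTABLE_EXTS and is_pe(data):
        findings.append("pe_with_non_executable_extension")

    # Trick 2: randomized timestamps. A create time later than the last-write
    # time is a classic timestomping hint, but plain file copies also produce
    # it, so treat it as a weak signal to correlate rather than an alert by itself.
    if created > last_write:
        findings.append("created_after_last_write")
    for label, ts in (("created", created), ("last_write", last_write)):
        if ts > now + FUTURE_SLACK or ts < EARLIEST_PLAUSIBLE:
            findings.append(f"{label}_outside_plausible_window")
    return findings


def build_minimal_pe() -> bytes:
    """Constructed sample: a DOS stub pointing at a PE signature (not a real program)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew = 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def demo() -> dict:
    """Run the checks over constructed samples and return findings per file."""
    now = datetime(2020, 7, 20, tzinfo=timezone.utc)
    samples = {
        # Random-looking name, image extension, PE bytes, create time newer than
        # last write: this is the pattern the list above describes.
        "x7q2m.gif": (build_minimal_pe(),
                      now - timedelta(days=1), now - timedelta(days=400)),
        # Genuine-looking archive with sane timestamps: should be clean.
        "invoices.zip": (b"PK\x03\x04" + b"\x00" * 60,
                         now - timedelta(days=2), now - timedelta(days=1)),
        # Real image bytes but a randomized, future-dated create time.
        "logo.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 60,
                     now + timedelta(days=30), now - timedelta(days=3)),
    }
    return {name: scan(name, data, c, w, now)
            for name, (data, c, w) in samples.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'clean'}")
```

Run against a real directory, the same `scan()` call would take the file bytes and the NTFS create/last-write times from `os.stat`; the point of the header walk rather than a bare `MZ` check is that many legitimate files start with arbitrary bytes, while a valid e_lfanew that lands on `PE\0\0` is hard to hit by accident.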
In some cases, the Golden Tax software is deployed on standalone systems supplied by banks. Trustwave said it found reports from several people who said they received Windows 7 Home Edition computers with the tax software, and the hidden GoldenHelper, preinstalled.
The discovery comes three weeks after Trustwave exposed GoldenSpy, a piece of advanced spyware that researchers found installed on the network of a large multinational technology company that had just opened offices in China. GoldenSpy used the same installation route as GoldenHelper: the Golden Tax Project.
Trustwave said GoldenSpy had been active from April until last month, when the campaign was abruptly shut down following the security company's report. GoldenHelper was active from January 2018 to July 2019, a finding that shows the tax software has harbored malware for longer than previously known. GoldenHelper was digitally signed with a Windows-trusted certificate issued to NouNou Technologies, a subsidiary of Aisino Corporation, the same company responsible for the tax software that carried the embedded GoldenSpy malware.
The tax software that houses GoldenHelper was produced by a company known as Baiwang. Baiwang and Aisino are the only two official providers of the invoicing systems. The latest discovery shows that GoldenSpy was not a one-off campaign but one that relied on at least one other piece of malware, over a longer period than previously known.
It is unclear why GoldenHelper was shut down so abruptly. One guess is that its operators abandoned the project after detections rose, from about three in January 2019 to 29 by March. Below is a timeline tracking the malware's history:
Unlike in the GoldenSpy research, Trustwave researchers have yet to obtain a sample of the final payload GoldenHelper installs, a file named taxver.exe. Trustwave asks anyone who can provide a sample to contact the researchers at [email protected].