A large multinational technology company received a nasty surprise recently when it was expanding its operations to China. The software that a local bank required the company to install in order to pay local taxes contained an advanced backdoor.
The warning, detailed in a report released Thursday, said the software package, called Intelligent Tax and produced by Beijing-based Aisino Corporation, worked as advertised. Behind the scenes, it also installed a separate program that allowed its creators to remotely run commands or software of their choice on the infected computer. It was also digitally signed by a Windows trusted certificate.
Researchers at Trustwave, the security firm that made the discovery, have named GoldenSpy. With system-level privileges for a Windows computer, it connects to a control server located at ningzhidata[.]com, a domain that Trustwave researchers said is known to harbor other variations of the malware. The backdoor included a variety of advanced features designed to gain deep, covert, and persistent access to infected computers.
According to Thursday’s post, those features include:
- GoldenSpy installs two identical versions of itself, both as persistent autostart services. If anyone stops working, their counterpart will reappear. Also, it uses a protector exe module that monitors the removal of any iteration of itself. If removed, it will download and run a new version. Indeed, this triple layer protection makes it extremely difficult to remove this file from an infected system.
- The uninstall feature of the Intelligent Tax software will not uninstall GoldenSpy. Let GoldenSpy run as an open back door in the environment, even after the tax software has been completely removed.
- GoldenSpy is not downloaded and installed for up to two full hours after the tax software installation process completes. When it is finally downloaded and installed, it does so silently, without notification on the system. This long delay is very unusual and is a method of hiding from the victim’s warning.
- GoldenSpy does not contact the tax software network infrastructure (i-xinnuo[.]com), rather it reaches ningzhidata[.]com, a domain known to host other variations of the GoldenSpy malware. After the first three attempts to contact your command and control server, it randomizes the beacon times. This is a known method of bypassing network security technologies designed to identify beaconing malware.
- GoldenSpy operates with SYSTEM level privileges, making it highly dangerous and capable of running any software on the system. This includes additional malware or Windows administrative tools to perform reconnaissance, create new users, escalate privileges, etc.
Thursday’s publication said Trustwave threat analysts identified “similar activity” at a second company, but don’t have many other details. The security firm has found variations of GoldenSpy dating back to the end of 2016, but the first indication that the backdoor was used in the wild is in April, when the campaign against the tech company began. Investigators still don’t know the scope, purpose, or the actors behind the threat. Trustwave did not identify the two companies that encountered GoldenSpy or the Chinese local bank that required the installation of Intelligent Tax. Representatives of Aisino Corporation did not immediately respond to an email seeking comment for this post.
