A new report by Trustwave’s Threat Fusion Team has uncovered a previously unknown malware targeting companies doing business in China. The malware was uncovered through a recent proactive threat hunt commissioned by an undisclosed client.
Named “GoldenSpy” by Trustwave, the newly discovered code is embedded in tax payment software required by a Chinese bank in order to conduct business in China. It’s possible that other companies doing business in China have also downloaded the same malware infected software, developed by the Aisino Corporation. A spokesman for Trustwave said that attempts to contact Aisino were unsuccessful.
Although the tax software appeared to operate as advertised, Trustwave researchers learned that the software installed a hidden backdoor that enabled remote execution of system-level Windows commands, including the ability to upload and execute ransomware, trojans, and additional malware. The malicious download occurred unannounced, approximately two hours after installation of the tax software. Two versions are installed. If either one stops running, it will leverage its counterpart. If deleted, it will download and execute a new version, thereby making it very difficult to eradicate. Uninstalling the tax software apparently does not uninstall the malware.
GoldenSpy’s file names suggest that it’s merely a conventional update service, but the tax software has its own update service completely unrelated to GoldenSpy. The malware does not contact the tax software’s network infrastructure. It instead contacts command and control servers at a third-party Chinese domain.
The scope of this campaign is not currently known. Trustwave SpiderLabs is actively investigating and seeking out more information. They can be contacted at [email protected]. A full technical report and additional resources are available at www.trustwave.com.
AVANT’s Ken Presti has conducted an in-depth interview with Trustwave’s Steve Pierce. Listen to the podcast, “AVANT Technology Insights with Ken Presti,” on Apple, Google, or Spotify. It can also be found at www.goavant.net/podcast.