Security Market Segment LS
Friday, 03 July 2020 05:35

Trustwave China malware study appears to have had favourable effect

Trustwave China malware study appears to have had favourable effect Image by moerschy from Pixabay

Chicago-based security firm Trustwave's findings on a new Windows malware family christened GoldenSpy, that it recently said was being embedded in tax payment software that a Chinese bank requires companies to install to do business with it in China, appears to have had a positive effect.

The company issued a second blog post on 30 June — which has not gained as wide publicity as the first did — saying that it had now found a new file being downloaded by the Aisino Intelligent Tax product which deleted the GoldenSpy malware.

In the initial report, Trustwave researcher Brian Hussey said the behaviour of an executable file that had been found in April had raised the suspicions of the research team. The executable was said to exhibit unusual behaviour and send system information to what Hussey described as a "suspicious Chinese domain," which was known to host other Windows malware.

Trustwave's client, a global technology vendor, had told the research firm this was part of the software that their bank in China required them to install. On opening operations in China, their local bank had asked them to install software known as Intelligent Tax made by the Golden Tax Department of Aisino Corporation in order to pay their local taxes.

In the new blog post, Hussey wrote: "On June 28, our Threat Fusion team identified a new file being downloaded by the Aisino Intelligent Tax product. But this time it had nothing to do with remote command and control of the victim. Rather, this new sample’s sole mission is to delete GoldenSpy and remove any trace it existed.

"Including the deletion of registry entries, all files and folders (including the GoldenSpy log file), and finally, the uninstaller deletes itself with the following command: cmd.exe /c del /q C:\Users\admin\AppData\Local\Temp\AWX.exe. Note the “/c” which will terminate the Windows Command-line interface after the operation is completed and “/d” which will delete without asking permission or giving any notification. Gone without a trace, or even knowing it was there."

But he said while the Trustwave SpiderLabs team was gratified to see its GoldenSpy research and analysis "result in such a rapid course reversal in the Golden Tax threat campaign, we are not so optimistic as to believe that this new development signifies a slowdown in threat actor activity".

"This threat is a clear and present danger, driven by incredibly smart and innovative adversaries. We will allow for the briefest of pats on the back and then return to hunting for the next threat."

Hussey said organisations must "continuously be vigilant, always threat hunting, because our adversaries will continue to find new ways to trick, manipulate, and socially engineer their way into environments".

He added that the value of the GoldenSpy case-study was not the IOCs (indicators of compromise) provided, it was the lesson that malware can be cleverly hidden in any software, regardless of its source or supposed legitimacy.

Hussey's new blog post provides intricate details of how the uninstaller for GoldenSpy works.

Subscribe to Newsletter here


Recently iTWire remodelled and relaunched how we approach "Sponsored Content" and this is now referred to as "Promotional News and Content”.

This repositioning of our promotional stories has come about due to customer focus groups and their feedback from PR firms, bloggers and advertising firms.

Your Promotional story will be prominently displayed on the Home Page.

We will also provide you with a second post that will be displayed on every page on the right hand side for at least 6 weeks and also it will appear for 4 weeks in the newsletter every day that goes to 75,000 readers twice daily.



It's all about Webinars.

These days our customers Advertising & Marketing campaigns are mainly focussed on Webinars.

If you wish to promote a Webinar we recommend at least a 2 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial.

For covid-19 assistance we have extended terms, a Webinar Business Booster Pack and other supportive programs.

We look forward to discussing your campaign goals with you. Please click the button below.


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.





Guest Opinion

Guest Interviews

Guest Research & Case Studies

Channel News