Trustwave researcher Brian Hussey said in a detailed blog post that the behaviour of an executable file that was found in April had raised the suspicions of the research team. A white paper on the topic is available here and can be downloaded after registration.
The executable was said to exhibit unusual behaviour and send system information to what Hussey described as a "suspicious Chinese domain," which was known to host other Windows malware.
Trustwave's client, a global technology vendor, told the research firm this was part of the software that their bank in China required them to install. On opening operations in China, their local bank had asked them to install software known as Intelligent Tax made by the Golden Tax Department of Aisino Corporation in order to pay their local taxes.
The report has been released at a time when US-China tensions are high in the run-up to the US presidential elections in November.
"Basically, it was a wide-open door into the network with SYSTEM level privileges and connected to a command and control server completely separate from the tax software’s network infrastructure," Hussey said. "Based on this, and several other factors, we determined this file to have sufficient characteristics to be malware. We’ve since fully reverse-engineered the files and named the family GoldenSpy."
The digital signature used for GoldenSpy was from a company named Chenkuo Network Technology and it used identical text for both product and description fields: 认证软件版本升级服务 – which translates to “certified software version upgrade service”.
Hussey said the name sounded like legitimate software, but the tax software already had its own updater service, which worked properly and was completely unrelated to GoldenSpy.
He cited the following characteristics which he termed suspicious:
- Two identical versions of GoldenSpy were installed, both as persistent autostart services. If either stopped running, it would respawn its counterpart. Additionally, it used an exeprotector module that tracked deletion of either iteration. If one was deleted, it would download and execute a new version, making it exceedingly difficult to remove this file from an infected system.
- The Intelligent Tax software’s uninstall feature did not uninstall GoldenSpy but left it running as an open backdoor into the environment, even after the tax software was fully removed.
- GoldenSpy was not downloaded and installed until two hours after the tax software installation. The installation was quiet, with no notification. This long delay was highly unusual and a method to hide from the victim’s notice.
- GoldenSpy did not contact the tax software’s network infrastructure (i-xinnuo[.]com), but instead reached out to ningzhidata[.]com, a domain registered on 22 September 2019 known to host other variations of GoldenSpy malware. After the first three attempts to contact its command and control server, it randomised beacon times. This is a known method to avoid network security technologies designed to identify beaconing malware.
- GoldenSpy operated with SYSTEM level privileges, which meant it could run any software on the system, including additional malware or Windows administrative tools to conduct reconnaissance, create new users, escalate privileges, etc.
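The C2-contact behaviour in the list above (traffic to a domain outside the tax software's own infrastructure, regular at first and then randomised) is something a defender can hunt for in proxy or DNS logs. The following Python is an added example, not Trustwave's code or a tool from the report: it assumes a constructed log line format ("date time host -> domain") and constructed sample lines; only the two domain names come from the article.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Domains named in the report: the tax software's own infrastructure and the GoldenSpy C2.
EXPECTED_DOMAINS = {"i-xinnuo.com"}
KNOWN_C2 = {"ningzhidata.com"}

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+)$")  # constructed format: "<date> <time> <host> -> <domain>"

# Constructed sample: three 60 s beacons, then randomised intervals, as the report describes.
SAMPLE_LOG = """\
2020-04-14 10:00:00 wkstn-07 -> i-xinnuo.com
2020-04-14 10:30:00 wkstn-07 -> update.example.net
2020-04-14 12:00:05 wkstn-07 -> ningzhidata.com
2020-04-14 12:01:05 wkstn-07 -> ningzhidata.com
2020-04-14 12:02:05 wkstn-07 -> ningzhidata.com
2020-04-14 12:07:41 wkstn-07 -> ningzhidata.com
2020-04-14 12:09:12 wkstn-07 -> ningzhidata.com
2020-04-14 12:21:58 wkstn-07 -> ningzhidata.com
"""

def parse(lines):
    """Group contact timestamps by (host, domain); unparseable lines are skipped."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            seen[(m.group(2), m.group(3))].append(ts)
    return seen

def looks_periodic(timestamps, max_cv=0.1):
    """Naive beacon test: inter-arrival gaps nearly constant (low coefficient of variation)."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return False
    return statistics.pstdev(gaps) / statistics.mean(gaps) <= max_cv

def hunt(lines, min_contacts=4):
    """Flag (host, domain) pairs outside expected infrastructure that are periodic or simply repeated."""
    findings = {}
    for (host, domain), ts in parse(lines).items():
        if domain in EXPECTED_DOMAINS:
            continue
        periodic = looks_periodic(sorted(ts))  # jitter defeats this test, repetition does not
        if periodic or len(ts) >= min_contacts:
            reason = "known_c2" if domain in KNOWN_C2 else "unexpected_domain"
            findings[(host, domain)] = {"reason": reason, "periodic": periodic, "count": len(ts)}
    return findings
```

Running `hunt(SAMPLE_LOG.splitlines())` flags the ningzhidata[.]com contacts on count alone, since the randomised gaps fail the regularity test; the single contact to the unexpected update domain is not flagged.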
Hussey said he had contacted Aisino Corporation and Nanjing Chenkuo Network Technology about these findings. No response had been received by the time the white paper was to be published.
"We recommend immediately removing any Aisino Tax software which includes mechanisms to download GoldenSpy. If this is not possible for business-criticality reasons, take steps to remove GoldenSpy specifically, hunt for the IOCs provided in this report, and blacklist all malicious code and C2 servers from your network," Hussey added.