Security Market Segment LS
Sunday, 28 June 2020 18:54

Trustwave finds new Windows malware targeting firms doing business in China Featured

Trustwave finds new Windows malware targeting firms doing business in China Image by Gerd Altmann from Pixabay

Chicago-based security firm Trustwave claims to have found a new Windows malware family, which it has christened GoldenSpy, that is embedded in tax payment software that a Chinese bank requires companies to install to do business with it in China.

Trustwave researcher Brian Hussey said in a detailed blog post that the behaviour of an executable file that was found in April had raised the suspicions of the research team. A white paper on the topic is here and can be downloaded after registration.

The executable was said to exhibit unusual behaviour and send system information to what Hussey described as a "suspicious Chinese domain," which was known to host other Windows malware.

Trustwave's client, a global technology vendor, told the research firm this was part of the software that their bank in China required them to install. On opening operations in China, their local bank had asked them to install software known as Intelligent Tax made by the Golden Tax Department of Aisino Corporation in order to pay their local taxes.

The report has been released at a time when US-China tensions are high in the rundown to the US presidential elections in November.

Hussey said while software worked as advertised, it also installed a hidden backdoor that would allow a remote operator to execute Windows commands or to upload any execute any binary - which could have been ransomware, trojans or other malware.

"Basically, it was a wide-open door into the network with SYSTEM level privileges and connected to a command and control server completely separate from the tax software’s network infrastructure," Hussey said. "Based on this, and several other factors, we determined this file to have sufficient characteristics to be malware. We’ve since fully reverse-engineered the files and named the family GoldenSpy."

The digital signature used for GoldenSpy was from a company named Chenkuo Network Technology and it used identical text for both product and description fields: 认证软件版本升级服务 – which translates to “certified software version upgrade service”.

Hussey said the name sounded like legitimate software, but the tax software already had its own updater service that functioned well in a way that was completely unrelated to GoldenSpy.

He cited the following characteristics which he termed suspicious:

  • Two identical versions of GoldenSpy got installed, both as persistent autostart services. If either stopped running, it would respawn its counterpart. Additionally, it used an exeprotector module that tracked deletion of either iteration. If deleted, it would download and execute a new version, making it exceedingly difficult to remove this file from an infected system.
  • The Intelligent Tax software’s uninstall feature did not uninstall GoldenSpy but left it running as an open backdoor into the environment, even after the tax software was fully removed.
  • GoldenSpy was not downloaded and installed until two hours after the tax software installation. The installation was quiet, with no notification. This long delay was highly unusual and a method to hide from the victim’s notice.
  • GoldenSpy did not contact the tax software’s network infrastructure (i-xinnuo[.]com), but instead reached out to ningzhidata[.]com, a domain registered on 22 September 2019 known to host other variations of GoldenSpy malware. After the first three attempts to contact its command and control server, it randomised beacon times. This is a known method to avoid network security technologies designed to identify beaconing malware.
  • GoldenSpy operated with SYSTEM level privileges, which meant it could run any software on the system, including additional malware or Windows administrative tools to conduct reconnaissance, create new users, escalate privileges, etc.

Hussey said he had contacted Aisino Corporation and Nanjing Chenkuo Network Technology about these findings. No response had been received by the time the white paper was to be published.

"We recommend immediately removing any Aisino Tax software which includes mechanisms to download GoldenSpy. If this is not possible for business-criticality reasons, take steps to remove GoldenSpy specifically, hunt for the IOC’s provided in this report, and blacklist all malicious code and C2 servers from your network," Hussey added.

Subscribe to ITWIRE UPDATE Newsletter here


The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


Sam Varghese

Web Analytics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News