Cybersecurity Firm Finds More Spyware Hidden In Chinese Tax Software
A malware campaign hiding backdoors in mandatory Chinese corporate tax software is far more extensive than at first thought, according to researchers from Trustwave. The vendor warned last month that it discovered several clients had unwittingly installed the GoldenSpy backdoor after agreeing to download the Intelligent Tax software product, produced by Aisino Corporation.
GoldenHelper, as researchers from security firm Trustwave dubbed the malware, hid inside the Golden Tax Invoicing software, which all companies registered in China are mandated to use to pay value-added taxes. The malware is able to bypass the User Account Control, the Windows mechanism that requires users to give their approval before software can install programs or make other system changes. Once that’s done, GoldenSpy can install modules with System-level privileges. Trustwave published its findings on Tuesday.
GoldenHelper employs other tricks to conceal its malicious behavior and evade detection from endpoint protection systems and software. The tricks include:
- Randomly generated filenames
- Randomly generated “creation” and “last write” timestamps
- Attempted downloading of executable files using fake filenames with extensions such as .gif, .jpg, and .zip
- Hardcoded logic that uses domain lookup data to control download locations, the content downloaded, and where the content is placed
- Use of an IP-based domain-generation algorithm to change command-server locations on the fly
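A defender-side check for two of the tricks listed above (executables fetched under image or archive extensions, and randomised timestamps), added here as an example and not code from Trustwave or from the report: it flags .gif/.jpg/.zip files that begin with a Windows PE header, and files whose last-write time is implausible. The sample files are constructed in a temporary directory and are not real GoldenHelper artifacts.

```python
import os
import tempfile
import time
from pathlib import Path

# Decoy extensions the report says were used for downloaded executables.
DECOY_EXTENSIONS = {".gif", ".jpg", ".zip"}
PE_MAGIC = b"MZ"  # every Windows PE file starts with this DOS stub signature


def is_masqueraded_pe(path):
    """True when a .gif/.jpg/.zip file actually starts with a PE header."""
    if path.suffix.lower() not in DECOY_EXTENSIONS:
        return False
    with path.open("rb") as fh:
        return fh.read(2) == PE_MAGIC


def scan_directory(root, now=None):
    """Return (filename, reason) pairs for files that look like disguised payloads."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if is_masqueraded_pe(path):
            findings.append((path.name, "PE header behind image/archive extension"))
        st = path.stat()
        # Randomised timestamps can land outside any plausible range: flag a last-write
        # time in the future, or one before creation (st_birthtime exists only on some OSes).
        if st.st_mtime > now + 86400:
            findings.append((path.name, "last-write timestamp is in the future"))
        birth = getattr(st, "st_birthtime", None)
        if birth is not None and st.st_mtime < birth - 1:
            findings.append((path.name, "last-write timestamp precedes creation"))
    return findings


def demo():
    """Build constructed sample files (not real malware) and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logo.gif").write_bytes(b"GIF89a" + b"\x00" * 32)        # benign image
        (root / "update.gif").write_bytes(b"MZ\x90\x00" + b"\x00" * 32)  # PE under .gif
        stomped = root / "data.zip"
        stomped.write_bytes(b"PK\x03\x04" + b"\x00" * 32)
        future = time.time() + 10 * 365 * 86400                          # ten years ahead
        os.utime(stomped, (future, future))                              # stomped timestamp
        return scan_directory(root)
```

Running `demo()` reports `data.zip` for its future timestamp and `update.gif` for its PE header, while the genuine GIF passes.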
In some cases, banks deploy the Golden Tax software as stand-alone systems. Trustwave said it uncovered reports from several people who said they received computers running Windows 7 Home Edition that had the tax software and the hidden GoldenHelper preinstalled.
Now these same researchers are warning of “GoldenHelper,” another backdoor malware that was found in a program called Golden Tax Invoicing Software (Baiwang Edition), which Trustwave says is also developed by Aisino, through its subsidiary NouNou Technology. According to Trustwave, GoldenHelper is actually a precursor to GoldenSpy.
Strangely, there is a company called Baiwang that also develops Chinese VAT invoicing software, but Trustwave found no official connection between Golden Tax and that company, despite the allusion to a Baiwang Edition in the name of the software.
Chinese banks require their clients to use Golden Tax for value-added tax invoicing purposes, meaning companies may have had no choice but to install software capable of malicious activity in order to conduct business and pay taxes in China, Trustwave reports in a new company blog post published this morning. Intelligent Tax was likewise required by at least one Chinese bank, presenting clients with a similar dilemma.
GoldenHelper is not a final payload. Rather, it drops a secondary malware called taxver.exe, the purpose of which is not known. Trustwave notes that the malware “utilizes sophisticated techniques to hide its delivery, presence, and activity,” including obfuscation via fake and randomized filenames, timestomping (the randomization of timestamps), UAC bypass and privilege escalation.
In another odd twist, Trustwave found that Golden Tax software and the GoldenHelper malware hidden within may have been distributed to targets through Windows 7 computers (Home edition) that were shipped to clients with the software preinstalled. “This deployment mechanism is an interesting physical manifestation of a trojan horse,” states the blog post.
Because businesses that operate in China must, by government law, use the VAT tax invoice software, Trustwave “recommends that any system hosting third-party applications with a potential for adding a gateway into your environment, be isolated and heavily monitored with strict processes and procedures in their usage.”
Unlike the investigation into GoldenSpy, Trustwave researchers have yet to find samples of the final payload installed by GoldenHelper. The filename is taxver.exe. Trustwave asks that anyone who can provide a sample reach out to researchers at firstname.lastname@example.org.