A large, multinational technology company got a nasty surprise recently as it was expanding its operations to China. The software a local bank required the company to install so it could pay local taxes contained an advanced backdoor.
The cautionary tale, detailed in a report published Thursday, said the software package, called Intelligent Tax and produced by Beijing-based Aisino Corporation, worked as advertised. Behind the scenes, it also installed a separate program that covertly allowed its creators to remotely execute commands or software of their choice on the infected computer. It was also digitally signed by a Windows trusted certificate.
Researchers from Trustwave, the security firm that made the discovery, have dubbed the backdoor GoldenSpy. With system-level privileges to a Windows computer, it connected to a control server located at ningzhidata[.]com, a domain Trustwave researchers said is known to host other variations of the malware. The backdoor included a variety of advanced features designed to gain deep, covert, and persistent access to infected computers.
According to Thursday’s post, those features include:
- GoldenSpy installs two identical versions of itself, both as persistent autostart services. If either stops running, it will respawn its counterpart. Furthermore, it utilizes an exe protector module that monitors for the deletion of either iteration of itself. If deleted, it will download and execute a new version. Effectively, this triple-layer protection makes it exceedingly difficult to remove this file from an infected system.
- The Intelligent Tax software’s uninstall feature will not uninstall GoldenSpy. It leaves GoldenSpy running as an open backdoor into the environment, even after the tax software is fully removed.
- GoldenSpy is not downloaded and installed until a full two hours after the tax software installation process is completed. When it finally downloads and installs, it does so silently, with no notification on the system. This long delay is highly unusual and a method to hide from the victim’s notice.
- GoldenSpy does not contact the tax software’s network infrastructure (i-xinnuo[.]com), rather it reaches out to ningzhidata[.]com, a domain known to host other variations of GoldenSpy malware. After the first three attempts to contact its command and control server, it randomizes beacon times. This is a known method to avoid network security technologies designed to identify beaconing malware.
- GoldenSpy operates with SYSTEM level privileges, making it highly dangerous and capable of executing any software on the system. This includes additional malware or Windows administrative tools to conduct reconnaissance, create new users, escalate privileges, etc.
Thursday’s post said that Trustwave threat analysts identified “similar activity” at a second company but don’t have many other details. The security firm has found variations of GoldenSpy that date back to late 2016, but the first indication the backdoor was actually used in the wild is in April, when the campaign against the tech company began. Researchers still don’t know the scope, purpose, or actors behind the threat. Trustwave didn’t identify the two companies that encountered GoldenSpy or the local Chinese bank that required that Intelligent Tax be installed. Representatives of Aisino Corporation didn’t immediately respond to an email seeking comment for this post.