Threat Watch

More Malware Discovered in Chinese Tax Software

Last month, users were warned that the Intelligent Tax software product by the Aisino Corporation was found to have the GoldenSpy backdoor hidden within it. Now it appears that GoldenSpy was not the only malware hidden within Chinese corporate tax software: the GoldenHelper malware was discovered in the Golden Tax Invoicing Software from Baiwang. While GoldenHelper is functionally different from GoldenSpy, both share a similar delivery method. They utilize three DLLs to interface with the Golden Tax software, bypass Windows security, escalate privileges, and download and execute arbitrary code. GoldenHelper also uses several means of obfuscation to evade detection, including name randomization while in transit. From January 2018 to July 2019, GoldenHelper was found to install a final payload named “taxver.exe,” though no samples have been analyzed at this time.

ANALYST NOTES

China’s banks require all companies doing business within China to utilize tax software from either Aisino or Baiwang to comply with tax security regulations. This indicates that this campaign either is being run by the Chinese government or has the blessing of the Chinese government. Defending against malicious software becomes difficult when that software comes from what are supposed to be “legitimate trusted sources,” especially when using that software is a government requirement. While an infection like this begins on the initially infected machine, any device on a corporate network that becomes infected puts the entire network at risk. Close monitoring of network activity, as well as of unusual activity from endpoints, is one of the best means of defending against a well-planned and sophisticated attack like this one. Being able to identify and quarantine machines early can minimize the damage done in a campaign such as this one. More information on this incident can be found at https://www.infosecurity-magazine.com/news/more-malware-hidden/