As soon as security researchers uncovered the activity of GoldenSpy backdoor, the actor behind it fell back and delivered an uninstall tool to remove all traces of the malware.
GoldenSpy stayed hidden in software called Intelligent Tax, from Aisino Corporation, that a Chinese bank required its company customers to install for paying local taxes.
Double taxation on foreign companies
Following an investigation into suspicious behavior on systems belonging to one of their clients, researchers at Trustwave SpiderLabs found that Intelligent Tax exhibited behavior unrelated to its tax function, which they traced to the GoldenSpy component.
Although the actor and the purposes behind GoldenSpy remain unclear, the researchers say that the component has characteristics similar to a coordinated advanced persistent threat (APT) campaign that focuses on foreign companies operating in China.
The backdoor runs with the highest privileges on the system, allowing it to execute any software, legitimate or not. The activity observed consisted of exfiltrating basic system information and beaconing a remote server for updates.
The Aisino software has its own update mechanism and did not remove the backdoor from the system when uninstalled. Moreover, GoldenSpy was not installed with Intelligent Tax but downloaded and deployed silently two hours later.
Furthermore, two identical versions were installed as autostart services (“svm.exe” and “svmm.exe”) for persistence on the computer. Should either of them stop, its counterpart starts running.
It’s worth noting that svm.exe is signed with a certificate from a company named Chenkuo Network Technology and its description translates to “certified software version upgrade service.”
An October 2016 announcement describes a partnership between Chenkuo and Aisino for “big data cooperation,” the researchers found. They admit that GoldenSpy could enable big data access and collection but have no clue if Chenkuo is actively and willingly involved in this operation.
An exeprotector module keeps an eye on both copies and retrieves a new version if either copy is deleted. This shows that removing GoldenSpy is far from an easy task.
Trustwave found that the backdoor uses a different network infrastructure than Aisino’s tax software. It gets updates from a domain (“ningzhidata[.]com” – registered on September 22, 2019) that hosts other GoldenSpy variations.
“After the first three attempts to contact its command and control server, it randomizes beacon times. This is a known method to avoid network security technologies designed to identify beaconing malware,” Trustwave said in its first report.
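The randomized beacon timing Trustwave describes defeats detectors that look for a fixed call-home interval, but a jittered beacon still clusters around a period. The script below is an added example, not Trustwave's code or anything from the report: it runs over constructed outbound-connection records (three flows with invented RFC 5737 addresses and gap values) and contrasts a naive fixed-interval check with a jitter-tolerant one based on the coefficient of variation of the inter-connection gaps.

```python
"""Jitter-tolerant beacon detection over constructed outbound-connection logs.

Added example for illustration; the flows, addresses and gap values below are
constructed, not taken from any real capture or from the GoldenSpy report.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inter-connection gaps (seconds) for three flows.
CONSTRUCTED_FLOWS = {
    # fixed-interval beacon: exactly every 300 s
    "10.0.0.5 -> 203.0.113.10:8090": [300] * 9,
    # randomized beacon: ~300 s with per-beacon jitter
    "10.0.0.6 -> 203.0.113.10:8090": [262, 341, 288, 319, 271, 330, 295, 312, 280],
    # ordinary browsing: irregular, bursty gaps
    "10.0.0.7 -> 198.51.100.20:443": [5, 120, 3, 900, 40, 2000, 7, 15, 60],
}


def build_log(flows, start="2020-06-26T08:00:00"):
    """Render the constructed flows as 'timestamp src dst:port' log lines."""
    lines = []
    for flow, gaps in flows.items():
        src, dst = flow.split(" -> ")
        t = datetime.fromisoformat(start)
        lines.append(f"{t.isoformat()} {src} {dst}")
        for gap in gaps:
            t += timedelta(seconds=gap)
            lines.append(f"{t.isoformat()} {src} {dst}")
    return "\n".join(lines)


def parse_log(text):
    """Group connection timestamps by (src, dst:port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def gaps_seconds(times):
    """Inter-connection gaps in seconds, in chronological order."""
    times = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def fixed_interval_match(gaps, tolerance=0.05):
    """Naive detector: every gap within +/-5% of the median. Jitter defeats it."""
    if len(gaps) < 2:
        return False
    med = statistics.median(gaps)
    return all(abs(g - med) <= tolerance * med for g in gaps)


def jitter_tolerant_match(gaps, min_events=8, max_cv=0.25, min_median=60):
    """Flag flows whose gaps cluster around a period even when each gap is randomized.

    The coefficient of variation (stdev / mean) stays small for a jittered beacon
    and large for human-driven traffic; thresholds here are illustrative.
    """
    if len(gaps) + 1 < min_events:
        return False
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return False
    cv = statistics.pstdev(gaps) / mean
    return cv <= max_cv and statistics.median(gaps) >= min_median


def analyze(text):
    """Per-flow summary: event count, median gap, CV and both detector verdicts."""
    result = {}
    for (src, dst), times in parse_log(text).items():
        g = gaps_seconds(times)
        result[f"{src} -> {dst}"] = {
            "events": len(times),
            "median_gap": statistics.median(g) if g else None,
            "cv": round(statistics.pstdev(g) / statistics.fmean(g), 3) if g else None,
            "fixed_interval": fixed_interval_match(g),
            "jitter_tolerant": jitter_tolerant_match(g),
        }
    return result


if __name__ == "__main__":
    for flow, verdict in analyze(build_log(CONSTRUCTED_FLOWS)).items():
        print(flow, verdict)
```

On the constructed data the fixed-interval check catches only the first flow, while the CV-based check flags both beacons and leaves the browsing flow alone. In production the thresholds need tuning against legitimate periodic traffic (update checks, NTP, monitoring agents), which is exactly why the destination's reputation and the process making the connection should be correlated with the timing signal rather than relying on timing alone.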
This behavior was observed on systems from a global technology vendor, one of Trustwave’s clients that had opened their business in China recently. The researchers say that a highly similar incident occurred at a major financial institution.
Three days after exposing GoldenSpy behavior, Trustwave noticed a new component downloaded by the Aisino Intelligent Tax software that completely removed all trace of the backdoor.
The uninstaller deleted registry entries, GoldenSpy files, folders, and log data and then removed itself from the system just as silently as during the initial malware installation (no permission, no notification).
The researchers note that from June 28 Intelligent Tax no longer delivered GoldenSpy to infected machines. Instead, it fetched a customized uninstaller called “AWX.Exe” from 188.8.131.52:8090.
Trustwave believes that the threat became active in April 2020, although they found versions with a timestamp from 2016 that had not been analyzed until this year.
Their report emphasizes that the discovery of GoldenSpy generated plenty of questions that have no answer at the moment.
“We do not yet know the scope, purpose, or actors behind the threat. Has it impacted hundreds of customers, or just a few? Is it designed to compromise networks and exfiltrate data or was it just a very, very poorly designed updater? Is this a Nation-State sponsored threat campaign, was it planted by a malicious insider at the software design company, or even by an unknown adversary external to the company?”
What is clear is that GoldenSpy violates compliance requirements from most regulatory agencies, since it allows remote adversary control of the system. In the worst-case scenario, GoldenSpy is an APT campaign aimed at companies operating in China.