Organizations doing business in China have been warned that official looking software mandated for download by domestic banks may actually contain backdoor malware.
Trustwave explained in a new report that it discovered several clients had unwittingly installed the GoldenSpy backdoor after agreeing to download the Intelligent Tax software, produced by the Golden Tax Department of Aisino Corporation.
Although it worked as advertised, the software also contained a powerful backdoor that could not be removed, even if Intelligent Tax was uninstalled.
“It installed a hidden backdoor on the system that enabled a remote adversary to execute Windows commands or to upload and execute any binary (to include ransomware, Trojans or other malware),” explained Trustwave VP of cyber-threat detection and response, Brian Hussey.
“Basically, it was a wide-open door into the network with system-level privileges and connected to a command and control server completely separate from the tax software’s network infrastructure.”
He admitted that it remains unclear whether the backdoor was added to the software unbeknownst to the local bank, or if the scheme is one that affects a wide range of businesses across China.
Although the current campaign began in April this year, GoldenSpy variants apparently date back to December 2016, a couple of months after Aisino announced a new ‘big data’ partnership with a company called Chenkuo Network Technology.
That same company digitally signs GoldenSpy using text, “certified software version upgrade service,” designed to legitimize the malware.
Neither Chinese firm had replied to Trustwave at the time of writing.
“We believe that every corporation operating in China or using the Aisino Intelligent Tax Software should consider this incident a potential threat and should engage in threat hunting, containment and remediation countermeasures, as outlined in our technical report,” concluded Hussey.