The US government has been forced to issue another warning to organizations doing business in China after reports of a potentially widespread attempt to remotely target them with powerful malware hidden in tax software.
Red flags were originally raised by Trustwave researchers, who warned back in June that they had discovered a backdoor dubbed GoldenSpy in the tax software domestic banks force foreign companies to install.
This hidden malware could not be removed and provided its authors with a means to remotely install additional malware.
A few days later Trustwave discovered another backdoor, GoldenHelper, which had been deployed in a similar way from 2018-19. The naming convention comes from China’s “Golden Tax” VAT scheme, which mandates that banks require all companies to download software from either Aisino or Baiwang to comply.
Researchers at the vendor had also discovered an attempt to cover-up the scandal: just days after it first broke news of GoldenSpy, Trustwave spotted an uninstaller designed to remove any trace of the backdoor.
Now the FBI and Cybersecurity and Infrastructure Security Agency (CISA) have issued a Flash alert to US businesses warning that each new attempt to remove the malware requires attention from security teams, as the attackers try to evade network security rules.
“This reveals the actors’ high level of sophistication and operational awareness. The software service providers have not provided a statement acknowledging the software supply chain compromise,” it noted.
“The FBI assesses that the cyber-actors’ persistent attempts to silently remove the malware is not a sign of resignation. Rather, it is an effort to hide their capabilities. Organizations conducting business in China continue to be at risk from system vulnerabilities exploited by the tax software and similar supply chains.”