A previously uncharted malware, dubbed GoldenSpy, is embedded in tax payment software that a Chinese bank insists its corporate customers use to conduct business locally, a new report from Top 200 MSSP Trustwave said.
GoldenSpy, which is thought to have been planted inside the Aisino Intelligent Tax software, could negatively affect “countless” companies and foreign organizations operating in China, Trustwave’s SpiderLabs said. But for now, Trustwave’s researchers believe the bug has affected only one of its clients although they acknowledge many more outfits may be involved. Trustwave described the unnamed client as a “global technology vendor with significant government business” conducted in the U.S., Australia, the U.K. and in newly opened offices in China.
“We identified an executable file displaying highly unusual behavior and sending system information to a suspicious Chinese domain,” the researchers said. “ informed us that upon opening operations in China, their local Chinese bank required that they install a software package called Intelligent Tax produced by the Golden Tax Department of Aisino Corporation, for paying local taxes.”
According to Trustwave’s research, the malware installs a hidden backdoor that enables a remote adversary to execute Windows commands or to upload and execute any binary, including ransomware and trojans. At this point, the scope of the malware campaign hasn’t been pinned down, nor has Trustwave conclusively determined whether it was a targeted attack. Trustwave said it has identified similar activity at a global financial institution but lacks enough data to know how far the infection may have spread. Its researchers said the “scope, purpose, or actors behind the threat” are unknown.
The current GoldenSpy campaign began in earnest in April, but variants have been found that date back to December 2016, a few months after Chenkuo Technology announced a partnership with Aisino, the researchers said. Of note, GoldenSpy was digitally signed by Chenkuo, and the signature used identical text for both the product and description fields. No evidence yet exists to tie Chenkuo or Aisino to the malware.
“We believe that every corporation operating in China or using the Aisino Intelligent Tax software should consider this incident a potential threat and should engage in threat hunting, containment, and remediation countermeasures,” the researchers said.
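As a starting point for the threat hunting the researchers recommend, the following PowerShell script is an added example written for this page; it is not Trustwave’s tooling and contains no indicators from the report beyond what the text states. It inventories the binaries behind running processes and installed services and flags two traits the article attributes to GoldenSpy: embedded version info whose product name and file description are identical, and an Authenticode signer whose subject mentions Chenkuo. Both the substring used for the signer match and the mapping of “product and description fields” onto the ProductName and FileDescription version-info fields are assumptions. A hit is a lead for analyst review, not a verdict: plenty of legitimate software reuses one string for both fields.

```powershell
# Added hunting helper (not Trustwave's tooling). Flags binaries whose version info
# uses the same text for ProductName and FileDescription, and/or whose signer subject
# contains the pattern below. Run from an elevated prompt for full process visibility.

$SignerPattern = 'Chenkuo'   # assumption: substring expected in the signer certificate subject

function Get-CandidateBinaries {
    $paths = @()
    # Running processes; Path is empty for protected/system processes, so skip those
    $paths += Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } | ForEach-Object { $_.Path }
    # Installed services: strip arguments and surrounding quotes from PathName.
    # Unquoted paths containing spaces are truncated at the first space (known limitation).
    $paths += Get-CimInstance Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $p = $_.PathName.Trim()
            if ($p.StartsWith('"')) { $p.Substring(1, $p.IndexOf('"', 1) - 1) }
            else { ($p -split ' ')[0] }
        }
    $paths | Where-Object { Test-Path -LiteralPath $_ } | Sort-Object -Unique
}

function Test-SuspiciousBinary {
    param([string]$Path)
    $vi  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $reasons = @()
    if ($vi.ProductName -and $vi.FileDescription -and
        $vi.ProductName.Trim() -eq $vi.FileDescription.Trim()) {
        $reasons += 'ProductName equals FileDescription'
    }
    if ($subject -match $SignerPattern) {
        $reasons += "signer subject matches '$SignerPattern'"
    }
    if ($reasons.Count -eq 0) { return $null }

    # One record per flagged binary; SignatureStatus shows whether the signature is valid
    [pscustomobject]@{
        Path            = $Path
        ProductName     = $vi.ProductName
        FileDescription = $vi.FileDescription
        Signer          = $subject
        SignatureStatus = $sig.Status
        Reasons         = ($reasons -join '; ')
    }
}

Get-CandidateBinaries |
    ForEach-Object { Test-SuspiciousBinary -Path $_ } |
    Where-Object { $_ } |
    Format-Table -AutoSize
```

Pipe the final output to `Export-Csv` instead of `Format-Table` when collecting results across a fleet, and review flagged entries against the host’s expected software inventory before treating any of them as evidence of compromise.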