Malware

GoldenHelper, a new malware delivered via Chinese tax software

Security researchers discovered another malware family delivered through tax software that some businesses operating in China are required to install.

Security researchers at Trustwave have discovered another malware family delivered through tax software that Chinese banks require companies operating in the country to install.

At the end of June, the same team of experts spotted GoldenSpy, a new backdoor, that is being distributed embedded in tax payment software (the Aisino Intelligent tax software) that some businesses operating in China are required to install.

The campaign is active since at least April 2020, but experts found some samples that suggest the attacks begun at least December 2016.

A few days after the publishing of the report, an uninstaller was pushed to compromised machines, to completely remove GoldenSpy implementing the removal procedure suggested by Trustwave in its initial report.

Now a new malware was delivered with the same mechanism, dubbed GoldenHelper, it was bundled in the Golden Tax Invoicing Software (Baiwang Edition), which Chinese banks require their clients to install.

The new malware is completely different from GoldenSpy, experts noticed that although it is called “Baiwang Edition”, GoldenHelper was digitally signed by NouNou Technologies, a subsidiary of Aisino Corporation.

“GoldenHelper malware utilizes sophisticated techniques to hide its delivery, presence, and activity. Some of the interesting techniques GoldenHelper uses include randomization of name whilst in transit, randomization of file system location, timestomping, IP-based DGA (Domain Generation Algorithm), UAC bypass and privilege escalation.” reads the analysis published by Trustwave.

“Our current telemetry shows that GoldenHelper is designed to drop a final payload, called taxver.exe. Trustwave SpiderLabs has not yet been able to obtain a copy of this file and is requesting assistance from our readers to contact us at goldenspy@trustwave.com if they have information on this file or a sample for us to analyze.”

Experts speculate GoldenHelper was active from January 2018 until July 2019. Then the same operator launched he GoldenSpy campaign in April 2020, and shut down the campaign in June 2020, after the publication of the Trustwave SpiderLabs report.

GoldenHelper interacts with the Golden Tax software throus the SKPC.DLL, which is launched by the sc.exe component of the tax software. 

Then the dll uses the WMISSSRV.DLL to escalate privileges, and a .DAT file with a random name to fetch and run arbitrary code with SYSTEM privileges.

RandomName.dat contacts the 3 hard-coded domains whose response is delivered in the format of an IP address, but each octet composing the IP address contains the hidden instructions for delivery of the final payload.

“Hidden within the IP address are instructions for where to download taxver.exe from, what to name it in transit, and where to save it on the victim file system. Each of the following domains will be resolved until one returns the expected IP address.” continues the analysis.

The malware attempt to download and execute taxver.exe, but researchers were not able to find a sample of the payload yet.

Researchers pointed out that legitimate software doesn’t bypass Windows protections to escalate privileges utilize UAC bypass, doesn’t randomize its location or hide its name, doesn’t lack version negotiation protocols, and doesn’t attempt to override DNS records.

Researchers published Indicators of Compromise (IoCs) for this threat.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, tax software)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

US Treasury sanctioned the firm Funnull Technology as major cyber scam facilitator

The U.S. sanctioned Funnull Technology and Liu Lizhi for aiding romance scams that caused major…

28 minutes ago

ConnectWise suffered a cyberattack carried out by a sophisticated nation state actor<gwmw style="display:none;"></gwmw><gwmw style="display:none;"></gwmw>

ConnectWise detected suspicious activity linked to a nation-state actor, impacting a small number of its…

3 hours ago

Victoria’s Secret ‘s website offline following a cyberattack

Victoria’s Secret took its website offline after a cyberattack, with experts warning of rising threats…

20 hours ago

China-linked APT41 used Google Calendar as C2 to control its TOUGHPROGRESS malware

Google says China-linked group APT41 controlled malware via Google Calendar to target governments through a…

24 hours ago

New AyySSHush botnet compromised over 9,000 ASUS routers, adding a persistent SSH backdoor.

GreyNoise researchers warn of a new AyySSHush botnet compromised over 9,000 ASUS routers, adding a…

1 day ago

Czech Republic accuses China’s APT31 of a cyberattack on its Foreign Ministry

The Czech government condemned China after linking cyber espionage group APT31 to a cyberattack on…

2 days ago