GoldenHelper, a new malware delivered via Chinese tax software

Security researchers discovered another malware family delivered through tax software that some businesses operating in China are required to install.

Security researchers at Trustwave have discovered another malware family delivered through tax software that Chinese banks require companies operating in the country to install.

At the end of June, the same team of experts spotted GoldenSpy, a new backdoor, that is being distributed embedded in tax payment software (the Aisino Intelligent tax software) that some businesses operating in China are required to install.

The campaign is active since at least April 2020, but experts found some samples that suggest the attacks begun at least December 2016.

A few days after the publishing of the report, an uninstaller was pushed to compromised machines, to completely remove GoldenSpy implementing the removal procedure suggested by Trustwave in its initial report.

Now a new malware was delivered with the same mechanism, dubbed GoldenHelper, it was bundled in the Golden Tax Invoicing Software (Baiwang Edition), which Chinese banks require their clients to install.

The new malware is completely different from GoldenSpy, experts noticed that although it is called “Baiwang Edition”, GoldenHelper was digitally signed by NouNou Technologies, a subsidiary of Aisino Corporation.

“GoldenHelper malware utilizes sophisticated techniques to hide its delivery, presence, and activity. Some of the interesting techniques GoldenHelper uses include randomization of name whilst in transit, randomization of file system location, timestomping, IP-based DGA (Domain Generation Algorithm), UAC bypass and privilege escalation.” reads the analysis published by Trustwave.

“Our current telemetry shows that GoldenHelper is designed to drop a final payload, called taxver.exe. Trustwave SpiderLabs has not yet been able to obtain a copy of this file and is requesting assistance from our readers to contact us at goldenspy@trustwave.com if they have information on this file or a sample for us to analyze.”

Experts speculate GoldenHelper was active from January 2018 until July 2019. Then the same operator launched he GoldenSpy campaign in April 2020, and shut down the campaign in June 2020, after the publication of the Trustwave SpiderLabs report.

GoldenHelper interacts with the Golden Tax software throus the SKPC.DLL, which is launched by the sc.exe component of the tax software. 

Then the dll uses the WMISSSRV.DLL to escalate privileges, and a .DAT file with a random name to fetch and run arbitrary code with SYSTEM privileges.

RandomName.dat contacts the 3 hard-coded domains whose response is delivered in the format of an IP address, but each octet composing the IP address contains the hidden instructions for delivery of the final payload.

“Hidden within the IP address are instructions for where to download taxver.exe from, what to name it in transit, and where to save it on the victim file system. Each of the following domains will be resolved until one returns the expected IP address.” continues the analysis.

The malware attempt to download and execute taxver.exe, but researchers were not able to find a sample of the payload yet.

Researchers pointed out that legitimate software doesn’t bypass Windows protections to escalate privileges utilize UAC bypass, doesn’t randomize its location or hide its name, doesn’t lack version negotiation protocols, and doesn’t attempt to override DNS records.

Researchers published Indicators of Compromise (IoCs) for this threat.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, tax software)

[adrotate banner=”5″]

[adrotate banner=”13″]