GoldenSpy backdoor installed by tax software gets remotely removed

Posted by & filed under Security Alerts.

As soon as security researchers uncovered the activity of GoldenSpy backdoor, the actor behind it fell back and delivered an uninstall tool to remove all traces of the malware.

GoldenSpy stayed hidden in software called Intelligent Tax, from Aisino Corporation, that a Chinese bank required its company customers to install for paying local taxes.

Double Taxation on Foreign Companies

Following an investigation into suspicious behavior on systems belonging to one of their clients, researchers at Trustwave SpiderLabs found that Intelligent Tax behaved in a way that is unrelated to the GoldenSpy component.

Although the actor and the purposes behind GoldenSpy remain unclear, the researchers say that the component has characteristics similar to a coordinated advanced persistent (APT) campaign that focuses on foreign companies operating in China.

The backdoor runs with the highest privileges on the system, allowing it to execute any software, legitimate or not. The activity observed consisted of exfiltrating basic system information and beaconing a remote server for updates.

The Aisino software has its own update mechanism and did not remove the backdoor from the system when uninstalled. Moreover, GoldenSpy was not installed with Intelligent Tax but downloaded and deployed silently two hours later.

Furthermore, two identical versions were installed as autostart services (“svm.exe” and “svmm.exe”) for persistence on the computer. Should any of them stop, its counterpart starts running.

It’s worth noting that svm.exe is signed with a certificate from a company named Chenkuo Network Technology and its description translates to “certified software version upgrade service.”

An announcement in October 2016 informs of a partnership between Chenkuo and Aisino for “big data cooperation,” the researchers found. They admit that GoldenSpy could enable big data access and collection but have no clue if Chenkuo is actively and willingly involved in this operation.

An exeprotector module keeps an eye on both copies and retrieves a new version if any of the two copies are deleted. This shows that removing GoldenSpy is far from an easy task.

Trustwave found that the backdoor uses a different network infrastructure than Aisino’s tax software. It gets updates from a domain (“ningzhidata[.]com” – registered on September 22, 2019) that hosts other GoldenSpy variations.

“After the first three attempts to contact its command and control server, it randomizes beacon times. This is a known method to avoid network security technologies designed to identify beaconing malware,” Trustwave said in its first report.

This behavior was observed on systems from a global technology vendor, one of Trustwave’s clients that had opened their business in China recently. The researchers say that a highly similar incident occurred at a major financial institution.

Clean-up Time

Three days after exposing GoldenSpy behavior, Trustwave noticed a new component downloaded by the Aisino Intelligent Tax software that completely removed all trace of the backdoor.

The uninstaller deleted registry entries, GoldenSpy files, folders, and log data and then removed itself from the system just as silently as during the initial malware installation (no permission, no notification).

“In our testing, this GoldenSpy uninstaller will automatically download and execute, and effectively, will negate the direct threat of GoldenSpy in your environment, however, as the deployment of this uninstaller is delivered directly from the supposedly legitimate tax software, this has to leave users of Intelligent Tax concerned about what else could be downloaded and executed in a similar manner” – Trustwave

The researchers note that from June 28 Intelligent Tax no longer delivered GoldenSpy to infected machines. It fetched from a customized uninstaller called “AWX.Exe.”

Trustwave believes that the threat became active in April 2020, although they found versions with a timestamp from 2016 that have not been analyzed until this year.

Trustwave’s research uncovered that Chenkuo Technology, whose certificate signed svm.exe, announced in October 2016 a partnership with Aisino for “big data cooperation.” The security experts admit that GoldenSpy could enable big data access and collection but have no clue if Chenkuo is actively and willingly involved in this operation.

Their report emphasizes that the discovery of GoldenSpy generated plenty of questions that have no answer at the moment.

“We do not yet know the scope, purpose, or actors behind the threat. Has it impacted hundreds of customers, or just a few? Is it designed to compromise networks and exfiltrate data or was it just a very, very poorly designed updater? Is this a Nation-State sponsored threat campaign, was it planted by a malicious insider at the software design company, or even by an unknown adversary external to the company?”

What is clear, is that GoldenSpy violates compliance requirements from most regulatory agencies, allowing remote adversary control of the system. In the worst-case scenario, GoldenSpy is an APT campaign aimed at companies operating in China.


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.