Just two days ago I asked if there was proof that TikTok was stealing data. Well, this isn’t proof, but it surely indicts the Chinese government! NBC News reports that Trustwave has discovered that tax software mandated by the Chinese government is actually sophisticated spyware. The following excerpt is from the Trustwave Report Highlights:
“Trustwave SpiderLabs has identified a new threat targeting corporations conducting business in China. The victim company is required to install software that will enable payment of local taxes. However, a backdoor is hidden within the software package that provides full remote command and control of the victim system, enabling arbitrary remote execution of code, and a remote shell.
• Through the course of this investigation, we discovered several variations of this backdoor. The first version has a compilation timestamp in 2016 but it does not appear to have been analyzed or categorized prior to 2020. As a service to the security community, we are providing full malware analysis as part of this report and we have named this malware family “GoldenSpy”.
• The hidden GoldenSpy backdoor (svm.exe) is covertly downloaded two hours after the Aisino Intelligent tax software installation is completed. It calls out to a Chinese domain with a reputation of distributing variations of GoldenSpy. Svm.exe exfiltrates basic system information and continuously beacons to a remote server for “updates.” This “update” functionality enables remote execution of arbitrary code and provides remote command execution capability.
• Trustwave SpiderLabs believes that this threat became active in April of 2020, when the ningzhidata[.]com domain first delivered the current version of GoldenSpy. The domain was registered on 22 September 2019.
• Trustwave SpiderLabs was engaged for a threat hunt shortly after our client was compromised, enabling us to disrupt the potential attack early in the kill chain. For this reason, we were not able to gather sufficient TTPs to confidently attribute GoldenSpy to a specific threat actor group. Therefore, we will refrain from claiming attribution in this report.
• The full scope of this threat is currently unknown, but our client reported that installation of this software was required by their Chinese bank as a prerequisite to paying local Chinese taxes. We believe that all corporations with Chinese operations should investigate for presence of GoldenSpy and remediate if necessary.”
Those interested in viewing the report can access it here.
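As an added example (not part of the original post or of the Trustwave report), here is a small threat-hunting script that correlates the indicators quoted above over constructed endpoint telemetry: the svm.exe drop landing about two hours after the tax software installer ran, followed by repeated DNS queries to ningzhidata[.]com. The log format, the installer path substring, the 15-minute slack window and all timestamps are assumptions.

```python
from datetime import datetime, timedelta

# Indicators quoted in the Trustwave excerpt: the dropped binary, the domain
# it beacons to, and the roughly two-hour gap after the tax software install.
GOLDENSPY_BINARY = "svm.exe"
GOLDENSPY_DOMAIN = "ningzhidata.com"
EXPECTED_DELAY = timedelta(hours=2)
TAX_INSTALLER_HINT = "aisino"  # assumed substring of the installer path

# Constructed endpoint telemetry: "<ISO timestamp> <event kind> <detail>".
SAMPLE_LOG = """\
2020-04-10T09:00:00 PROCESS_START C:\\Temp\\aisino_tax_setup.exe
2020-04-10T09:15:00 DNS_QUERY ctldl.windowsupdate.com
2020-04-10T11:02:00 FILE_CREATE C:\\ProgramData\\svm.exe
2020-04-10T11:02:30 PROCESS_START C:\\ProgramData\\svm.exe
2020-04-10T11:03:00 DNS_QUERY www.ningzhidata.com
2020-04-10T11:33:00 DNS_QUERY www.ningzhidata.com
2020-04-10T12:03:00 DNS_QUERY www.ningzhidata.com
"""

def parse_log(text):
    """Split each line into (timestamp, event kind, detail)."""
    events = []
    for line in text.splitlines():
        ts, kind, detail = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), kind, detail))
    return events

def hunt_goldenspy(events):
    """Correlate the three behaviours from the excerpt into one finding."""
    finding = {"install_time": None, "binary_events": [], "delay_match": False,
               "beacon_count": 0, "first_beacon": None}
    for ts, kind, detail in events:
        low = detail.lower()
        if kind == "PROCESS_START" and TAX_INSTALLER_HINT in low:
            finding["install_time"] = ts
        elif low.endswith("\\" + GOLDENSPY_BINARY):
            finding["binary_events"].append((kind, ts))
            # Report: the drop lands ~2 hours after install; allow 15 min slack.
            if finding["install_time"] is not None:
                delay = ts - finding["install_time"]
                if abs(delay - EXPECTED_DELAY) <= timedelta(minutes=15):
                    finding["delay_match"] = True
        elif kind == "DNS_QUERY" and (low == GOLDENSPY_DOMAIN
                                      or low.endswith("." + GOLDENSPY_DOMAIN)):
            finding["beacon_count"] += 1  # repeated "update" beacons
            if finding["first_beacon"] is None:
                finding["first_beacon"] = ts
    finding["suspicious"] = bool(finding["binary_events"]) and finding["beacon_count"] > 0
    return finding

if __name__ == "__main__":
    for key, value in hunt_goldenspy(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On a real fleet the same correlation would run over EDR process and DNS telemetry rather than the constructed lines above; the install-to-drop delay is the signal that separates the covert download from ordinary software updates.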
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group