Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Find More Malware Delivered via Chinese Tax Software

Trustwave’s security researchers have discovered another malware family delivered through tax software that Chinese banks require companies doing business in the country to use.

Trustwave’s security researchers have discovered another malware family delivered through tax software that Chinese banks require companies doing business in the country to use.

The discovery comes only weeks after the security firm published information on GoldenSpy, a backdoor delivered via the Intelligent Tax application produced by the Golden Tax Department of Aisino Corporation. Within days after the initial report was published, an uninstaller was pushed to compromised machines, to completely remove GoldenSpy.

Dubbed GoldenHelper, the newly identified piece of malware is delivered through the Golden Tax Invoicing Software (Baiwang Edition), which Chinese banks require their clients to install in order to pay taxes.

The Golden Tax software, which is linked to Aisino, can install without user consent, can escalate privileges to SYSTEM, and can download and install payloads on the system. Trustwave discovered that the program is sometimes deployed as a “stand-alone system provided by the bank,” and that in some cases organizations were provided with a Windows 7 system with the Golden Tax software on it.

GoldenHelper uses the SKPC.DLL to interact with Golden Tax, the WMISSSRV.DLL to escalate privileges, and a .DAT file with a random name to fetch and run arbitrary code with SYSTEM privileges. The malware’s main goal is to download and run taxver.exe, but Trustwave was not able to find a sample of the payload yet (although the malware might continue to be active on compromised systems).

While they could not confirm that taxver.exe is indeed malicious, the security researchers point out that legitimate software doesn’t bypass Windows protections to escalate privileges, doesn’t randomize its location or hide its name, doesn’t attempt to override DNS records, and doesn’t lack version negotiation protocols either.

The GoldenHelper campaign likely ran between 2018 and mid-2019, but appears to be defunct at the moment. Detection rates of samples used in the campaign increased by mid-2019, likely forcing operators to close shop, and the command and control (C&C) domains used by the dropper expired in early 2020.

Thus, Trustwave believes that GoldenHelper was likely the predecessor of GoldenSpy, although it is a different piece of malware. The latter appears to have started operation in April 2020, and to have shut down in late June, following public exposure.

“The GoldenHelper deployment mechanism may no longer be active, but we cannot say if the overall threat presented by taxver.exe is still operational, or not. The GoldenHelper campaign was directly followed by GoldenSpy, and […] we have no doubt that this threat will continue to evolve to a new methodology targeting businesses with operations in China,” Trustwave notes.

GoldenHelper and the tax software that drops it were produced by NouNou Technology, a subsidiary of Aisino, both owned by state company CASIC (China Aerospace Science & Industry Corporation Limited).

Related: ‘GoldenSpy’ Malware Uninstaller Delivered to Victims Following Public Exposure

Related: Attacker Installs Backdoor, Blocks Others From Exploiting Citrix ADC Vulnerability

Related: China-Linked Threat Actor Using New Backdoor

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.