Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Find More Malware Delivered via Chinese Tax Software

Trustwave’s security researchers have discovered another malware family delivered through tax software that Chinese banks require companies doing business in the country to use.

Trustwave’s security researchers have discovered another malware family delivered through tax software that Chinese banks require companies doing business in the country to use.

The discovery comes only weeks after the security firm published information on GoldenSpy, a backdoor delivered via the Intelligent Tax application produced by the Golden Tax Department of Aisino Corporation. Within days after the initial report was published, an uninstaller was pushed to compromised machines, to completely remove GoldenSpy.

Dubbed GoldenHelper, the newly identified piece of malware is delivered through the Golden Tax Invoicing Software (Baiwang Edition), which Chinese banks require their clients to install in order to pay taxes.

The Golden Tax software, which is linked to Aisino, can install without user consent, can escalate privileges to SYSTEM, and can download and install payloads on the system. Trustwave discovered that the program is sometimes deployed as a “stand-alone system provided by the bank,” and that in some cases organizations were provided with a Windows 7 system with the Golden Tax software on it.

GoldenHelper uses the SKPC.DLL to interact with Golden Tax, the WMISSSRV.DLL to escalate privileges, and a .DAT file with a random name to fetch and run arbitrary code with SYSTEM privileges. The malware’s main goal is to download and run taxver.exe, but Trustwave was not able to find a sample of the payload yet (although the malware might continue to be active on compromised systems).

While they could not confirm that taxver.exe is indeed malicious, the security researchers point out that legitimate software doesn’t bypass Windows protections to escalate privileges, doesn’t randomize its location or hide its name, doesn’t attempt to override DNS records, and doesn’t lack version negotiation protocols either.

The GoldenHelper campaign likely ran between 2018 and mid-2019, but appears to be defunct at the moment. Detection rates of samples used in the campaign increased by mid-2019, likely forcing operators to close shop, and the command and control (C&C) domains used by the dropper expired in early 2020.

Thus, Trustwave believes that GoldenHelper was likely the predecessor of GoldenSpy, although it is a different piece of malware. The latter appears to have started operation in April 2020, and to have shut down in late June, following public exposure.

Advertisement. Scroll to continue reading.

“The GoldenHelper deployment mechanism may no longer be active, but we cannot say if the overall threat presented by taxver.exe is still operational, or not. The GoldenHelper campaign was directly followed by GoldenSpy, and […] we have no doubt that this threat will continue to evolve to a new methodology targeting businesses with operations in China,” Trustwave notes.

GoldenHelper and the tax software that drops it were produced by NouNou Technology, a subsidiary of Aisino, both owned by state company CASIC (China Aerospace Science & Industry Corporation Limited).

Related: ‘GoldenSpy’ Malware Uninstaller Delivered to Victims Following Public Exposure

Related: Attacker Installs Backdoor, Blocks Others From Exploiting Citrix ADC Vulnerability

Related: China-Linked Threat Actor Using New Backdoor

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...