Trustwave’s security researchers have discovered another malware family delivered through tax software that Chinese banks require companies doing business in the country to use.
The discovery comes only weeks after the security firm published information on GoldenSpy, a backdoor delivered via the Intelligent Tax application produced by the Golden Tax Department of Aisino Corporation. Within days after the initial report was published, an uninstaller was pushed to compromised machines, to completely remove GoldenSpy.
Dubbed GoldenHelper, the newly identified piece of malware is delivered through the Golden Tax Invoicing Software (Baiwang Edition), which Chinese banks require their clients to install in order to pay taxes.
The Golden Tax software, which is linked to Aisino, can install without user consent, can escalate privileges to SYSTEM, and can download and install payloads on the system. Trustwave discovered that the program is sometimes deployed as a “stand-alone system provided by the bank,” and that in some cases organizations were provided with a Windows 7 system with the Golden Tax software on it.
GoldenHelper uses the SKPC.DLL to interact with Golden Tax, the WMISSSRV.DLL to escalate privileges, and a .DAT file with a random name to fetch and run arbitrary code with SYSTEM privileges. The malware’s main goal is to download and run taxver.exe, but Trustwave was not able to find a sample of the payload yet (although the malware might continue to be active on compromised systems).
While they could not confirm that taxver.exe is indeed malicious, the security researchers point out that legitimate software doesn’t bypass Windows protections to escalate privileges, doesn’t randomize its location or hide its name, doesn’t attempt to override DNS records, and doesn’t lack version negotiation protocols either.
The GoldenHelper campaign likely ran between 2018 and mid-2019, but appears to be defunct at the moment. Detection rates of samples used in the campaign increased by mid-2019, likely forcing operators to close shop, and the command and control (C&C) domains used by the dropper expired in early 2020.
Thus, Trustwave believes that GoldenHelper was likely the predecessor of GoldenSpy, although it is a different piece of malware. The latter appears to have started operation in April 2020, and to have shut down in late June, following public exposure.
“The GoldenHelper deployment mechanism may no longer be active, but we cannot say if the overall threat presented by taxver.exe is still operational, or not. The GoldenHelper campaign was directly followed by GoldenSpy, and […] we have no doubt that this threat will continue to evolve to a new methodology targeting businesses with operations in China,” Trustwave notes.
GoldenHelper and the tax software that drops it were produced by NouNou Technology, a subsidiary of Aisino, both owned by state company CASIC (China Aerospace Science & Industry Corporation Limited).