Three weeks ago, security researchers revealed a nasty piece of malware contained in tax software that the Chinese government requires companies to install. Now there is evidence that the high-spy campaign was preceded by a different piece of malware that used equally sophisticated methods to infect taxpayers in China.
GoldenHelper, according to researchers from the security company Trustwave called the malware, hidden in the Golden Tax Invoicing software, which all registered companies in China are authorized to use to pay added taxes amount. The malware is able to bypass User Account Control, a Windows mechanism that requires users to give their consent before software can install programs or make other system changes. Once that’s done, GoldenSpy can install modules with System-level privileges. Trustwave published its findings on Tuesday Here.
GoldenHelper uses other tricks to hide its malicious behavior and avoid detection from limited security programs and software. Tricks include:
- Randomly generated file names
- Randomly generated “created” and “last written” timestamps
- Try downloading executable files using fake file names with extensions like .gif, .jpg, and .zip
- Hard-coded intelligence that uses location data to control download locations, downloaded content, and where the content is placed
- Using an IP domain-based algorithm to change proxy server locations on the fly
In some cases, banks deploy the Golden Tax software as stand-alone systems. Trustwave says it discovered reports from several people who said they received computers running Windows 7 Home Edition that had ransomware—and the hidden GoldenHelper—preinstalled.
The discovery comes three weeks after Trustwave revealed GoldenSpy, a piece of advanced spyware industry researchers found on the network of a multinational technology company that recently opened offices in China. . Like GoldenHelper, GoldenSpy uses the same installation method as the Golden Spyware.
Trustwave said GoldenSpy was active from April to last month, when the campaign was suddenly shut down following a security firm report. GoldenHelper was active from January 2018 until July 2019, a finding that shows that tax software has been protected from malware for longer than previously known. GoldenHelper is a digital token using a Windows trust certificate issued to NouNou Technologies, a subsidiary of Aisino Corporation, the same company responsible for tax software with embedded GoldenSpy malware.
GoldenHelper hidden tax software is produced by a well-known company Baiwang. Baiwang and Aisino are the only two official providers of payment systems. The new discovery shows that GoldenSpy is not a one-off campaign, but rather one that uses at least one other piece of malware over a longer period of time than previously known.
It is not clear why GoldenHelper was closed unexpectedly. One charge is that its operators abandoned the project after attendance rates jumped, from about three in January 2019 to about 29 in March. Below is a timeline that tracks malware history:
Trustwave
Unlike the investigation into GoldenSpy, Trustwave researchers have not found samples of the payload installed by GoldenHelper. The file name is taxver.exe. Trustwave asks that anyone who can provide an example reach investigators at goldenspy@trustwave.com.