fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

The Golden Tax Department And The Emergence Of GoldenSpy Malware

The Golden Tax Department And The Emergence Of GoldenSpy Malware

Trustwave SpiderLabs has discovered a new malware family, dubbed GoldenSpy, embedded in tax payment software that a Chinese bank requires corporations to install to conduct business operations in China.

In April of 2020,  the Trustwave SpiderLabs Threat Fusion Team engaged a customer to conduct a Proactive Threat Hunt.  The company is a global technology vendor with significant government business in the US, Australia, UK, and recently opened offices in China.  Our threat hunt produced several key findings important to the long-term security of their network, however, one key finding stood out as potentially impacting countless other businesses who currently operate in China. A full analysis of our findings is available for download in this report.

Investigation Details

We identified an executable file displaying highly unusual behavior and sending system information to a suspicious Chinese domain. Discussions with our client revealed that this was part of their bank’s required tax software.  They informed us that upon opening operations in China, their local Chinese bank required that they install a software package called Intelligent Tax produced by the Golden Tax Department of Aisino Corporation, for paying local taxes.

As we continued our investigation into the tax software, we found that it worked as advertised, but it also installed a hidden backdoor on the system that enabled a remote adversary to execute Windows commands or to upload and execute any binary (to include ransomware, trojans, or other malware).  Basically, it was a wide-open door into the network with SYSTEM level privileges and connected to a command and control server completely separate from the tax software’s network infrastructure.  Based on this, and several other factors (described below) we determined this file to have sufficient characteristics to be malware. We’ve since fully reverse-engineered the files and named the family GoldenSpy.

GoldenSpy was digitally signed by a company called Chenkuo Network Technology and the signature used identical text for both the product and description fields; 认证软件版本升级服务 – which translates to “certified software version upgrade service”.  This name may sound like legitimate software,  however, in this situation the tax software already has its own updater service that functions well, and in a way completely unrelated to GoldenSpy.

There were several other unusual aspects of this file, to include:

  • GoldenSpy installs two identical versions of itself, both as persistent autostart services. If either stops running, it will respawn its counterpart.  Furthermore, it utilizes an exeprotector module that monitors for the deletion of either iteration of itself.  If deleted, it will download and execute a new version.  Effectively, this triple-layer protection makes it exceedingly difficult to remove this file from an infected system.
  • The Intelligent Tax software’s uninstall feature will not uninstall GoldenSpy. It leaves GoldenSpy running as an open backdoor into the environment, even after the tax software is fully removed.
  • GoldenSpy is not downloaded and installed until a full two hours after the tax software installation process is completed. When it finally downloads and installs, it does so silently, with no notification on the system. This long delay is highly unusual and a method to hide from the victim’s notice.
  • GoldenSpy does not contact the tax software’s network infrastructure (i-xinnuo[.]com), rather it reaches out to ningzhidata[.]com, a domain known to host other variations of GoldenSpy malware. After the first three attempts to contact its command and control server, it randomizes beacon times.  This is a known method to avoid network security technologies designed to identify beaconing malware.
  • GoldenSpy operates with SYSTEM level privileges, making it highly dangerous and capable of executing any software on the system. This includes additional malware or Windows administrative tools to conduct reconnaissance, create new users, escalate privileges, etc.

These factors have led us to the conclusion that GoldenSpy is a well-hidden and powerful backdoor that surrenders full remote command and control of the victim system to an unknown adversary.

The diagram below shows the network communication patterns of GoldenSpy installation via Intelligent Tax software.

Svmdiagram

The scope of this campaign is not currently known.  For our client, GoldenSpy was secretly embedded within the Aisino Intelligent tax software, but we cannot determine if this was targeted because of their access to vital data, or if this campaign impacts every company doing business in China.  We have identified similar activity at a global financial institution, but do not yet have further telemetry into this campaign.

Also read: How to Register Data Protection Officer (DPO) in ACRA Bizfile+

The current GoldenSpy campaign began in April of 2020, however, our cyber threat intel analysts have discovered variations of GoldenSpy that date back to December of 2016.  It is of interest that Chenkuo Technology’s website announced a partnership with Aisino in October of 2016, two months prior to the original emergence of the GoldenSpy malware family.  Their partnership is for “big data cooperation”.  GoldenSpy certainly could enable big data access and collection.  Trustwave SpiderLabs has no current knowledge if GoldenSpy was active in the wild since 2016, our first identification of usage was April 2020. To be clear, we do not yet know the scope, purpose, or actors behind the threat. We do not know whether Chenkuo Technology or Aisino are active and/or willing participants or the extent of their involvement other than what is presented in the report. 

Partnership

Recommendations

We believe that every corporation operating in China or using the Aisino Intelligent Tax Software should consider this incident a potential threat and should engage in threat hunting, containment, and remediation countermeasures, as outlined in our technical report (download link below).

Trustwave SpiderLabs is still actively investigating and seeking out more telemetry on the GoldenSpy campaign.  If you have any information about this activity or feel you may have been victimized by this attack, please reach out to the Trustwave SpiderLabs Threat Fusion Team at [email protected] 

We are available for advice, information exchange, or to engage threat hunting / forensic investigation services.

Aisino Corporation and Nanjing Chenkuo Network Technology were contacted and briefed on these findings, as part of Trustwave’s documented vulnerability disclosure process. At time of publication of this report, neither have responded.

Brian Hussey is Vice President of Cyber Threat Detection & Response at Trustwave.  He leads the SpiderLabs Threat Fusion and the Global Threat Operations Teams.  Trustwave’s Managed Detection & Response (MDR), Managed Detection (MD), Threat Hunting, Intel, and Investigation services fall under his purview.

Also read: Cost of GDPR Compliance for Singapore Companies

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us