Chinese bank forced western companies to install tax software with backdoor

Trustwave researchers found that an unnamed Chinese bank forced at least two Western companies to install official tax software containing the GoldenSpy backdoor. The names of the affected companies were not disclosed, but it is known that they were a financial institution and a software provider that had recently opened offices in China.

It all started when one of the clients turned to Trustwave for help, explaining that the Chinese bank had demanded that the company install Intelligent Tax, software developed by Aisino Corporation specifically for paying local taxes.

Recall that, according to media reports, spyware was installed on tourists’ smartphones at the Chinese border.

Trustwave experts found the backdoor in the tax program after noticing suspicious network requests coming from the client’s network. After analyzing the Chinese bank’s tax software, the researchers concluded that the program works as it should and really does allow paying local taxes, but at the same time it installs the hidden GoldenSpy backdoor on the client’s system.

“GoldenSpy has SYSTEM privileges, which allows remote attackers to connect to an infected system, execute commands, download and install other software,” Trustwave experts said.

Many programs have remote-access features that are commonly used for debugging, but Trustwave experts explain that this is not the case here: they found functionality that is normally seen only in malware and not in legitimate programs. GoldenSpy has the following features:

  • The backdoor writes two identical copies of itself to autorun. If one copy stops working, the other immediately restores it. In addition, the malware uses the exeprotector module, which watches for the removal of either of these “clones”; if one is deleted, the program downloads and executes a new copy of the malware. This three-layer protection makes it very difficult to remove the file from an infected system.
  • Uninstalling Intelligent Tax does not remove GoldenSpy from the system, which continues to function as a hidden backdoor.
  • GoldenSpy is not downloaded or installed within two hours after the installation of tax software is complete. When the backdoor installation finally happens, everything is done quietly, without any notifications.
  • GoldenSpy does not contact the tax software infrastructure (i-xinnuo[.]com), but refers to the domain ningzhidata[.]com, which was previously used to host other versions of the GoldenSpy malware.
  • After the first three attempts to establish a connection with the control server, the malware randomizes the time of the next attempt to “get in touch”. This is a well-known way of avoiding the attention of defense mechanisms.
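Two defender-side checks derived from the behaviours listed above, as an added example that is not from the article or from Trustwave’s report: grouping autorun entries whose launched binaries are byte-identical (the two self-restoring clones), and scanning proxy logs for contact with the ningzhidata[.]com domain. The host names, entry names, file contents, log lines and the 4443 port are constructed; only the two domains come from the article.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample of autorun entries: name -> bytes of the file the entry
# launches. In practice you would read the binaries referenced by the Run
# keys and installed services. Two entries point at byte-identical files.
SAMPLE_AUTORUNS = {
    "IntelligentTax": b"legit tax client v1",
    "svc_update_a": b"dropper payload",
    "svc_update_b": b"dropper payload",
    "OneDrive": b"sync client",
}

# Constructed proxy log lines; the port 4443 is made up for the example.
SAMPLE_PROXY_LOG = """\
2020-06-25T10:02:11Z host=FIN-WS07 dst=update.microsoft.com:443 bytes=5120
2020-06-25T12:15:40Z host=FIN-WS07 dst=ningzhidata.com:4443 bytes=812
2020-06-25T12:15:41Z host=FIN-WS07 dst=ningzhidata.com:4443 bytes=790
2020-06-25T13:04:02Z host=FIN-WS12 dst=i-xinnuo.com:443 bytes=2301
"""

def refang(indicator: str) -> str:
    """Turn a defanged 'ningzhidata[.]com' into 'ningzhidata.com'."""
    return indicator.replace("[.]", ".")

def duplicate_autorun_groups(entries: dict) -> list:
    """Group autorun entry names whose launched binaries hash identically.
    GoldenSpy's two self-restoring clones would show up as one such group."""
    by_hash = defaultdict(list)
    for name, blob in entries.items():
        by_hash[hashlib.sha256(blob).hexdigest()].append(name)
    return sorted(names for names in by_hash.values() if len(names) > 1)

LOG_RE = re.compile(r"host=(\S+) dst=([^:\s]+):(\d+)")

def hosts_contacting(log_text: str, indicators) -> dict:
    """Map each host to the (domain, port) pairs it reached that are on the
    watchlist. Ports are kept because a non-standard port on a known C2
    domain is worth a closer look during triage."""
    watch = {refang(i) for i in indicators}
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(2) in watch:
            hits[m.group(1)].add((m.group(2), int(m.group(3))))
    return {host: sorted(pairs) for host, pairs in hits.items()}

if __name__ == "__main__":
    print(duplicate_autorun_groups(SAMPLE_AUTORUNS))
    print(hosts_contacting(SAMPLE_PROXY_LOG, ["ningzhidata[.]com"]))
```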

Trustwave analysts have not been able to determine how the backdoor got into Aisino Corporation’s product. The experts’ theories are that the backdoor could have been created by “government” hackers in China, secretly added to the program by a dishonest bank employee, or created by one of Aisino Corporation’s own engineers.

“That is, it is not yet clear whether the Chinese intelligence services could have forced the bank or Aisino Corporation to add malware to the official tax software (to spy on foreign companies), or whether it was an accident and this is the work of ordinary hackers pursuing financial gain,” say Trustwave researchers.

Researchers are currently urging all Western companies operating in China that deal with Intelligent Tax to treat this incident as a potential threat, urgently check their systems for compromise and take the necessary measures.

By the way, we recently reported that information security experts suspect the Chinese company Xiaomi of spying on users.

About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
