Chinese developers secretly released uninstaller for GoldenSpy backdoor

Recently, we reported that Trustwave specialists found that an unnamed Chinese bank had forced Western companies to install official tax software containing a backdoor. It has now become known that Chinese developers have secretly released an uninstaller for that backdoor, which was named GoldenSpy.

The suspicious program is called Intelligent Tax, and it was developed by Aisino Corporation specifically for paying local taxes.

“GoldenSpy has SYSTEM-level permissions, which allows remote attackers to connect to the company’s infected system, execute arbitrary commands, and download and install other software,” said Trustwave researchers.

The malware has existed since 2016, and it is currently unclear how many organizations it may have compromised.

Interestingly, Trustwave analysts were not able to determine how the backdoor got into Aisino Corporation’s product. The experts’ theories were that the backdoor could have been created by China’s “governmental” hackers, secretly added to the program by a dishonest bank employee, or developed by one of the engineers at Aisino Corporation.

Only three days after the publication of the Trustwave report, Trustwave analysts found that Aisino Corporation was now secretly placing a file named AWX.exe on all infected systems. As it turned out, this file was created specifically to remove the GoldenSpy backdoor and all traces of the compromise, including registry entries, files and malware folders.

After completing the “cleaning”, the uninstaller removes itself from the system.

At the same time, the backdoor is quietly removed through the Windows command line interface without any permission prompts or notifications. The uninstaller itself is obfuscated and clearly seeks to avoid detection, just like the original backdoor. Moreover, it removes GoldenSpy by closely following the removal instructions that Trustwave experts included in their report.

“During our test, the GoldenSpy uninstaller was automatically downloaded and executed, and effectively eliminated the direct GoldenSpy threat. However, since the deployment of this uninstaller is carried out directly from the supposedly legitimate tax software, Intelligent Tax users should be concerned about what else can be downloaded and performed in a similar way,” say Trustwave experts.

The researchers write that, despite the unexpected removal of the backdoor, it should still be regarded as a threat, and everyone who works with Intelligent Tax needs to check their systems for signs of compromise.

Recall that, according to media reports, spyware was installed on tourists’ smartphones at the Chinese border.


About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
