Chinese developers secretly released uninstaller for GoldenSpy backdoor
Recently, we talked about how Trustwave specialists found that an unnamed Chinese bank forced Western companies to install official tax software containing a backdoor. It has now emerged that Chinese developers secretly released an uninstaller for the backdoor, which was called GoldenSpy. The suspicious program is called Intelligent Tax, and it was developed by Aisino Corporation specifically for paying local taxes.
“GoldenSpy has SYSTEM-level permissions, which allows remote attackers to connect to the company’s infected system, execute arbitrary commands, download and install other software,” said Trustwave researchers.
The malware has existed since 2016, and it is currently unclear how many organizations it could have compromised.
Interestingly, Trustwave analysts were not able to understand how the backdoor got into the product of Aisino Corporation. The experts' theories were that the backdoor could have been created by China’s “governmental” hackers, secretly added to the program by a dishonest bank employee, or developed by one of the engineers at Aisino Corporation.
Only three days after the publication of the Trustwave report, company analysts found that Aisino Corporation is now secretly placing the AWX.exe file on all infected systems. As it turned out, this file was created specifically to remove the GoldenSpy backdoor and all traces of compromise, including registry entries, files and malware folders.
After completing the “cleaning”, the uninstaller removes itself from the system.
At the same time, the backdoor is quietly removed through the Windows command-line interface without requesting permission or displaying notifications. The uninstaller itself is obfuscated and clearly seeks to avoid detection, like the original backdoor. Moreover, it removes GoldenSpy by strictly following the removal instructions that Trustwave experts included in their report.
“During our test, the GoldenSpy uninstaller was automatically downloaded and executed, and effectively eliminated the direct GoldenSpy threat. However, since the deployment of this uninstaller is carried out directly from the supposedly legitimate tax software, Intelligent Tax users should be concerned about what else can be downloaded and performed in a similar way,” say Trustwave experts.
Researchers write that, despite the unexpected removal of the backdoor, it should still be regarded as a threat, and everyone who works with Intelligent Tax needs to check their systems for compromise.
Recall that, according to media reports, spyware was installed on tourists’ smartphones at the Chinese border.