Trustwave specialists found that an unnamed Chinese bank forced at least two western companies to…
“GoldenSpy has SYSTEM level permissions, which allows remote attackers to connect to the company’s infected system, execute arbitrary commands, download and install other software”, — said Trustwave researchers.
Malware existed since 2016 and currently it is unclear how many organizations it could compromise.
Interestingly, Trustwave analysts were not able to understand how the backdoor got into the product of Aisino Corporation. Expert theories said that a backdoor could have been created by China’s “governmental” hackers; secretly added to the program by a dishonest bank employee; or developed by one of the engineers at Aisino Corporation.
Only three days after the publication of the Trustwave report, company analysts found that now Aisino Corporat secretly places the AWX.exe file on all infected systems. As it turned out, this file was created specifically to remove the GoldenSpy backdoor and all traces of compromise, including registry entries, files and malware folders.
After completing the “cleaning”, the uninstaller removes itself from the system.
At the same time, the backdoor quietly removed through the Windows command line interface without any permissions or notifications. The uninstaller itself is obfuscated and clearly seeks to avoid detection, like the original backdoor. Moreover, it removes GoldenSpy with strict following of the removal instructions, which Trustwave experts included in their report.
“During our test, the GoldenSpy uninstaller was automatically downloaded and executed, and effectively eliminated the direct GoldenSpy threat. However, since the deployment of this uninstaller is carried out directly from the supposedly legitimate tax software, Intelligent Tax users should be concerned about what else can be downloaded and performed in a similar way,” — say Trustwave experts.
Researchers write that, despite the unexpected removal of a backdoor, it should still be regarded as a threat, and everyone who works with Intelligent Tax needs to check their systems for compromise.
Recall that according to media reports, on tourists’ smartphones was installed spyware on the Chinese border.
Fyallusad.top is a domain that tries to force you into clik to its browser notifications…
News-xxataxe.cc is a site that tries to trick you into subscribing to its browser notifications…
News-bgejaka.info is a site that tries to force you into clik to its browser notifications…
Incoblaf.xyz is a site that tries to trick you into subscribing to its browser notifications…
News-bfezuri.xyz is a site that tries to force you into subscribing to its browser notifications…
News-bfofefu.live is a domain that tries to trick you into subscribing to its browser notifications…