Trustwave specialists found that an unnamed Chinese bank forced at least two western companies to…
“GoldenSpy has SYSTEM-level privileges, which allows remote attackers to connect to an infected company system, execute arbitrary commands, and download and install other software. The malware has existed since 2016; its predecessor was the GoldenHelper malware, and it is unclear how many organizations could have been compromised by these two threats,” say Trustwave analysts.
Shortly after the publication of the original Trustwave report, the company’s analysts noticed that Aisino Corporation’s product was quietly dropping an AWX.exe file on all infected systems. As it turned out, this file was created specifically to remove the GoldenSpy backdoor and all traces of the compromise, including registry entries, files and malware folders. After completing the “cleanup”, the uninstaller deletes itself from the system.
Now, about a month and a half after this discovery, Trustwave experts report that five different GoldenSpy uninstallers (24 distinct files in total) have been found to date, some of which were uploaded to public repositories.
All uninstaller variants exhibit the same behavior, although some are executed in different ways and use different obfuscation.
Overall, the study of the uninstallers showed that, starting from the third version, every sample sent a unique ID to the ningzhidata[.]com domain, which allowed the operators to track the tool’s activity.
“The investigation also revealed that the uninstallers are using the IP address 39.98.110[.]234 to transmit ‘signals’, and the researchers associate this address with Ningbo Digital Technology, which allegedly offers technical support services to other companies and technology service providers,” says the Trustwave report.
In fact, the experts are confident that this company is involved in the development of the backdoor (or, at least, of the uninstaller for it).
On the Ningbo Digital Technology website, the researchers found two files: a GoldenSpy dropper (named iclient) and an uninstaller for GoldenSpy (named QdfTools). Ningbo Digital Technology offers the uninstaller as a useful tool for corporate environments.
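As an added illustration (not code from Trustwave or this article), the following Python script applies the indicators quoted above to a constructed key=value telemetry log, flagging hosts that beaconed to the ningzhidata[.]com domain or the 39.98.110[.]234 address, or that had the AWX.exe, iclient or QdfTools files written to disk; the log format and its field names are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the Trustwave findings above; "[.]" defanging removed so values match real log fields.
BEACON_DOMAINS = {"ningzhidata.com"}
BEACON_IPS = {"39.98.110.234"}
UNINSTALLER_FILES = {"awx.exe"}       # self-deleting uninstaller dropped by the Aisino client
TOOL_STEMS = {"iclient", "qdftools"}  # dropper / uninstaller names hosted on the Ningbo site
# Constructed sample telemetry (not real data), one "timestamp key=value ..." record per line;
# the field names (host, kind, dst_ip, sni, path) are an assumption of this example.
SAMPLE_LOG = """\
2020-08-05T10:15:22Z host=WS-042 kind=net dst_ip=39.98.110.234 sni=ningzhidata.com
2020-08-05T10:15:40Z host=WS-042 kind=file path=C:\\Windows\\Temp\\AWX.exe
2020-08-05T10:16:01Z host=WS-017 kind=net dst_ip=203.0.113.10 sni=updates.example.net
2020-08-05T10:17:13Z host=WS-017 kind=file path=C:\\Users\\acct\\Downloads\\QdfTools.exe
2020-08-05T10:18:55Z host=WS-101 kind=net dst_ip=39.98.110.234 sni=
"""
KV = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Drop the timestamp and return the key=value fields as a dict."""
    return dict(KV.findall(line.partition(" ")[2]))

def match_record(rec):
    """Return the indicator(s) this record matches, or an empty list."""
    reasons = []
    if rec.get("kind") == "net":
        if rec.get("sni", "").lower() in BEACON_DOMAINS:
            reasons.append("beacon domain " + rec["sni"])
        if rec.get("dst_ip") in BEACON_IPS:
            reasons.append("beacon IP " + rec["dst_ip"])
    elif rec.get("kind") == "file":
        name = PureWindowsPath(rec.get("path", "")).name.lower()
        if name in UNINSTALLER_FILES:
            reasons.append("uninstaller binary " + name)
        elif PureWindowsPath(name).stem in TOOL_STEMS:
            reasons.append("Ningbo tool name " + name)
    return reasons

def scan(log_text):
    """Group hits per host; a beacon plus an on-disk artifact on one host rates high."""
    hits = {}
    for rec in map(parse_line, log_text.splitlines()):
        for reason in match_record(rec):
            hits.setdefault(rec.get("host", "?"), []).append(reason)
    findings = {}
    for host, reasons in hits.items():
        net = any(r.startswith("beacon") for r in reasons)
        disk = any(not r.startswith("beacon") for r in reasons)
        findings[host] = {"severity": "high" if net and disk else "medium", "reasons": reasons}
    return findings
```

Running `scan(SAMPLE_LOG)` rates WS-042 high (beacon plus AWX.exe on disk) and WS-017 and WS-101 medium, each on a single indicator.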