A Chinese bank has forced at least two western companies to install malware-laced tax software on their systems, cyber-security firm Trustwave said in a report published today.
The two companies are a UK-based technology/software vendor and a major financial institution, both of which had recently opened offices in China.
"Discussions with our client revealed that [the malware] was part of their bank's required tax software," Trustwave said today.
"They informed us that upon opening operations in China, their local Chinese bank required that they install a software package called Intelligent Tax produced by the Golden Tax Department of Aisino Corporation, for paying local taxes."
The "GoldenSpy" backdoor
Trustwave, who was providing cyber-security services for the UK software vendor, said it identified the malware after observing suspicious network requests originating its customer's network.
In a report published today, Trustwave said it analyzed the bank's tax software. Turstwave said the software worked as advertised, allowing its customer to pay local taxes, but that it also installed a hidden backdoor.
The security firm says this backdoor, which Trustwave codenamed GoldenSpy and said it ran with SYSTEM-level access, allowed a remote attacker to connect to the infected system and run Windows commands, or upload and install other software.
But many types of software have remote-access features for debugging services. However, Trustwave said it also identified features that are more commonly found in malware and don't have legitimate uses anywhere else. For example:
- GoldenSpy installs two identical versions of itself, both as persistent autostart services. If either stops running, it will respawn its counterpart. Furthermore, it utilizes an exeprotector module that monitors for the deletion of either iteration of itself. If deleted, it will download and execute a new version. Effectively, this triple-layer protection makes it exceedingly difficult to remove this file from an infected system.
- The Intelligent Tax software's uninstall feature will not uninstall GoldenSpy. It leaves GoldenSpy running as an open backdoor into the environment, even after the tax software is fully removed.
- GoldenSpy is not downloaded and installed until a full two hours after the tax software installation process is completed. When it finally downloads and installs, it does so silently, with no notification on the system. This long delay is highly unusual and a method to hide from the victim's notice.
- GoldenSpy does not contact the tax software's network infrastructure (i-xinnuo[.]com), rather it reaches out to ningzhidata[.]com, a domain known to host other variations of GoldenSpy malware. After the first three attempts to contact its command and control server, it randomizes beacon times. This is a known method to avoid network security technologies designed to identify beaconing malware.
- GoldenSpy operates with SYSTEM level privileges, making it highly dangerous and capable of executing any software on the system. This includes additional malware or Windows administrative tools to conduct reconnaissance, create new users, escalate privileges, etc.
State hackers or malicious insider?
But despite spotting the hidden backdoor inside the Aisino Intelligent Tax Software, Trustwave wasn't able to determine how it got there.
Trustwave said it wasn't able to determine if the backdoor was developed by China's government hackers, secretly added by one of the bank's rogue employees, or created by someone at Aisino Corporation.
It was also unclear if Chinese intelligence might have forced the bank or the Aisino Corporation into adding the malware to their official software so they could spy on a foreign company, or if this was an incident where hackers were purely interested into their own financial gain.
But while some questions remain unanswered, in the meantime, Trustwave is sounding the alarm for any other company doing business in China that has installed the same software.
"We believe that every corporation operating in China or using the Aisino Intelligent Tax Software should consider this incident a potential threat and should engage in threat hunting, containment, and remediation countermeasures, as outlined in our technical report," Trustwave said.
Trustwave didn't name the bank. ZDNet has sent the Aisino Corporation a request for comment about Trustwave's findings and we'll update if the software vendor decides to reply.