September 23, 2023

Chinese bank forced western companies to install malware-laced tax software
GoldenSpy backdoor trojan found in a Chinese bank’s official tax software, which the bank has been forcing western companies to install.

A Chinese bank has forced at least two western companies to install malware-laced tax software on their systems, cyber-security firm Trustwave said in a report published today.

The two companies are a UK-based technology/software vendor and a major financial institution, both of which had recently opened offices in China.

“They informed us that upon opening operations in China, their local Chinese bank required that they install a software package called Intelligent Tax produced by the Golden Tax Department of Aisino Corporation, for paying local taxes.”

The “GoldenSpy” backdoor
Trustwave, which was providing cyber-security services for the UK software vendor, said it identified the malware after observing suspicious network requests originating from its customer’s network.

This backdoor, which Trustwave named GoldenSpy and said ran with SYSTEM-level access, allowed a remote attacker to connect to the infected system and run Windows commands, or upload and install other software.

Many types of software have remote-access features for debugging or support purposes. However, Trustwave said it also identified features that are more commonly found in malware and have no legitimate use.

GoldenSpy installs two identical versions of itself, both as persistent autostart services. If either stops running, it will respawn its counterpart.

GoldenSpy operates with SYSTEM level privileges, making it highly dangerous and capable of executing any software on the system. This includes additional malware or Windows administrative tools to conduct reconnaissance, create new users, escalate privileges, etc.
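The persistence pattern described above (two autostart services backed by identical binaries, both running as SYSTEM) can be hunted for in a service inventory. The script below is an added example, not Trustwave’s code or anything from the report; the service names, paths and hashes in the sample inventory are constructed placeholders, not real indicators.

```python
"""Flag autostart Windows services that share an identical binary and run as SYSTEM,
the persistence pattern attributed to GoldenSpy in the text above."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceRecord:
    name: str        # service name
    image_path: str  # path of the service binary
    sha256: str      # hash of the binary on disk
    start_type: str  # "auto", "manual" or "disabled"
    account: str     # account the service runs as, e.g. "LocalSystem"


SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}


def find_paired_autostart_services(services, min_pair=2):
    """Group autostart SYSTEM services by binary hash and return the hashes that
    back at least `min_pair` distinctly named services, mapped to those names."""
    by_hash = defaultdict(set)
    for svc in services:
        if svc.start_type.lower() != "auto":
            continue  # only persistent autostart services matter here
        if svc.account.lower() not in SYSTEM_ACCOUNTS:
            continue  # only services with SYSTEM-level privileges
        by_hash[svc.sha256.lower()].add(svc.name)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) >= min_pair}


# Constructed sample inventory (hypothetical names, paths and placeholder hashes).
SAMPLE_SERVICES = [
    ServiceRecord("Spooler", r"C:\Windows\System32\spoolsv.exe", "PLACEHOLDER-HASH-A", "auto", "LocalSystem"),
    ServiceRecord("SvcOne", r"C:\ProgramData\example\svc.exe", "PLACEHOLDER-HASH-B", "auto", "LocalSystem"),
    ServiceRecord("SvcTwo", r"C:\ProgramData\example\svc_copy.exe", "PLACEHOLDER-HASH-B", "auto", "LocalSystem"),
    ServiceRecord("Updater", r"C:\Program Files\Vendor\upd.exe", "PLACEHOLDER-HASH-C", "manual", "LocalSystem"),
    ServiceRecord("UpdHelper", r"C:\Program Files\Vendor\helper.exe", "PLACEHOLDER-HASH-C", "auto", "NT AUTHORITY\\NetworkService"),
]

if __name__ == "__main__":
    for digest, names in find_paired_autostart_services(SAMPLE_SERVICES).items():
        print(f"suspicious pair: {names} share binary {digest}")
```

On a live host the records can be built from `Get-CimInstance Win32_Service` (name, PathName, StartMode, StartName) combined with `Get-FileHash` on each binary; a hit is a lead for investigation, since legitimate software occasionally ships two services from one executable.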

But despite spotting the hidden backdoor inside the Aisino Intelligent Tax Software, Trustwave wasn’t able to determine how it got there.

Trustwave said it wasn’t able to determine if the backdoor was developed by China’s government hackers, secretly added by one of the bank’s rogue employees, or created by someone at Aisino Corporation.

It was also unclear whether Chinese intelligence might have forced the bank or the Aisino Corporation into adding the malware to their official software in order to spy on foreign companies, or whether this was an incident in which hackers were purely interested in their own financial gain.

While some questions remain unanswered, Trustwave is sounding the alarm for any other company doing business in China that has installed the same software.

