A new backdoor, named GoldenHelper, has been discovered by Trustwave researchers embedded in the Golden Tax Invoicing Software, part of the Chinese government's Golden Tax Project. The software is used to issue invoices and to pay value added tax (VAT).
Last month, Trustwave SpiderLabs researchers found another backdoor, GoldenSpy, hidden in the Intelligent Tax software that companies had to install in order to work with Chinese banks.
The GoldenHelper malware distribution campaign was active between January 2018 and July 2019. The GoldenSpy distribution campaign began in April 2020.
At present there are only two official VAT invoicing software providers in China, Aisino and Baiwang. The malicious GoldenHelper backdoor code was found in the Baiwang version of the Golden Tax Invoicing Software, although Aisino is also involved.
GoldenHelper backdoor capabilities
"GoldenHelper malware uses sophisticated techniques to hide its delivery, presence and activity," Trustwave explained.
"Some of the interesting techniques used by GoldenHelper include timing, IP-based DGA (Domain Generation Algorithm), UAC bypass and privilege escalation, etc."
Another feature is that it fetches an executable disguised under fake .gif, .jpg or .zip filenames, so the download looks like an image or archive rather than a program.
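As an added example (not code from the original article or from Trustwave's report), the following Python script implements the check a defender would run against that trick: it compares a file's claimed extension with its leading bytes and flags image or archive names that actually carry a Windows PE (`MZ`) header, or that match none of the expected signatures. The sample files it writes to a temporary directory are constructed for the demonstration and are not GoldenHelper artifacts.

```python
import os
import tempfile
from pathlib import Path

# Signatures of the formats the benign-looking extensions claim to be.
# Only the extensions the article names are in scope; others are ignored.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),
}
# Every Windows PE image (EXE/DLL) starts with the DOS "MZ" stub.
PE_MAGIC = b"MZ"


def classify(name: str, head: bytes) -> str:
    """Verdict for one file given its name and its first few bytes.

    'pe_disguised' : an image/archive extension hides a PE executable
    'mismatch'     : content matches none of the expected signatures
    'ok'           : signature matches, or extension is out of scope
    """
    ext = Path(name).suffix.lower().lstrip(".")
    ext = {"jpeg": "jpg"}.get(ext, ext)
    if ext not in MAGIC:
        return "ok"
    if head.startswith(PE_MAGIC):
        return "pe_disguised"
    if any(head.startswith(m) for m in MAGIC[ext]):
        return "ok"
    return "mismatch"


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Walk a directory tree and return (path, verdict) for suspicious files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                with open(p, "rb") as f:
                    head = f.read(8)  # longest signature above is 6 bytes
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            verdict = classify(fn, head)
            if verdict != "ok":
                hits.append((p, verdict))
    return sorted(hits)


def demo() -> list[tuple[str, str]]:
    """Build a constructed sample tree (not real malware) and scan it."""
    tmp = tempfile.mkdtemp()
    samples = {
        "logo.gif": b"GIF89a" + b"\x00" * 20,          # genuine GIF header
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,  # genuine JPEG header
        "update.zip": b"PK\x03\x04" + b"\x00" * 20,     # genuine ZIP header
        "banner.gif": b"MZ\x90\x00" + b"\x00" * 20,     # PE disguised as GIF
        "a.jpg": b"not really an image",                # wrong content, not PE
        "readme.txt": b"plain text, out of scope",      # extension not checked
    }
    for name, data in samples.items():
        Path(tmp, name).write_bytes(data)
    return [(os.path.basename(p), v) for p, v in scan_tree(tmp)]


if __name__ == "__main__":
    for path, verdict in demo():
        print(verdict, path)
```

Run against a real download or temp directory, the same `scan_tree` call surfaces files whose name says "image" but whose bytes say "program"; a `pe_disguised` hit is the one worth escalating, while `mismatch` is a weaker signal (truncated or unusual files also trigger it).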
The final payload of the GoldenHelper backdoor is a binary named taxver.exe, which is downloaded from several locations and executed with elevated (SYSTEM-level) privileges on infected systems.
However, the researchers were unable to obtain a sample of this payload to analyze its behavior.
Although the GoldenHelper campaign is no longer active, the threat posed by this final payload remains.
How is Aisino related?
Trustwave found many links between GoldenSpy and GoldenHelper while analyzing the two campaigns, and found that Aisino Corporation plays a central role in both.
The most important similarities between the two campaigns are:
- A subsidiary of Aisino creates software related to Golden Tax.
- The software uses specialized infrastructure and components (installer, uninstaller, updater and the main tax software). The components are installed and uninstalled at the user's request and with the user's approval.
- The hidden malware is installed alongside the legitimate software.
- The hidden malware uses command and control infrastructure separate from that used by the legitimate software.
- The hidden malware can remotely download and execute code with elevated privileges.
- The hidden malware uses techniques to conceal its activity.
The diagram below shows the relationships behind the two malware campaigns. Green boxes indicate legitimate use of the software, orange boxes Aisino Corporation and its subsidiaries, red boxes the backdoor network infrastructure, and blue boxes the background of the Chinese Golden Tax Project.
More details can be found in the Trustwave report on the GoldenHelper malware.