Friday, January 15, 06:57
Home security New GoldenHelper backdoor found in official Chinese software

New GoldenHelper backdoor found in official Chinese software

GoldenHelper backdoor

A new backdoor, with the name GoldenHelper backdoor, was discovered by its researchers Trustwave integrated in software Golden Tax Invoicing, part of its Golden Tax Project Chinese government. This software is used for issuing invoices and paying value added tax (VAT).

Last month, Trustwave SpiderLabs researchers found another backdoor, the GoldenSpy, hidden in the software Intelligent Tax, which the Companies they had to settle down to work with Chinese banks.

The new GoldenHelper backdoor is different from GoldenSpy, but uses a similar propagation method and is also used for acquisition access in the networks of international companies operating in China.

The GoldenHelper distribution campaign malware was active between January 2018 and July 2019. GoldenSpy's distribution campaign was launched in April 2020.

GoldenHelper backdoor

At present, there are only two official VAT invoicing software providers in China, the Aisino and Baiwang. The malicious GoldenHelper backdoor code was found in the Baiwang version of Golden Tax Invoicing Software, although Aisino is also involved.

GoldenHelper backdoor capabilities

“GoldenHelper malware uses sophisticated techniques to hide its tradition, presence and activity", Explained Trustwave.

Some of the interesting techniques used by GoldenHelper include timing, IP-based DGA (Domain Generation Algorithm), UAC bypass and the escalation of privileges etc ”.

Another feature is trying to get an executable using fake .gif, .jpg, .zip filenames.

The researchers also found that in some cases, Golden Tax software could be delivered to Companies as an autonomous system provided by bank (with the GoldenHelper backdoor built into the software).

The final payload of GoldenHelper backdoor it is one taxver.exe binary which is downloaded and executed with increased privileges (SYSTEM level) from many sites in the infected systems.

However, the researchers could not find a sample of this payload to analyze its behavior.

While campaign GoldenHelper is no longer active, the threat posed by this final payload remains.

How is Aisino related?

Trustwave found many links between GoldenSpy and GoldenHelper during the analysis of the two campaigns and found that Aisino Corporation played a central role.

The most important relationships between the two campaigns are:

  • A subsidiary of Aisino creates software related to Golden Tax.
  • The software uses specialized infrastructure and components (installer, uninstaller, update and main tax software). The components are installed and uninstalled upon request and approval of the user.
  •  Hidden malware is installed in parallel with legitimate software.
  • Hidden malware uses a separate command and control infrastructure from that used by legitimate software.
  • Hidden malware has the ability to remotely download and execute code with increased privileges.
  • Hidden malware uses techniques to hide its action.

The diagram below reveals the partnerships behind the two malware campaigns. The green boxes indicate the legal use of the software, the orange boxes the Aisino Corporation and its subsidiaries, the red boxes the backdoor network infrastructure and the blue boxes the background of the Chinese Golden Tax Project.

GoldenHelper backdoor

More details can be found at Trustwave report on GoldenHelper malware.


Please enter your comment!
Please enter your name here

Digital Fortress
Digital Fortress
Pursue Your Dreams & Live!



Why do scientists say AI hyperintelligence cannot be controlled?

AI artificial intelligence, which has come to overturn the data of humanity, has been the subject of debate for many decades. Now,...

iPhone vs Android: Which is best for you?

The battle between iPhone and Android will last forever. IOS (iPhone OS) and Android are the two ...

Owner of bitcoin exchange service arrested for money laundering

The owner of a Bulgarian bitcoin exchange service was sentenced to prison in the United States, for his involvement in fraud and providing ...

How to boot shortcuts from an Apple Watch Face

IPhone shortcuts help you automate tasks, no matter how simple or complex. But did you know that you can ...

The "New Pokémon Snap" is coming to the Nintendo Switch on April 30

Pokémon photographers better prepare, as "New Pokémon Snap" comes to the Nintendo Switch on April 30th. The release date ...

In 2020 the average price of a new car reached 33.000 euros

Among all that happened in 2020, car buyers and the car industry set another new record which we would not say ...

Qualcomm acquires NUVIA, faster processors are coming!

Qualcomm announced the acquisition of startup NUVIA. The deal is valued at $ 1,4 billion, Qualcomm said. The acquisition could ...

Telegram: 25 million new users in three days

Following the announcement of WhatsApp that it will share user data with Facebook, the encrypted Telegram messaging application saw an explosive ...

A huge flash scans the solar system after a powerful explosion!

The source of a huge flash that penetrated our solar system has been identified by scientists. The discovery of the flash will ...

The scientists analyzed the DNA of the anthropolytics

According to a new study published today in Nature, scientists have finally managed to analyze the DNA of antaroli - creatures ...