Saturday, October 24, 05:17
Home security New GoldenHelper backdoor found in official Chinese software

New GoldenHelper backdoor found in official Chinese software

GoldenHelper backdoor

A new backdoor, with the name GoldenHelper backdoor, was discovered by its researchers Trustwave integrated in software Golden Tax Invoicing, part of its Golden Tax Project Chinese government. This software is used for issuing invoices and paying value added tax (VAT).

Last month, Trustwave SpiderLabs researchers found another backdoor, the GoldenSpy, hidden in the software Intelligent Tax, which the Companies they had to settle down to work with Chinese banks.

The new GoldenHelper backdoor is different from GoldenSpy, but uses a similar propagation method and is also used for acquisition access in the networks of international companies operating in China.

The GoldenHelper distribution campaign malware was active between January 2018 and July 2019. GoldenSpy's distribution campaign was launched in April 2020.

GoldenHelper backdoor

At present, there are only two official VAT invoicing software providers in China, the Aisino and Baiwang. The malicious GoldenHelper backdoor code was found in the Baiwang version of Golden Tax Invoicing Software, although Aisino is also involved.

GoldenHelper backdoor capabilities

“GoldenHelper malware uses sophisticated techniques to hide its tradition, presence and activity", Explained Trustwave.

Some of the interesting techniques used by GoldenHelper include timing, IP-based DGA (Domain Generation Algorithm), UAC bypass and the escalation of privileges etc ”.

Another feature is trying to get an executable using fake .gif, .jpg, .zip filenames.

The researchers also found that in some cases, Golden Tax software could be delivered to Companies as an autonomous system provided by bank (with the GoldenHelper backdoor built into the software).

The final payload of GoldenHelper backdoor it is one taxver.exe binary which is downloaded and executed with increased privileges (SYSTEM level) from many sites in the infected systems.

However, the researchers could not find a sample of this payload to analyze its behavior.

While campaign GoldenHelper is no longer active, the threat posed by this final payload remains.

How is Aisino related?

Trustwave found many links between GoldenSpy and GoldenHelper during the analysis of the two campaigns and found that Aisino Corporation played a central role.

The most important relationships between the two campaigns are:

  • A subsidiary of Aisino creates software related to Golden Tax.
  • The software uses specialized infrastructure and components (installer, uninstaller, update and main tax software). The components are installed and uninstalled upon request and approval of the user.
  • Hidden malware is installed in parallel with legitimate software.
  • Hidden malware uses a separate command and control infrastructure from that used by legitimate software.
  • Hidden malware has the ability to remotely download and execute code with increased privileges.
  • Hidden malware uses techniques to hide its action.

The diagram below reveals the partnerships behind the two malware campaigns. The green boxes indicate the legal use of the software, the orange boxes the Aisino Corporation and its subsidiaries, the red boxes the backdoor network infrastructure and the blue boxes the background of the Chinese Golden Tax Project.

GoldenHelper backdoor

More details can be found at Trustwave report on GoldenHelper malware.


Please enter your comment!
Please enter your name here

Digital Fortress
Digital Fortress
Pursue Your Dreams & Live!


How to use Portrait Light on a Pixel phone

Lighting is undoubtedly the most important component for taking a good photo. If you have a Pixel phone, you can fix ...

DFAT: We apologize for the inconvenience to Australians

The contact details of at least 15 Australian citizens were included in the "Cc" field of an email. The Australian Minister of Foreign Affairs and Trade (DFAT), Marise ...

How to share your Apple Watch Face with others

One of the best things about owning an Apple Watch is the ability to customize your watch face in different colors ...

New York: Chenango County was attacked by ransomware

Chenango County officials had to find other solutions as none of its computers could be accessed ...

Watch the first videos of using Tesla's Full Self-Driving Beta

We see for the first time what it is and what the Full Self-Driving Beta software update of Tesla does, as some users who ...

The pharmaceutical company Shionogi & Co fell victim to data breach

The pharmaceutical company Shionogi & Co. based in Japan, announced on Thursday that its subsidiary in Taiwan, was hit by an online ...

A student goes to his closed school for WiFi because he does not have internet at home

A 9-year-old student who attends an elementary school in Roswell, New Mexico, goes to his closed elementary school to ...

Technology conferences / events 2021: When will they take place, where and in what form?

In recent months, our lives have changed a lot due to the coronavirus pandemic. Globally, thousands of cases are reported every day. A...

EU: Sanctions on Russian officers for hacking the German Parliament in 2015

The EU Council announced yesterday that sanctions were imposed on officers of the Russian military intelligence service belonging to the 85th main center ...

The biggest data breaches ever committed in the US

The COVID-19 pandemic has greatly changed the daily lives of people worldwide. But as more and more employees work from ...