Friday, August 14, 23:01
Home security New GoldenHelper backdoor found in official Chinese software

New GoldenHelper backdoor found in official Chinese software

GoldenHelper backdoor

A new backdoor, with the name GoldenHelper backdoor, was discovered by its researchers Trustwave integrated in software Golden Tax Invoicing, part of its Golden Tax Project Chinese government. This software is used for issuing invoices and paying value added tax (VAT).

Last month, Trustwave SpiderLabs researchers found another backdoor, the GoldenSpy, hidden in the software Intelligent Tax, which the Companies they had to settle down to work with Chinese banks.

The new GoldenHelper backdoor is different from GoldenSpy, but uses a similar propagation method and is also used for acquisition access in the networks of international companies operating in China.

The GoldenHelper distribution campaign malware was active between January 2018 and July 2019. GoldenSpy's distribution campaign was launched in April 2020.

GoldenHelper backdoor

At present, there are only two official VAT invoicing software providers in China, the Aisino and Baiwang. The malicious GoldenHelper backdoor code was found in the Baiwang version of Golden Tax Invoicing Software, although Aisino is also involved.

GoldenHelper backdoor capabilities

“GoldenHelper malware uses sophisticated techniques to hide its tradition, presence and activity", Explained Trustwave.

Some of the interesting techniques used by GoldenHelper include timing, IP-based DGA (Domain Generation Algorithm), UAC bypass and the escalation of privileges etc ”.

Another feature is trying to get an executable using fake .gif, .jpg, .zip filenames.

The researchers also found that in some cases, Golden Tax software could be delivered to Companies as an autonomous system provided by bank (with the GoldenHelper backdoor built into the software).

The final payload of GoldenHelper backdoor it is one taxver.exe binary which is downloaded and executed with increased privileges (SYSTEM level) from many sites in the infected systems.

However, the researchers could not find a sample of this payload to analyze its behavior.

While campaign GoldenHelper is no longer active, the threat posed by this final payload remains.

How is Aisino related?

Trustwave found many links between GoldenSpy and GoldenHelper during the analysis of the two campaigns and found that Aisino Corporation played a central role.

The most important relationships between the two campaigns are:

  • A subsidiary of Aisino creates software related to Golden Tax.
  • The software uses specialized infrastructure and components (installer, uninstaller, update and main tax software). The components are installed and uninstalled upon request and approval of the user.
  • Hidden malware is installed in parallel with legitimate software.
  • Hidden malware uses a separate command and control infrastructure from that used by legitimate software.
  • Hidden malware has the ability to remotely download and execute code with increased privileges.
  • Hidden malware uses techniques to hide its action.

The diagram below reveals the partnerships behind the two malware campaigns. The green boxes indicate the legal use of the software, the orange boxes the Aisino Corporation and its subsidiaries, the red boxes the backdoor network infrastructure and the blue boxes the background of the Chinese Golden Tax Project.

GoldenHelper backdoor

More details can be found at Trustwave report on GoldenHelper malware.


Please enter your comment!
Please enter your name here

Digital Fortress
Digital Fortress
Pursue Your Dreams & Live!


Relax with these short horror and sci-fi movies!

Do you dream of other planets, other realities or other schedules? If you wish you could travel somewhere else you should see these little ...

6 ways your location can be traced through your iPhone!

Your iPhone can be configured to show your location in real time to anyone. Also indicates your location ...

How to delete your Spotify account?

Have you decided to stop using Spotify and want to close your account permanently? See how ...

Holidays, baths, public WiFi: Guess which one not to choose?

Holidays, baths, public WiFi: Guess which one not to choose? August is here and most are getting ready for their summer vacation ....

Cyber ​​Security Career: Why Choose It Now?

With unemployment being at very high levels due to the coronavirus and with companies trying to restructure companies ...

Get MIUI 12 "Focus Mode" on any Xiaomi device

Focus Mode is one of the best features of MIUI 12. This feature was first introduced in MIUI 11, but there are ...

The 20 best gaming consoles of all time

On the threshold of the new generation of consoles, such as the PlayStation 5 and the Xbox Series X, these are the most important and ...

Smart locks: Every home needs to have one!

Home security is a complex issue, but anything is safer than hiding a spare key in a very ...

LinkedIn: How do you record and display the pronunciation of your name?

Having a last name that almost no one pronounces correctly can sometimes be annoying. Thus, LinkedIn attempts ...

Cyber ​​attacks: 5 steps to deal with security incidents

Every organization is prone to cyber attacks and, when it happens, there is a small line between rescuing your network security and ...