Malware Hidden in Chinese Tax Software
Researchers: ‘GoldenHelper’ Backdoor Designed to Access Corporate Networks
Malware designed to provide backdoor access to corporate networks, gain administrative privileges and deliver additional payloads was hidden in tax software the Chinese government requires companies doing business in the nation to use, researchers at the security firm Trustwave report.
The backdoor, which the researchers dubbed “GoldenHelper,” was hidden in the Golden Tax Invoicing software, according to a Trustwave SpiderLabs report. The Chinese government requires all companies that are registered to conduct business in the nation – including foreign-owned firms – to use this software to pay value-added taxes.
The GoldenHelper backdoor appears to have been active between January 2018 and July 2019, according to the report. The command-and-control server associated with the malware expired in January, researchers say.
In June, Trustwave researchers published a report about a separate malware variant called GoldenSpy, which was found in Intelligent Tax software that China’s state-run banks require companies to use to help pay local taxes.
Although the GoldenHelper and GoldenSpy malware variants have their own unique features, the Trustwave researchers say they used similar delivery methods.
Only two companies, Aisino Corp. and Baiwang Co., distribute the official value-added tax invoicing software in China, the researchers note. The GoldenHelper backdoor was found in the Baiwang version of the Golden Tax Invoicing software.
“Although called ‘Baiwang Edition’, GoldenHelper was digitally signed by NouNou Technologies, a subsidiary of Aisino Corporation, the same company responsible for the Intelligent Tax software with embedded GoldenSpy malware,” according to the Trustwave report.
Trustwave analysts found that the GoldenHelper backdoor, which was deployed through the tax invoicing software, also was sometimes deployed through a stand-alone system that Chinese banks provided to companies to ensure that tax payments were made. Once the firms installed the Golden Tax Invoicing software, the malware used sophisticated techniques to hide its presence within an infected network, according to the report.
According to the report, GoldenHelper could escalate system privileges without a user’s permission, create randomly generated files as a layer of obfuscation, download an executable under fake filenames, hide the downloaded files, and use a domain generation algorithm (DGA) to connect with the command-and-control server.
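The report, as summarized above, says GoldenHelper reached its command-and-control server through a domain generation algorithm. The Trustwave write-up quoted here does not give the algorithm itself, so a defender cannot pre-compute its domains; what can be done is to watch DNS logs for the lexical signature that generated names tend to share (high character entropy, few vowels, embedded digits, long labels) and for one client repeating such lookups. The script below is an added illustration of that heuristic, not code from Trustwave or from the malware, and the log lines, domain names and client addresses in it are constructed placeholders rather than GoldenHelper indicators:

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log (timestamp, client IP, queried name). These lines
# are made up for this example and are not indicators from the Trustwave report.
SAMPLE_DNS_LOG = """\
2019-03-04T09:12:01Z 10.0.5.23 www.example.com
2019-03-04T09:12:03Z 10.0.5.23 updates.example.com
2019-03-04T09:12:07Z 10.0.5.41 xk3q9zt7b2m.example-placeholder.net
2019-03-04T09:12:09Z 10.0.5.41 qwpz8vnr4ls.example-placeholder.net
2019-03-04T09:12:15Z 10.0.5.41 zr7vkt2qxpn.example-placeholder.net
2019-03-04T09:13:02Z 10.0.5.23 mail.example.org
"""

# Assumed log layout: three whitespace-separated fields per line.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def dga_features(label: str) -> dict:
    """Cheap lexical features of a single hostname label.

    Thresholds are illustrative assumptions, not values from the report.
    """
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = (sum(ch in "aeiou" for ch in letters) / len(letters)) if letters else 0.0
    return {
        "high_entropy": shannon_entropy(label) >= 3.0,
        "few_vowels": vowel_ratio < 0.25,
        "has_digits": any(ch.isdigit() for ch in label),
        "long": len(label) >= 8,
    }


def looks_generated(hostname: str, min_hits: int = 3) -> bool:
    """True when the leftmost label trips at least `min_hits` features.

    Requiring three of four keeps short benign labels such as 'cdn1' or 'www'
    (which trip one or two features) from being flagged.
    """
    label = hostname.lower().rstrip(".").split(".")[0]
    return sum(dga_features(label).values()) >= min_hits


def analyze(log_text: str, min_hits: int = 3) -> dict:
    """Group generated-looking lookups by client IP.

    A single odd name is noise; one client repeatedly resolving such names is
    the pattern worth an analyst's attention.
    """
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        _timestamp, client, name = m.groups()
        if looks_generated(name, min_hits):
            flagged[client].append(name)
    return dict(flagged)


if __name__ == "__main__":
    for client, names in analyze(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups")
        for name in names:
            print("   ", name)
```

The heuristic is deliberately simple and will miss word-list DGAs and flag some legitimate CDN or tracking hostnames; in practice it is a triage filter to be combined with a public suffix list, an allow-list of known services, and the NXDOMAIN rate per client, which is usually the loudest DGA symptom since most generated names never resolve.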
In the final stage, the GoldenHelper malware downloaded a malicious payload called taxver.exe, which was designed to perform remote code execution within the infected network, the report notes.
“We have not yet been able to obtain a sample of taxver.exe, the final payload of the attack, and cannot confirm if it uses the same network infrastructure. So, the threat contained within the final payload of this attack may still be active,” according to the report.
The Companies Allegedly Involved
Although the GoldenHelper backdoor was found hidden in the Baiwang Edition of the Golden Tax Invoicing software, the Trustwave researchers note that they could not definitively link Baiwang to the malware.
The Trustwave team alleges that Aisino Corp. played a “central role” in both the GoldenHelper and GoldenSpy malware.
“The GoldenSpy report clearly shows how Aisino produced the ‘Intelligent Tax Software,’ but utilized a company called Nanjing Chenkuo Network Technology to produce the GoldenSpy malware,” the researchers note. “In the case of the Golden Tax Invoicing software (Baiwang Edition), NouNou Technology Ltd. produced both the legitimate tax software and the hidden GoldenHelper malware.”