The malware is spread through mandatory tax payment applications.
Cybercriminals distribute the recently discovered GoldenSpy malware through infected tax-payment applications that some companies in China are required to install. The malicious operation began in April of this year; however, Trustwave specialists discovered GoldenSpy samples dated December 2016.
One of the victims of the new malicious operation was a certain international technology company, collaborating with the governments of Australia, Great Britain and the USA. GoldenSpy entered its network after the company opened a representative office in China and, at the request of local banks, installed a tax payment application developed by the Golden Tax Department of Aisino Corporation.
Although the application worked as expected, it also installed a hidden backdoor on the system, allowing attackers to remotely execute Windows commands, as well as download and run files.
“In fact, it was a wide-open network door with privileges at the SYSTEM level, connected to a command and control server separate from the tax software infrastructure,” said Trustwave Cyber Threat Detection & Response Vice President Brian Hussey.
The malware was signed by Chenkuo Network Technology and works completely independently of the tax payment software, so it remains on the system even after the application is uninstalled. The malware is installed on the attacked system two hours after the tax payment software is installed, in two identical copies at once, each in the form of a persistent startup service. Persistence on the system is ensured by the exeprotector module.
“GoldenSpy works with system-level privileges, which makes it very dangerous and able to execute any code on the system, including additional malicious programs or Windows administration tools to collect data, create new user accounts, increase privileges, etc.,” say Trustwave experts.
Specialists could not determine the scale of the GoldenSpy malware campaign. It is also not established whether the theft of data was the purpose of the cyber attack and how many more companies doing business in China were victims of GoldenSpy.
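The persistence behaviour described above (two identical auto-start services running as SYSTEM, signed by a publisher unrelated to the tax software, surviving the application's uninstall) is the kind of thing a defender can hunt for on a Windows host. The script below is an added example written for this post; it is not from the article or from Trustwave, and it assumes an elevated PowerShell 5.1+ session, that Authenticode signatures and the System event log are readable, and that the `$approvedSigners` list is a placeholder to be replaced with the organisation's own approved publishers.

```powershell
# Added example (not from the article or Trustwave): hunt for auto-start services that
# share a byte-identical binary, report each binary's Authenticode signer, and list
# recent service installations from the System log. Run in an elevated prompt.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # A service ImagePath may be quoted and may carry arguments after the executable.
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

# Collect every auto-start service with its binary hash and code-signing details.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
    ForEach-Object {
        $exe    = Get-ServiceBinaryPath $_.PathName
        $hash   = $null
        $signer = 'unknown'
        $status = 'NotSigned'
        if (Test-Path -LiteralPath $exe) {
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $exe
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $exe
            RunsAs    = $_.StartName
            Sha256    = $hash
            Signer    = $signer
            SigStatus = $status
        }
    }

# 1. Pairs of auto-start services whose binaries are identical: the "two identical
#    copies" persistence pattern, where one copy can restore the other if removed.
$services | Where-Object Sha256 | Group-Object Sha256 | Where-Object Count -gt 1 |
    ForEach-Object {
        Write-Host "Duplicate auto-start binary, SHA256 $($_.Name):"
        $_.Group | Format-Table Name, Path, RunsAs, Signer, SigStatus -AutoSize
    }

# 2. Auto-start services running as LocalSystem whose signer is not on the allow-list.
#    PLACEHOLDER list: replace with the publishers your organisation actually approves.
$approvedSigners = @('CN=Microsoft Windows', 'CN=Microsoft Corporation')
$pattern = ($approvedSigners | ForEach-Object { [regex]::Escape($_) }) -join '|'
Write-Host "SYSTEM-level auto-start services with a signer outside the allow-list:"
$services |
    Where-Object { $_.RunsAs -eq 'LocalSystem' -and $_.Signer -notmatch $pattern } |
    Format-Table Name, Path, Signer, SigStatus -AutoSize

# 3. Services installed in the last 7 days (Service Control Manager event 7045), so a
#    service that appeared hours after a legitimate software install can be spotted.
Write-Host "Services installed in the last 7 days:"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045;
                                 StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0..2] -join ' | ' } } |
    Format-Table -AutoSize -Wrap
```

Cross-reference the three lists: a pair of identical SYSTEM services, signed by a publisher you do not recognise, installed shortly after an unrelated application, is worth isolating and investigating rather than simply deleting, since the article notes the copies re-establish each other.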