The saying goes, “Once is chance, twice is a coincidence, and three times is a pattern.” But do we really need three times when the repetition is so clearly similar? Researchers at Trustwave have found spyware within the Golden Tax Invoicing system provided by Baiwang and have named the spyware Golden Helper. A Golden Tax Invoicing system is required to log invoices and expenses for accurate centralized Value Added Tax reporting. Baiwang is joined by Aisin as the only two providers of the Golden Tax Invoicing system. The Aisino version was found last month to have the Golden Spy which had several similar infection avenues but different capabilities.
The Golden Spy malware had several obfuscation and detection avoidance capabilities:
• a two hour delay in malware installation,
• two auto-start services for self-monitoring and restarting,
• persistence beyond the tax software itself,
• communication with domains that were not tax related, and
• running with system level privileges for remote code execution.
A malware uninstaller was pushed in an update by Aisino by the time Golden Helper became public. Golden Helper, is planted in the Baiwang edition of the Golden Tax Invoicing system. The malware, itself, is curiously signed by an Aisino subsidiary, NouNou Technology. Golden Helper takes extensive efforts to stay hidden. It obfuscates the files produced with randomly generated filenames and obfuscates metadata by randomly generating “creation” and “last write” timestamps. It masks executable payload as .gif, .jpg, and .zip files while in transit and uses the Victim’s IP to algorithmically randomize download locations and communicate those locations to command and control servers. It has no need for User permission to install and escalate to SYSTEM level privilege and can perform remote code execution as well. Golden Tax software may also be delivered to companies pre-installed in computers provided by their bank. This makes sense to offer up a tool to make business easier so that the customer doesn’t have to go through the trouble of installing the software. But unfortunately, it also comes bundled with Golden Helper. Trustwave researchers are still looking for samples of the final payload installed by GoldenHelper, named taxver.exe.
Sources:
• https//:bleepingcomputer.com/news/security/new-goldenhelper-malware-foundin-official-chinese-tax-software/