In June, Trustwave reported the discovery of a dangerous new malware family dubbed GoldenSpy, hidden within tax payment software mandated by China Tax Bureau (CTB) for all businesses operating in the country.
This took an unexpected turn soon after Trustwave posted its findings and advice on how to defeat the unusually persistent malware. It quickly became apparent that the threat actors behind the malware had not only read Trustwave’s report, but then took swift action to reverse existing malware infections and attempt cover their tracks. In this Q&A, Brian Hussey, VP of cyber threat detection and response at Trustwave, discusses the ongoing game of cat and mouse between the security pros and threat actors.
First of all, what is GoldenSpy and how dangerous is it?
We first discovered GoldenSpy in April 2020 after the Trustwave SpiderLabs Threat Fusion team took on a proactive threat hunt on behalf of a global technology vendor. Among other findings, we detected an executable file that was sending system information to a suspicious Chinese domain. It soon became apparent that the activity came from Intelligent Tax Software tax payment program created by Aisino Corporation and mandated by CTB as part of the Golden Tax System.
Digging deeper, we discovered that the software worked as advertised, but also harbored a sophisticated piece of malware that established a backdoor for adversaries to remotely execute system commands. The threat actors on the other end would have free reign to exfiltrate data and install ransomware and other malware, making it a very dangerous piece of software.
Using officially mandated tax software as a cover is also an extremely effective and devious attack method. All organizations wishing to do business in China will need to download a copy of this software to file their taxes. However, its most outstanding trait was perhaps its ability to defend from removal.
What made GoldenSpy so hard to remove?
GoldenSpy’s creators established extremely effective multi-layered defenses to ensure its persistence. First, the malware always installed two versions of itself, both of which automatically execute on start-up. The two copies watch each other’s backs – if one stops running, the other re-spawns it. Likewise, if a copy is deleted, its counterpart will re-install a replacement.
The fact that GoldenSpy is hidden within fully functional tax software means that most IT admins will not think twice about granting it the elevated permissions it requests and will be unlikely to spot anything amiss without proactive threat hunting. Further, even if the original tax software is deleted, GoldenSpy will remain and keep the back door open. GoldenSpy’s defenses are some of the most effective we’ve ever seen, rendering it functionally immortal without the help of experienced security personnel.
How did the threat actors react to your discovery?
As remarkable as GoldenSpy’s defensive setup is, things became more extraordinary once we published our findings on the 25th June. Three days later our Threat Fusion team identified a new file being downloaded by the Aisino Intelligent Tax Software. But rather than being some new malicious attack tool, the update was solely focused on eradicating any trace of GoldenSpy. And it worked like a charm – the malware effectively vanished into thin air, even with our trained eyes knowing what to look for. The uninstaller removed all registry entries, files and folders relating to GoldenSpy, before deleting itself for good measure. Notably, these deletions are carried out without the need to ask permission or give any kind of notification.
A final twist occurred when we published our discovery of this deletion activity. Within a few short hours, they issued a new and improved uninstaller that was specifically designed to evade the detection methods we laid out.
It should be noted that we did not detect any malicious activity from GoldenSpy in the short timeframe between its detection and deletion, so it is possible that it was not intended for cyber crime. However, the hasty and covert nature of the deletion is extremely suspicious.
How unusual is it for threat actors to react so quickly to threat reports?
Very unusual. Cyber security has always been a game of cat and mouse, with the attackers and defenders constantly trying to out maneuverer each other and thwart the other side’s latest move. But in most cases, this is a scenario that plays out over a long timeframe. When security analysts publish new findings and defense advice, we usually expect threat actors to act on it over a few weeks or months. In all my years leading proactive threat hunts, I have never seen an adversary respond almost in real time to our blogs.
How did it feel to know you had the criminals on the run?
Very satisfying! It’s always very rewarding when our threat hunting work uncovers and defeats such an advanced adversary to protect organizations. Seeing the reaction in real time is really something else.
At the same time, you almost have to feel sorry for them. GoldenSpy was the culmination of a great deal of work stretching back a year or more – we determined domains used with the malware were registered in 2019, for example. All that work creating such a sophisticated piece of malware with such powerful defenses, and our team discovered it and outed it just a few weeks into the campaign. Putting myself in their shoes, I’d be pretty upset.
Is this the last of GoldenSpy?
I’d love to say that such a sound defeat inspired the threat actors to leave their lives of crime and turn their considerable skills to legitimate programming. But realistically, although this iteration of GoldenSpy is dead in the water we can certainly expect to see more malware from the individuals.
Reinforcing this, we have more recently discovered evidence that points to the group behind GoldenSpy being even more organized and well resourced. After publishing our findings on GoldenSpy, we uncovered a predecessor we dubbed GoldenHelper. This older malware uses a near identical delivery method, hiding within Golden Tax Invoicing Software (Baiwang Edition) – another piece of tax software produced by a subsidiary of Aisino, the developer of GoldenSpy’s hiding place.
This malware itself is actually an entirely different code base to GoldenSpy and is equipped with cunning defenses including the randomization of the file system location and file names while in transit, as well as the use of timestomping to alter timestamps. Despite these differences, the extremely similar modus operandi leads us to believe the same creators are behind it.
While we don’t yet have a clear picture of the perpetrators, the signs point to a very skilled and experienced group. All organizations doing business in China should prepare for future attacks attempting to exploit the Golden Tax System.
This puts businesses between a rock and hard place, as they must download the mandated software to comply with the tax payment system – and only two companies are licensed to produce compliant tax software. Those organizations with no choice but to install the software should take precautions to identify any covert threats along the lines of GoldenSpy and GoldenHelper. Undertaking a proactive threat hunt is one of the most effective ways of detecting the subtle signs that one of these well-hidden pieces of malware is at work.
Brian Hussey, VP of cyber threat detection and response, Trustwave