Chinese banks were asking their customers to install software that creates backdoors

A company operating in China was found to be sending system information to a suspicious Chinese domain. The security firm Trustwave SpiderLabs investigated and found that software the company's bank had required it to install created a backdoor on the system and stood ready to upload and execute arbitrary binaries. Trustwave SpiderLabs named this file 'GoldenSpy'.

The Golden Tax Department and the Emergence of GoldenSpy Malware | Trustwave

Chinese bank requires foreign firm to install app with covert backdoor | Ars Technica

The file was bundled with the tax software 'Intelligent Tax' made by Aisino, which a local bank asked a Trustwave customer company to install when the company started operations in China.

The file, which Trustwave named 'GoldenSpy', functions as the advertised tax software in general, but it also creates a backdoor into the system and stands ready to upload and run arbitrary binaries such as ransomware and Trojans.

According to the investigation, GoldenSpy is not downloaded at the same time as Intelligent Tax is installed; it is downloaded two hours after the Intelligent Tax installation process completes, and there is no notification that the download and installation have taken place. This delay makes it harder for victims to notice that GoldenSpy has been installed.

GoldenSpy also registers two identical copies of itself as auto-start services; if one is stopped, the other restarts it. In addition, a monitoring module re-downloads and runs a fresh copy if the file is deleted, making it very difficult to remove from an infected system. Naturally, uninstalling Intelligent Tax does not uninstall GoldenSpy.
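The two behaviours described above (a payload that appears roughly two hours after the legitimate installer finishes, and a pair of identical auto-start services that keep each other alive) are both things a defender can hunt for in a service inventory. The following is an added example, not code from Trustwave or from the article: a small Python heuristic run over a constructed list of Windows service records. All service names, paths, hashes and timestamps are hypothetical placeholders; the article gives none of them.

```python
"""Added detection heuristic (not Trustwave's or the article's code).

Flags two patterns the article attributes to GoldenSpy:
  1. auto-start services whose executables are byte-identical (same hash),
     i.e. a redundant watchdog pair that restarts each other;
  2. services created a while after a known installer finished, which is
     what a delayed, silent second-stage download looks like in an inventory.
Every service record below is constructed sample data with hypothetical
names, paths and hashes.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ServiceRecord:
    name: str
    image_path: str
    start_type: str          # "auto" | "manual" | "disabled"
    sha256: str              # hash of the service executable (placeholder values here)
    installed_at: datetime   # when the service registry key was created


def find_identical_autostart_pairs(services):
    """Group auto-start services by executable hash; return hash -> names for groups of 2+."""
    by_hash = defaultdict(list)
    for s in services:
        if s.start_type == "auto":
            by_hash[s.sha256].append(s.name)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) >= 2}


def find_delayed_installs(services, installer_finished,
                          min_delay=timedelta(hours=1), max_delay=timedelta(hours=6)):
    """Return names of services created in a window after a known installer finished.

    The window defaults to 1-6 hours, which covers the two-hour delay the
    article describes while ignoring services installed in the same session.
    """
    return sorted(
        s.name for s in services
        if min_delay <= s.installed_at - installer_finished <= max_delay
    )


# Constructed sample inventory. Names, paths, hashes and times are hypothetical.
INSTALLER_FINISHED = datetime(2020, 4, 1, 10, 0)
SAMPLE_SERVICES = [
    # the tax client itself, registered by the installer
    ServiceRecord("TaxClientSvc", r"C:\Program Files\TaxClient\svc.exe", "auto",
                  "aa" * 32, INSTALLER_FINISHED),
    # two services sharing one binary hash, created ~2 hours later
    ServiceRecord("UpdateHelperA", r"C:\ProgramData\upd\helper.exe", "auto",
                  "bb" * 32, INSTALLER_FINISHED + timedelta(hours=2)),
    ServiceRecord("UpdateHelperB", r"C:\ProgramData\upd\helper2.exe", "auto",
                  "bb" * 32, INSTALLER_FINISHED + timedelta(hours=2, minutes=1)),
    # an unrelated, long-standing OS service
    ServiceRecord("Spooler", r"C:\Windows\System32\spoolsv.exe", "auto",
                  "cc" * 32, datetime(2019, 1, 1)),
]


def report(services=SAMPLE_SERVICES, installer_finished=INSTALLER_FINISHED):
    """Combine both checks; a service matching both is the strongest signal."""
    pairs = find_identical_autostart_pairs(services)
    delayed = set(find_delayed_installs(services, installer_finished))
    paired_names = {n for names in pairs.values() for n in names}
    return {
        "identical_autostart_pairs": pairs,
        "delayed_installs": sorted(delayed),
        "both": sorted(paired_names & delayed),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On a real host the records would come from the service control manager and the executables' hashes, and the installer timestamp from the software's own install log; the heuristic is deliberately simple and will need tuning for legitimate redundant services.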

Trustwave has confirmed that its client company had GoldenSpy installed, but it is unclear whether that company was specifically targeted for access to critical data or whether all companies doing business in China are affected.

According to a Trustwave analyst, GoldenSpy's activity can be traced back to December 2016, but the first sign of the backdoor being used was this April 2020 case.

in Security, Posted by logc_nt