author photo
By Clare O’Gara
Tue | Jul 28, 2020 | 10:42 AM PDT

Last month, SecureWorld News covered the curious case of two companies with Chinese operations, local taxes, and a secret digital backdoor.

"A Chinese bank forced two organizations, a UK-based technology and software vendor and a major financial institution, to download a software package in order to pay local taxes.

But the bank left out a critical detail about the software: it included malware."

Trustwave called the backdoor GoldenSpy, issuing a warning about the threat.

The companies received an uninstaller for the backdoor. But a few weeks later, Trustwave discovered another backdoor, this time named GoldenHelper.

Now, the U.S. Federal Bureau of Investigations is jumping on the concerns surrounding this Chinese malware whack-a-mole.

FBI issues new warning against Chinese tax software

In a recent FBI Flash alert, the FBI released a warning against secret backdoors in Chinese tax software.

The caution is particularly important if your company has offices in China and operates in one of these three industries:

  1. Healthcare
  2. Chemical
  3. Finance

The FBI identifies these groups are particularly at-risk, given China's previous tendencies toward the chemical and finance sectors paired with recent concerns about China's role in COVID-19 data theft.

According to the alert, this threat is believed to have existed since 2016, with several encounters since the June 2020 incident:

"In July 2018, an employee of a US pharmaceutical company with business interests in China downloaded the Baiwang Tax Control Invoicing software program from

Since at least March 2019, Baiwang released software updates which installed a driver automatically along with the main tax program. In April 2019, employees of the pharmaceutical company discovered that the software contained malware that created a backdoor on the company's network."

The FBI offers these mitigation strategies for at-risk companies:

  • Patch all systems for critical vulnerabilities, prioritizing timely patching of Internet-connected servers for known vulnerabilities and software processing Internet data, such as web browsers, browser plugins, and document readers.
  • Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
  • Strengthen credential requirements and implement multi-factor authentication to protect individual accounts, particularly for webmail and VPN access and for accounts that access critical systems. Change passwords and do not reuse passwords for multiple accounts.
  • Recommend developing a network baseline to allow for the identification of anomalous account activity. Identify and suspend access of users exhibiting unusual activity.
  • Network device management interfaces, such as Telnet, SSH, Winbox, and HTTP, should be turned off for WAN interfaces and secured with strong passwords and encryption when enabled.
  • Identify and suspend access of users exhibiting unusual activity.
  • When possible, segment critical information on air-gapped systems. Use strict access control measures for critical data.
  • Be mindful of new and existing cyber infrastructure for work and bioscience collaborations.

Geopolitics and cybersecurity

For more on nation-state threat actors, including geopolitics and cybersecurity, listen to our podcast episode with CNN military analyst and retired Air Force Colonel, Cedric Leighton:

[RELATED: 8 Steps Huawei Took to Steal IP from T-Mobile and Cover It Up]

Tags: Malware, China,