By Clare O’Gara
Fri | Jun 26, 2020 | 12:00 PM PDT

A required tax software for some Western companies with Chinese offices comes with a free bonus: pre-installed malware.

Tax software package includes 'GoldenSpy' backdoor

Paying taxes is already an annoying experience for many. But imagine if the technology you trusted to track your tax liability posed a cybersecurity risk?

That's what happened to a number of Western companies establishing new offices in China, according to a report on the incident from TrustWave Spider Labs. The findings reveal two unsettling examples:

A Chinese bank forced two organizations, a UK-based technology and software vendor and a major financial institution, to download a software package in order to pay local taxes.

But the bank left out a critical detail about the software: it included malware. According to the report:

"A backdoor is hidden within the software package that provides full remote command and control of the victim system, enabling arbitrary remote execution of code, and a remote shell."

How does a secret backdoor like this work? Researchers explain:

"The hidden GoldenSpy backdoor (svm.exe) is covertly downloaded two hours after the Aisino Intelligent tax software installation is completed. It calls out to a Chinese domain with a reputation of distributing variations of GoldenSpy. Svm.exe exfiltrates basic system information and continuously beacons to a remote server for 'updates.' This 'update' functionality enables remote execution of arbitrary code and provides remote command execution capability."

While the exact scope of this threat remains unknown, TrustWave recommends that any user or company that thinks it could be affected go "threat hunting" for the malware on its devices, including by reviewing active network connections:

"If you confirm presence of this malicious code in your environment, follow your existing IR procedures to document and remediate the incident. Outside of the normal IR procedures there are some special considerations for this software.

Post incident response investigation, reimaging the system and starting from a known good state is preferable, however, if this action is not practical because of business criticality reasons, the malicious elements of the Golden tax software package can be manually removed."
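The threat-hunting step the researchers recommend comes down to two checks on each endpoint: is the svm.exe process present, and does it hold live network connections to hosts outside the organization? The script below is an added example, not code from the report or from TrustWave, showing one way to do that on Windows by correlating `tasklist` output with `netstat -ano` output by PID. The process name svm.exe comes from the report; the sample command output, the host names and the IP addresses are constructed for this example (documentation ranges from RFC 5737), and the internal-range list is an assumption about what counts as "inside" a typical corporate network.

```python
"""Correlate `tasklist` and `netstat -ano` output to find a named backdoor
process and any network connections it holds.

Added example: the process name svm.exe is taken from the GoldenSpy report;
everything else (sample output, addresses, the set of internal ranges) is
constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Process names worth hunting for; svm.exe is the name given in the report.
SUSPECT_PROCESSES = {"svm.exe"}

# Assumption: these ranges are "internal" for the purpose of this hunt.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",     # loopback, link-local, unspecified
    "::1/128", "::/128", "fe80::/10", "fc00::/7",     # IPv6 equivalents
)]

# Constructed sample of `tasklist` output (not captured from a real host).
SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
svchost.exe                    812 Services                   0     12,344 K
svm.exe                       4128 Console                    1      9,812 K
chrome.exe                    5210 Console                    1    210,556 K
"""

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.20:49812     203.0.113.10:443       ESTABLISHED     4128
  TCP    192.168.1.20:49901     198.51.100.7:443       ESTABLISHED     5210
  UDP    0.0.0.0:5353           *:*                                    5210
"""


def parse_tasklist(text):
    """Map PID -> lower-cased image name; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+\.exe)\s+(\d+)\s", line)
        if m:
            procs[int(m.group(2))] = m.group(1).lower()
    return procs


def parse_netstat(text):
    """Return a list of connection dicts from `netstat -ano` output (TCP and UDP rows)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            conns.append({"proto": "TCP", "local": parts[1], "remote": parts[2],
                          "state": parts[3], "pid": int(parts[4])})
        elif len(parts) == 4 and parts[0] == "UDP":
            conns.append({"proto": "UDP", "local": parts[1], "remote": parts[2],
                          "state": "", "pid": int(parts[3])})
    return conns


def is_external(endpoint):
    """True if an 'ip:port' endpoint points outside the INTERNAL_NETS ranges."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*', hostnames, or malformed fields
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def hunt(tasklist_text, netstat_text, suspects=SUSPECT_PROCESSES):
    """Report every suspect process, with one finding per connection it holds.

    A suspect process with no connections still yields a finding (remote=None),
    since the report says the backdoor only beacons periodically.
    """
    procs = parse_tasklist(tasklist_text)
    by_pid = defaultdict(list)
    for conn in parse_netstat(netstat_text):
        by_pid[conn["pid"]].append(conn)

    findings = []
    for pid, name in procs.items():
        if name not in suspects:
            continue
        conns = by_pid.get(pid, [])
        if not conns:
            findings.append({"pid": pid, "process": name, "remote": None,
                             "state": None, "external": False})
        for conn in conns:
            findings.append({"pid": pid, "process": name, "remote": conn["remote"],
                             "state": conn["state"], "external": is_external(conn["remote"])})
    return findings


if __name__ == "__main__":
    # Feed real `tasklist` / `netstat -ano` output here instead of the samples.
    for finding in hunt(SAMPLE_TASKLIST, SAMPLE_NETSTAT):
        print(finding)
```

Against the constructed sample the hunt reports a single finding: PID 4128 (svm.exe) with an established connection to an external address. Matching on process name alone is only a first pass; a hit should be followed by the IR steps the report describes, and a miss does not rule the backdoor out, since it is downloaded two hours after installation and only beacons periodically.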

TrustWave offers more details about mitigation in the complete report, which is available here.

Tags: Malware, China