
Chinese bank forced western companies to...

A Chinese bank has forced at least two western companies to install malware-laced tax software on their systems, cyber-security firm Trustwave said in a report published today.

The two companies are a UK-based technology/software vendor and a major financial institution, both of which had recently opened offices in China.

“Discussions with our client revealed that [the malware] was part of their bank’s required tax software,” Trustwave said today.

“They informed us that upon opening operations in China, their local Chinese bank required that they install a software package called Intelligent Tax produced by the Golden Tax Department of Aisino Corporation, for paying local taxes.”

The “GoldenSpy” backdoor

Trustwave, which was providing cyber-security services for the UK software vendor, said it identified the malware after observing suspicious network requests originating from its customer’s network.

In a report published today, Trustwave said it analyzed the bank’s tax software. Trustwave said the software worked as advertised, allowing its customer to pay local taxes, but that it also installed a hidden backdoor.

The security firm says this backdoor, which Trustwave codenamed GoldenSpy and said ran with SYSTEM-level access, allowed a remote attacker to connect to the infected system and run Windows commands, or upload and install other software.

But many types of software have remote-access features for debugging services. However, Trustwave said it also identified features that are more commonly found in malware and don’t have legitimate uses anywhere else. For example:

  • GoldenSpy installs two identical versions of itself, both as persistent autostart services. If either stops running, it will respawn its counterpart. Furthermore, it utilizes an exeprotector module that monitors for the deletion of either iteration of itself. If deleted, it will download and execute a new version. Effectively, this triple-layer protection makes it exceedingly difficult to remove this file from an infected system.
  • The Intelligent Tax software’s uninstall feature will not uninstall GoldenSpy. It leaves GoldenSpy running as an open backdoor into the environment, even after the tax software is fully removed.
  • GoldenSpy is not downloaded and installed until a full two hours after the tax software installation process is completed. When it finally downloads and installs, it does so silently, with no notification on the system. This long delay is highly unusual and a method to hide from the victim’s notice.
  • GoldenSpy does not contact the tax software’s network infrastructure (i-xinnuo[.]com), rather it reaches out to ningzhidata[.]com, a domain known to host other variations of GoldenSpy malware. After the first three attempts to contact its command and control server, it randomizes beacon times. This is a known method to avoid network security technologies designed to identify beaconing malware.
  • GoldenSpy operates with SYSTEM level privileges, making it highly dangerous and capable of executing any software on the system. This includes additional malware or Windows administrative tools to conduct reconnaissance, create new users, escalate privileges, etc.
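The beaconing behaviour in the list above (a few fixed-interval check-ins, then randomized timing) is exactly what simple "same gap every time" detectors miss. The following is an added example, not code from Trustwave or from the article, showing one way a defender can still surface such traffic from proxy logs: it measures how many leading gaps are regular and whether the gaps stay inside a bounded window even after jitter kicks in. Host names, timestamps and the log format are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines "<ISO time> <source> <destination>"; hosts and
# times are invented for this example, not indicators from the report.
SAMPLE_LOG = """\
2020-06-25T09:00:00 ws-17 svc.example-cdn.test
2020-06-25T09:00:07 ws-17 news.example.test
2020-06-25T09:05:00 ws-17 svc.example-cdn.test
2020-06-25T09:10:00 ws-17 svc.example-cdn.test
2020-06-25T09:15:00 ws-17 svc.example-cdn.test
2020-06-25T09:21:30 ws-17 svc.example-cdn.test
2020-06-25T09:25:10 ws-17 svc.example-cdn.test
2020-06-25T09:31:00 ws-17 svc.example-cdn.test
2020-06-25T09:43:00 ws-17 news.example.test
2020-06-25T10:30:00 ws-17 news.example.test
2020-06-25T10:30:05 ws-17 news.example.test
""".splitlines()

def parse_log(lines):
    """Group connection times (epoch seconds) by (source, destination)."""
    conns = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts).timestamp())
    return conns

def interval_profile(times, tolerance=0.25):
    """Return (regular_prefix, jitter_ratio): leading gaps matching the first
    gap within tolerance, and longest/shortest gap (bounded jitter keeps it small)."""
    deltas = [b - a for a, b in zip(times, times[1:])]
    if len(deltas) < 2 or min(deltas) <= 0:
        return 0, float("inf")
    regular = 0
    for d in deltas:
        if abs(d - deltas[0]) > tolerance * deltas[0]:
            break
        regular += 1
    return regular, max(deltas) / min(deltas)

def find_beacons(lines, min_conns=4, max_jitter=3.0):
    """Map (src, dst) -> (regular_prefix, jitter_ratio) for frequent, tightly timed pairs."""
    hits = {}
    for pair, times in parse_log(lines).items():
        if len(times) < min_conns:
            continue
        regular, jitter = interval_profile(sorted(times))
        if jitter <= max_jitter:
            hits[pair] = (regular, round(jitter, 2))
    return hits
```

On the sample log the check-in host is flagged with three regular leading gaps and a jitter ratio of 1.77, while the user's browsing to the news host (gaps from seconds to nearly an hour) is not.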

State hackers or malicious insider?

But despite spotting the hidden backdoor inside the Aisino Intelligent Tax Software, Trustwave wasn’t able to determine how it got there.

Trustwave said it wasn’t able to determine if the backdoor was developed by China’s government hackers, secretly added by one of the bank’s rogue employees, or created by someone at Aisino Corporation.

It was also unclear if Chinese intelligence might have forced the bank or the Aisino Corporation into adding the malware to their…
