The GoldenSpy Trojan, a prominent remote access malware, has been found to be distributed through a legitimate Chinese tax application. The malicious code appears to be bundled inside the software and is installed as part of the required software installation.
Legitimate Chinese Tax Applications Used To Deploy the GoldenSpy Trojan
A newly detected malware known as the GoldenSpy Trojan is being delivered through a Chinese tax software bundle. The discovery was made on the company workstations of two technology and software vendors registered in the UK, along with a major financial institution (no name is given at this moment), all of which have recently opened their own offices in China. These companies reached out to a cybersecurity company as part of their setup operations, and during the audit suspicious code was found in their tax software.
Upon further investigation it was revealed that use of this program was required by the companies' Chinese banks. The companies stated that the software was part of the onboarding package issued by the bank when they opened their branches, and that the application is used to pay local taxes to the government. However, a deeper look showed that the suspicious code is in fact malware: the GoldenSpy Trojan.
GoldenSpy Trojan Activity: Hidden in Plain Sight
The GoldenSpy Trojan is described as a remote access Trojan which, upon being delivered to the target system, obtains SYSTEM-level privileges. This means that it is capable of launching local commands with administrative privileges, editing important settings and deploying other applications, including malware. Apart from the classic remote access features which allow the criminals to take over control of the infected hosts, it has some distinct features that are not found in other similar threats:
- The GoldenSpy Trojan installs two versions of itself and sets both to run when the computer boots. If one of them is stopped for some reason, the other takes over. The active Trojan instance also constantly protects its files from deletion: if one of the core malware files is removed from the system, a fresh copy is retrieved from a remote server.
- The backdoor code remains installed on the system even if the carrier tax software is uninstalled.
- The GoldenSpy Trojan is installed in a delayed manner. This is done to hide its presence from administrators and from security tools that rely on pattern-recognition checks to scan for viruses.
- The GoldenSpy Trojan does not contact the network infrastructure used by the tax software. Instead, it connects to infrastructure controlled by the malware operators, using a randomized beacon interval to evade network detection.
- The GoldenSpy Trojan has the ability to carry out extensive system changes. It can edit Windows Registry values, important configuration files and boot options in order to make the threat very difficult to identify.
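As an added example, not code from this article or from the researchers who analysed GoldenSpy, the following Python sketches two defender-side checks that follow from the behaviours listed above: flagging outbound connections that recur at a near-regular but jittered interval (the randomized beacon), and flagging autostart entries that run the same binary under two different names (the paired instances that watch over each other). The log lines, host names, entry names and hashes are constructed for the example and are not GoldenSpy indicators; the function names are the example's own.

```python
"""Defender-side checks modelled on the behaviours described above.
Added example, not code from the article; all sample data is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed outbound-connection log (not real telemetry).
# Format per line: "<ISO timestamp> <src_host> -> <dst_host>:<port>"
SAMPLE_CONN_LOG = """\
2020-06-01T09:00:00 ws-01 -> tax-portal.example:443
2020-06-01T09:00:03 ws-01 -> tax-portal.example:443
2020-06-01T09:02:00 ws-01 -> 203.0.113.10:9006
2020-06-01T09:03:50 ws-01 -> 203.0.113.10:9006
2020-06-01T09:05:55 ws-01 -> 203.0.113.10:9006
2020-06-01T09:07:48 ws-01 -> 203.0.113.10:9006
2020-06-01T09:10:02 ws-01 -> 203.0.113.10:9006
2020-06-01T09:12:01 ws-01 -> 203.0.113.10:9006
2020-06-01T09:41:10 ws-01 -> updates.example:443
2020-06-01T11:15:00 ws-01 -> updates.example:443
"""


def parse_conn_log(text):
    """Group connection timestamps by (source host, destination), sorted in time."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    for times in by_pair.values():
        times.sort()
    return by_pair


def find_beacons(text, min_events=5, max_cv=0.25):
    """Flag destinations contacted at a near-regular interval.

    A randomized beacon is not exactly periodic, so instead of searching for one
    fixed period we measure the coefficient of variation (stdev / mean) of the
    gaps between connections: a jittered beacon still clusters tightly around
    its mean gap, while interactive or update traffic is far more irregular.
    """
    hits = []
    for (src, dst), times in parse_conn_log(text).items():
        if len(times) < min_events:
            continue  # too few events to judge regularity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps)
        cv = pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "mean_interval_s": mean_gap, "cv": round(cv, 3)})
    return hits


# Constructed autostart inventory: (kind, entry name, image path, sha256).
# Names, paths and hashes are placeholders, not GoldenSpy indicators.
AUTOSTART_SAMPLE = [
    ("service", "HelperSvcA", r"C:\ProgramData\HelperA\helper.exe", "CONSTRUCTED-HASH-1"),
    ("service", "HelperSvcB", r"C:\ProgramData\HelperB\helper.exe", "CONSTRUCTED-HASH-1"),
    ("run-key", "Updater", r"C:\Program Files\Vendor\updater.exe", "CONSTRUCTED-HASH-2"),
    ("service", "EndpointAgent", r"C:\Program Files\EDR\agent.exe", "CONSTRUCTED-HASH-3"),
]


def find_duplicate_autostarts(entries):
    """Return hashes registered under two or more distinct boot-time entries.

    Two autostart entries that run the same binary from different locations is
    the footprint of the mutual-watchdog persistence described above.
    """
    by_hash = defaultdict(list)
    for kind, name, path, digest in entries:
        by_hash[digest].append((kind, name, path))
    return {h: v for h, v in by_hash.items() if len({p for _, _, p in v}) >= 2}


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONN_LOG):
        print("possible beacon:", hit)
    for digest, ents in find_duplicate_autostarts(AUTOSTART_SAMPLE).items():
        print("same binary under several autostart entries:", digest, ents)
```

On the constructed sample the six connections to 203.0.113.10 arrive roughly every two minutes with some seconds of jitter, giving a coefficient of variation well under 0.1, while the two portal and update connections are too few to score; the two helper services sharing one hash are reported as a single duplicate group. In production both thresholds should be tuned against the environment's baseline, and a hash-based autostart comparison only catches copies that are byte-identical.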
At this moment it is not known whether the GoldenSpy Trojan is the work of the state government or the banks, or whether hackers breached the software and inserted the malware code. We expect more information to be published soon as more vendors and companies are made aware. A request for comment has been sent to the financial institution found to be distributing the Trojan.