Malware found in Chinese tax program may have been targeting Ministry of Defence

The new malware was discovered in tax software provided by a Chinese bank - Peter Byrne/PA

A US cyber security firm has discovered a new form of malware potentially targeting foreign companies operating in China, which has been embedded in compulsory tax software and installs a hidden backdoor to allow remote access to computer systems.

The malware, dubbed GoldenSpy, was discovered by Trustwave SpiderLabs while conducting a threat assessment of a global technology vendor with clients including the British, US and Australian defence ministries.

The investigating team believes that if it had remained undetected, the malware could have given hackers a first crucial step towards accessing sensitive data from government networks, presenting a long-term cyber security threat.

A report released by Trustwave SpiderLabs on Thursday outlines the details of the unique software, which it found after identifying an executable file displaying highly unusual behavior and sending system information to a suspicious Chinese domain.

The client revealed that the file was part of their bank’s required tax software that they had been asked to install when they set up operations in China in order to pay local taxes.

“As we dug deeper, we found there was a lot more to this tax software than our clients knew,” Brian Hussey, Trustwave’s vice president of cyber threat detection and response, and a former FBI investigator, told The Telegraph.

“You install this tax software and it works legitimately as it should, but two hours after the installation of the software - when you can assume the administrator has already left and is not paying attention - it silently installs a back door that gives full remote command and control,” he explained.

“It runs at the system level, meaning the highest privileged level you could possibly have. It gives a remote shell, in the sense that I can run Windows commands, create new users, do lateral movements, create new administrators, change passwords, network reconnaissance, execute other malware,” Mr Hussey added.

The investigating team discovered the malware was highly sophisticated and difficult to uninstall, with triple-layer protection.

GoldenSpy installs two identical versions of itself meaning that if either stops running, it will respawn its counterpart. It also uses an exeprotector module that downloads and executes a new version if either of the original two is deleted.
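A defender-side check for the respawning pair described above, added here as an example and not taken from Trustwave's report: given process-creation telemetry, it flags two distinct image paths that share a hash and have each spawned the other. The event fields, file paths and hashes are constructed for the example and are not indicators from the report.

```python
"""Flag the mutual-respawn 'watchdog pair' persistence pattern.

Each constructed record (Sysmon-style fields, invented for this example)
says which image started which process and the SHA-256 of the started
image.  Two different image paths with the same hash that have each spawned
the other behave as a watchdog pair: kill one and the other restarts it.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample telemetry; paths and hashes are placeholders, not IoCs.
EVENTS = [
    {"ts": "10:00:01", "parent": r"C:\Tax\taxclient.exe", "image": r"C:\Tax\svc_a.exe", "sha256": "aaa111"},
    {"ts": "10:00:02", "parent": r"C:\Tax\svc_a.exe", "image": r"C:\Windows\svc_b.exe", "sha256": "aaa111"},
    # svc_a was killed; its twin started it again from a different path
    {"ts": "10:05:00", "parent": r"C:\Windows\svc_b.exe", "image": r"C:\Tax\svc_a.exe", "sha256": "aaa111"},
    # Benign mutual spawn with different binaries: must not be flagged
    {"ts": "10:06:00", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\notepad.exe", "sha256": "ccc333"},
    {"ts": "10:07:00", "parent": r"C:\Windows\notepad.exe", "image": r"C:\Windows\explorer.exe", "sha256": "ddd444"},
]


def find_watchdog_pairs(events):
    """Return sorted (image_a, image_b) pairs that spawned each other and share a hash."""
    spawned = defaultdict(set)  # parent image path -> set of child image paths
    image_hash = {}             # image path -> last observed hash of that image
    for e in events:
        spawned[e["parent"]].add(e["image"])
        image_hash[e["image"]] = e["sha256"]

    pairs = []
    for a, b in combinations(sorted(image_hash), 2):
        mutual = b in spawned[a] and a in spawned[b]
        if mutual and image_hash[a] == image_hash[b]:
            pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    for a, b in find_watchdog_pairs(EVENTS):
        print(f"watchdog pair: {a} <-> {b}")
```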

Trustwave has identified similar activity at a global financial institution, but it is still investigating whether the unnamed technology vendor was targeted specifically with the intention of zeroing in on its defence ministry clients.

“It’s not like you would walk right in but it’s a long game with these threat actors and it would be giving them the first step into the network,” said Mr Hussey.

“Then they would have to be able to move laterally to own this network further and then based on their connections they would have to try to pivot into the Department or Ministry of Defence.”

Trustwave discovered various versions of the backdoor through its investigation but has appealed to other companies who may have been affected to contact them so that they can widen their investigation and determine the scope of the problem.

Their report does not identify who may be behind the malicious technology, citing a lack of evidence.

However, Mr Hussey, who worked for several years at the FBI identifying Chinese state-sponsored cyber threats, said the modus operandi of the malware fitted a familiar pattern of operating stealthily to gather intelligence.

“The Chinese cyber army is massive. They’ve got countless full-time operators and intelligence analysts working on hacking into the US, UK, any western country,” he said.

“Sometimes they are looking to government agencies for intelligence, sometimes they are looking at corporations for research and development to be first to market, sometimes they are just looking for a pivot point to get into their final destination but the army is massive and very active.”