The company issued a second blog post on 30 June — which has not gained as much publicity as the first did — saying that it had now found a new file being downloaded by the Aisino Intelligent Tax product which deleted the GoldenSpy malware.
In the initial report, Trustwave researcher Brian Hussey said the behaviour of an executable file that had been found in April had raised the suspicions of the research team. The executable was said to exhibit unusual behaviour and send system information to what Hussey described as a "suspicious Chinese domain," which was known to host other Windows malware.
Trustwave's client, a global technology vendor, had told the research firm this was part of the software that their bank in China required them to install. On opening operations in China, their local bank had asked them to install software known as Intelligent Tax made by the Golden Tax Department of Aisino Corporation in order to pay their local taxes.
"Including the deletion of registry entries, all files and folders (including the GoldenSpy log file), and finally, the uninstaller deletes itself with the following command: cmd.exe /c del /q C:\Users\admin\AppData\Local\Temp\AWX.exe. Note the “/c” which will terminate the Windows Command-line interface after the operation is completed and “/d” which will delete without asking permission or giving any notification. Gone without a trace, or even knowing it was there."
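As an added, defender-side example (not code from Trustwave's post or the uninstaller itself), the following Python hunt flags the self-deletion pattern in the quoted command: a child `cmd.exe /c del` whose target is the parent process's own image, with the `/q` switch noted separately. The event records and their field names are constructed for illustration and assume process-creation telemetry with parent image and command line.

```python
import shlex
from pathlib import PureWindowsPath

# Constructed sample of process-creation events (parent image + child command line),
# shaped like an EDR or Sysmon "process create" record. Not real telemetry.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Users\admin\AppData\Local\Temp\AWX.exe",
     "command_line": r"cmd.exe /c del /q C:\Users\admin\AppData\Local\Temp\AWX.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /c del /q C:\Users\admin\Downloads\old.log"},
    {"parent_image": r"C:\Program Files\Tool\tool.exe",
     "command_line": r"cmd.exe /c dir C:\Users\admin"},
]


def _norm(path):
    """Case-fold and normalise a Windows path so two spellings compare equal."""
    return str(PureWindowsPath(path.strip('"'))).lower()


def analyze_event(event):
    """Classify one process-creation event.

    is_delete   - child is `cmd /c del|erase ...`
    quiet       - the /q switch is present (delete without prompting)
    self_delete - one of the delete targets is the parent's own image
    targets     - normalised target paths named on the command line
    """
    # Non-POSIX mode keeps backslashes literal and honours "quoted paths".
    tokens = shlex.split(event["command_line"], posix=False)
    result = {"is_delete": False, "quiet": False, "self_delete": False, "targets": []}
    if len(tokens) < 3:
        return result
    exe = PureWindowsPath(tokens[0].strip('"')).name.lower()
    if exe not in ("cmd", "cmd.exe") or tokens[1].lower() != "/c":
        return result
    if tokens[2].lower() not in ("del", "erase"):
        return result
    result["is_delete"] = True
    switches = [t.lower() for t in tokens[3:] if t.startswith("/")]
    result["quiet"] = "/q" in switches
    result["targets"] = [_norm(t) for t in tokens[3:] if not t.startswith("/")]
    result["self_delete"] = _norm(event["parent_image"]) in result["targets"]
    return result


def hunt(events):
    """Return the events in which a process deletes its own executable via cmd."""
    return [e for e in events if analyze_event(e)["self_delete"]]


if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print("self-deletion:", e["parent_image"], "->", e["command_line"])
```

A plain `del` of some other file (second event) is noisy on its own; the match on the parent's own image is what makes the first event worth a closer look.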
But he said while the Trustwave SpiderLabs team was gratified to see its GoldenSpy research and analysis "result in such a rapid course reversal in the Golden Tax threat campaign, we are not so optimistic as to believe that this new development signifies a slowdown in threat actor activity".
"This threat is a clear and present danger, driven by incredibly smart and innovative adversaries. We will allow for the briefest of pats on the back and then return to hunting for the next threat."
Hussey said organisations must "continuously be vigilant, always threat hunting, because our adversaries will continue to find new ways to trick, manipulate, and socially engineer their way into environments".
He added that the value of the GoldenSpy case study was not the IOCs (indicators of compromise) provided, but the lesson that malware can be cleverly hidden in any software, regardless of its source or supposed legitimacy.
Hussey's new blog post provides intricate details of how the uninstaller for GoldenSpy works.