Sunday, 28 June 2020 18:54

Trustwave finds new Windows malware targeting firms doing business in China

Image by Gerd Altmann from Pixabay

Chicago-based security firm Trustwave claims to have found a new Windows malware family, which it has christened GoldenSpy, that is embedded in tax payment software that a Chinese bank requires companies to install to do business with it in China.

Trustwave researcher Brian Hussey said in a detailed blog post that the behaviour of an executable file that was found in April had raised the suspicions of the research team. A white paper on the topic is here and can be downloaded after registration.

The executable was said to exhibit unusual behaviour and send system information to what Hussey described as a "suspicious Chinese domain," which was known to host other Windows malware.

Trustwave's client, a global technology vendor, told the research firm this was part of the software that their bank in China required them to install. On opening operations in China, their local bank had asked them to install software known as Intelligent Tax made by the Golden Tax Department of Aisino Corporation in order to pay their local taxes.

The report has been released at a time when US-China tensions are high in the run-up to the US presidential elections in November.

Hussey said while the software worked as advertised, it also installed a hidden backdoor that would allow a remote operator to execute Windows commands or to upload and execute any binary - which could have been ransomware, trojans or other malware.

"Basically, it was a wide-open door into the network with SYSTEM level privileges and connected to a command and control server completely separate from the tax software’s network infrastructure," Hussey said. "Based on this, and several other factors, we determined this file to have sufficient characteristics to be malware. We’ve since fully reverse-engineered the files and named the family GoldenSpy."

The digital signature used for GoldenSpy was from a company named Chenkuo Network Technology and it used identical text for both product and description fields: 认证软件版本升级服务 – which translates to “certified software version upgrade service”.

Hussey said the name sounded like legitimate software, but the tax software already had its own updater service that functioned well in a way that was completely unrelated to GoldenSpy.

He cited the following characteristics which he termed suspicious:

  • Two identical versions of GoldenSpy got installed, both as persistent autostart services. If either stopped running, it would respawn its counterpart. Additionally, it used an exeprotector module that tracked deletion of either iteration. If deleted, it would download and execute a new version, making it exceedingly difficult to remove this file from an infected system.
  • The Intelligent Tax software’s uninstall feature did not uninstall GoldenSpy but left it running as an open backdoor into the environment, even after the tax software was fully removed.
  • GoldenSpy was not downloaded and installed until two hours after the tax software installation. The installation was quiet, with no notification. This long delay was highly unusual and a method to hide from the victim’s notice.
  • GoldenSpy did not contact the tax software’s network infrastructure (i-xinnuo[.]com), but instead reached out to ningzhidata[.]com, a domain registered on 22 September 2019 known to host other variations of GoldenSpy malware. After the first three attempts to contact its command and control server, it randomised beacon times. This is a known method to avoid network security technologies designed to identify beaconing malware.
  • GoldenSpy operated with SYSTEM level privileges, which meant it could run any software on the system, including additional malware or Windows administrative tools to conduct reconnaissance, create new users, escalate privileges, etc.

Hussey said he had contacted Aisino Corporation and Nanjing Chenkuo Network Technology about these findings. No response had been received by the time the white paper was to be published.

"We recommend immediately removing any Aisino Tax software which includes mechanisms to download GoldenSpy. If this is not possible for business-criticality reasons, take steps to remove GoldenSpy specifically, hunt for the IOC’s provided in this report, and blacklist all malicious code and C2 servers from your network," Hussey added.
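As an added example (not taken from Trustwave's report or white paper), the following sketch shows one way to hunt DNS logs for the behaviour listed above: hosts that resolved the C2 zone ningzhidata[.]com, with the delay since they first contacted the tax software's own zone i-xinnuo[.]com. The log format, host names and subdomains are constructed assumptions, and the log is assumed to be in time order.

```python
from datetime import datetime

# Domains named in the article (written defanged there).
C2_DOMAIN = "ningzhidata.com"
TAX_DOMAIN = "i-xinnuo.com"

# Constructed sample DNS log; assumed format: "<UTC time> <host> <queried name>".
# Host names and subdomain labels are invented for illustration.
SAMPLE_LOG = """\
2020-04-02T09:00:05Z fin-ws-01 www.i-xinnuo.com
2020-04-02T09:01:10Z fin-ws-02 download.i-xinnuo.com.
2020-04-02T09:30:00Z hr-ws-07 notningzhidata.com
2020-04-02T10:15:00Z hr-ws-07 ningzhidata.com.example.net
2020-04-02T11:02:41Z fin-ws-01 Update.NingzhiData[.]com
2020-04-02T11:02:51Z fin-ws-01 update.ningzhidata.com
2020-04-02T13:47:19Z fin-ws-01 update.ningzhidata.com
"""

def normalise(name):
    """Lower-case, refang '[.]' and drop the trailing root dot."""
    return name.lower().replace("[.]", ".").rstrip(".")

def in_zone(name, zone):
    """True for the zone itself or a subdomain, never for lookalikes."""
    name = normalise(name)
    return name == zone or name.endswith("." + zone)

def hunt(log_text):
    """Return {host: finding} for every host that queried the C2 zone."""
    first_tax, findings = {}, {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        host, qname = parts[1], parts[2]
        if in_zone(qname, TAX_DOMAIN):
            first_tax.setdefault(host, ts)  # keep earliest contact only
        elif in_zone(qname, C2_DOMAIN):
            f = findings.setdefault(
                host, {"first_c2": ts, "c2_queries": 0, "delay_min": None})
            f["c2_queries"] += 1
            if host in first_tax and f["delay_min"] is None:
                # Minutes between first tax-software contact and first C2 query.
                f["delay_min"] = int((ts - first_tax[host]).total_seconds() // 60)
    return findings

if __name__ == "__main__":
    for host, f in hunt(SAMPLE_LOG).items():
        print(host, f["first_c2"].isoformat(), f["c2_queries"], f["delay_min"])
```

Hosts that only contacted the tax software zone (fin-ws-02 in the sample) are not flagged, but they are candidates for closer review given the delayed install the article describes.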





Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

