GoldenSpy Malware Embedded in Official Golden Tax Software

During major fiscal reforms in 1994, China began a value-add tax (VAT) system requiring businesses to pay tax on the difference of their revenue represented on invoices and their expenses. During this same timeframe the “Golden Tax Project” (GTP) was launched to centralize VAT tax invoicing and fight against tax fraud using sophisticated software and spearheaded by the former Premier of the State Council, Comrade Zhu Rongji.

On June 25th 2020, the Trustwave SpiderLabs team issued an Emerging Threat Report about the GoldenSpy backdoor malware. In the full report they concluded that while they were not aware of any ongoing attack, the backdoor had several characteristics that could lead to a major compromise.

As reported, the GoldenSpy malware is installed as part of the mandated Tax Software produced by Aisino. The suspicious characteristics of GoldenSpy are:

• Covert download; two hours after the Intelligent Tax software is installed.
• Two autostart services created to monitor and restart itself.
• Uninstalling the tax software does not uninstall the GoldenSpy binaries.
• Beaconing traffic to a domain that is not related to the tax software.
• Running with system level privileges and allowing for remote code execution.

Since the Trustwave SpiderLabs report went public, the team has discovered the Aisino tax software downloading and running an uninstaller, removing all evidence of the GoldenSpy malware. Again, the team released the information to the public via the Trustwave SpiderLabs blog: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/