A large, multinational technology company got a nasty surprise recently as it was expanding its operations to China. The software a local bank required the company to install so it could pay local taxes contained an advanced backdoor.
The cautionary tale, detailed in a report published Thursday, said the software package, called Intelligent Tax and produced by Beijing-based Aisino Corporation, worked as advertised. Behind the scenes, it also installed a separate program that covertly allowed its creators to remotely execute commands or software of their choice on the infected computer. It was also digitally signed by a Windows trusted certificate.
Researchers from Trustwave, the security firm that made the discovery, have dubbed the backdoor GoldenSpy. With system-level privileges to a Windows computer, it connected to a control server located at ningzhidata[.]com, a domain Trustwave researchers said is known to host other variations of the malware. The backdoor included a variety of advanced features designed to gain deep, covert, and persistent access to infected computers.
According to Thursday's post, those features include:
- GoldenSpy installs two identical versions of itself, both as persistent autostart services. If either stops running, it will respawn its counterpart. Furthermore, it utilizes an exe protector module that monitors for the deletion of either iteration of itself. If deleted, it will download and execute a new version. Effectively, this triple-layer protection makes it exceedingly difficult to remove this file from an infected system.
- The Intelligent Tax software's uninstall feature will not uninstall GoldenSpy. It leaves GoldenSpy running as an open backdoor into the environment, even after the tax software is fully removed.
- GoldenSpy is not downloaded and installed until a full two hours after the tax software installation process is completed. When it finally downloads and installs, it does so silently, with no notification on the system. This long delay is highly unusual and a method to hide from the victim's notice.
- GoldenSpy does not contact the tax software's network infrastructure (i-xinnuo[.]com), rather it reaches out to ningzhidata[.]com, a domain known to host other variations of GoldenSpy malware. After the first three attempts to contact its command and control server, it randomizes bea
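
For defenders, the two domains named above give a simple way to triage DNS logs. The Python sketch below is an added example, not code from Trustwave's report or this article; the log format, host names and verdict labels are assumptions, and the sample lines are constructed.

```python
from datetime import datetime

# Domains as the article prints them (defanged); refanged only for matching.
C2_DOMAIN = "ningzhidata[.]com".replace("[.]", ".")
VENDOR_DOMAIN = "i-xinnuo[.]com".replace("[.]", ".")

# Constructed sample log. Assumed format: ISO timestamp, host, queried name.
SAMPLE_LOG = """\
2020-06-01T09:00:00 fin-ws-01 update.i-xinnuo.com
2020-06-01T11:05:00 fin-ws-01 ningzhidata.com
2020-06-01T11:06:10 fin-ws-01 www.ningzhidata.com
2020-06-01T09:30:00 fin-ws-02 i-xinnuo.com
2020-06-01T10:00:00 hr-ws-07 notningzhidata.com
2020-06-03T14:00:00 fin-ws-03 api.NINGZHIDATA.com.
"""

def in_domain(name, domain):
    """Match the domain or any subdomain, but not look-alike suffixes."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def triage(log_text):
    """Map each host to (verdict, delay from first vendor to first C2 query)."""
    first = {}  # (host, kind) -> earliest timestamp seen
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        for kind, domain in (("c2", C2_DOMAIN), ("vendor", VENDOR_DOMAIN)):
            if in_domain(parts[2], domain):
                key = (parts[1], kind)
                first[key] = min(first.get(key, when), when)
    verdicts = {}
    for host in sorted({h for h, _ in first}):
        c2, vendor = first.get((host, "c2")), first.get((host, "vendor"))
        if c2 and vendor:
            verdicts[host] = ("c2-and-tax-software", c2 - vendor)
        elif c2:
            # Fits the report's note that the backdoor survives uninstall,
            # or the log window simply starts after the install.
            verdicts[host] = ("c2-without-tax-software", None)
        else:
            verdicts[host] = ("tax-software-only", None)
    return verdicts
```

Hosts marked `tax-software-only` have the tax software's traffic but no observed contact with the control domain in the log window, so they are candidates for closer monitoring rather than cleared.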