A cybersecurity firm recently discovered that the official Chinese tax software has a hidden malware program.
The malware appears to be a backdoor that allows its developer access into the user device. Cybersecurity firm Trustwave discovered the malicious program and called it GoldenHelper. It is embedded in the official Chinese government tax software called Golden Tax Project.
The software is usually used for issuing invoices. The software is also used for paying taxes. Experts believe that the software part of a wider suite of spying programs.
Backdoor attacks
According to cybersecurity experts, GoldenHelper uses extremely sophisticated techniques to deliver its payload. It was also purposely designed by its developer to be fundamentally invisible to most antivirus software.
In a statement, Trustwave said:
“Some of the interesting techniques GoldenHelper uses include randomization of name whilst in transit, randomization of file system location, timestamping, IP-based Doman Generation Algorithm, UAC bypass, and privilege escalation.”
A closer inspection of the malware revealed that it does not require permission to escalate its privilege. This means that it can propagate into the target system without requesting higher permissions. It is also capable of covering its tracks by generating random file names.
The latest update to the #GoldenSpy story reveals #GoldenHelper – a precursor malware that might represent an active threat. Read the new research at the @Trustwave @SpiderLabs blog. https://t.co/Sg0vSQQ2PF
— Trustwave (@Trustwave) July 14, 2020
Trustwave said that their investigation also revealed the massive scope of this backdoor attack. In some cases, the Golden Tax software comes pre-installed in a system provided by the bank. The firm added that banks are using computers running Windows 7 Home Edition.
Once inside the system, the GoldenHelper backdoor will unload its taxver.exe binary payload. The payload is then executed with system-level privileges on multiple locations on the target computer.
Scope of the attack still unknown
Trustwave was able to detect and track the existence of the GoldenHelper malware. However, the firm was unable to extract and analyze a sample of its payload. This means that the exact scope of its attack vector and behavior is still unknown.
The cybersecurity firm said that the GoldenHelper backdoor campaign is no longer active. However, the threat remains since the exact purpose of its final payload is still unknown.
The Trustwave investigation leads them to the Aisino Corporation. The firm believes that the two malware, GoldenSpy, and GoldenHelper, have something to do with the Aisino Corporation. Whether the company is responsible for the propagation of these malicious codes is unknown.
Since the final payload of the GoldenHelper malware was not examined, it is still an active threat. Nevertheless, no recent cyberattacks have been linked to it.
Image courtesy of Yuttanas/Shutterstock