Tax software required to conduct business in China has been installing malware on enterprise systems and trying to evade detection, according to cybersecurity researchers.

The team at Trustwave has been monitoring the malware campaign which they originally found on the systems of one of its clients.

“They informed us that upon opening operations in China, their local Chinese bank required that they install a software package called Intelligent Tax produced by the Golden Tax Department of Aisino Corporation, for paying local taxes,” researcher Brian Hussey said.

“As we continued our investigation into the tax software, we found that it worked as advertised.

“But it also installed a hidden backdoor on the system that enabled a remote adversary to execute Windows commands or to upload and execute any binary.”

Businesses operating in China have to pay a value added tax (VAT).

The payment of VAT is monitored through China’s Golden Tax Project which requires organisations use specific software to lodge and track invoices.

Dubbed ‘GoldenSpy’, the malware found in Aisino’s tax software was downloaded onto its host system two hours after the Intelligent Tax software was installed.

Two versions of the malware were installed and would autostart on boot to maintain persistence with system level privileges.

Trustwave said it could not tell if Aisino was an “active and/or willing” participant in the malware, but recommended that businesses operating in China – especially those using Aisino Intelligent Tax Software – should consider this malware a threat.

Destroying the evidence

Shortly after Trustwave published its original report about GoldenSpy last month, the researchers spotted the Aisino program downloading a new package that silently deleted GoldenSpy from computers.

The uninstaller was designed to remove all registry entries, files, and folders created by GoldenSpy before deleting itself – all through the Windows command line without prompting user action.

“Gone without a trace, or even knowing it was there,” said Hussey.

“In our testing, this GoldenSpy uninstaller will automatically download and execute, and effectively, will negate the direct threat of GoldenSpy in your environment.

“However, as the deployment of this uninstaller is delivered directly from the supposedly legitimate tax software, this has to leave users of Intelligent Tax concerned about what else could be downloaded and executed in a similar manner.”

A week later, Trustwave spotted a new version of the same uninstaller downloading quietly on systems with the tax software installed.

This uninstaller was downloaded with the same purpose – to remove any trace of GoldenSpy – except it was designed specifically to evade the detection methods previously shared by Trustwave online.

Enter GoldenHelper

Trustwave’s posts about GoldenSpy led to the discovery of another malware sitting in software distributed by an Aisino subsidiary prior to the launch of GoldenSpy.

From early 2018 to July 2019, a suspicious program was being installed on machines by the tax software.

“The Golden Tax Project is a national program in China, impacting every business operating in China,” Hussey said.

“We are currently aware of only two organisations authorised to produce Golden Tax software, Aisino and Baiwang.

“This is now the second Golden Tax software package that Trustwave SpiderLabs has found to contain a hidden backdoor capable of remotely executing arbitrary code with system level privileges.”

Nicknamed GoldenHelper, the program contained three different .dll files that it used to bypass the Windows User Account Control feature before dropping the taxver.exe payload on the target machine.

While the researchers have not yet been able to dissect a sample of the taxver executable, aspects of its delivery leads them to question the .exe’s legitimacy.

Aside from deliberately bypassing Windows security, the taxver.exe dropper gives it a random extension name (eg .jpg, .gif, .dat, .rar, or .zip) so that network sniffers don’t pick up on an executable being downloaded.

Then a randomiser puts the .exe into one of six different Windows directories – again trying to hide the installer from detection.

Trustwave recommends that “any system hosting third-party applications with a potential for adding a gateway into your environment, be isolated and heavily monitored with strict processes and procedures in their usage”.