Security Affairs
JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Chinese tax software bundled with GoldenSpy backdoor targets western companies

A new malware dubbed GoldenSpy is being distributed embedded in tax payment software that some businesses operating in China are required to install. GoldenSpy is a new backdoor that is being distributed embedded in tax payment software (the Aisino Intelligent tax software) that some businesses operating in China are required to install. The campaign is […]

GoldenSpy

A new malware dubbed GoldenSpy is being distributed embedded in tax payment software that some businesses operating in China are required to install.

GoldenSpy is a new backdoor that is being distributed embedded in tax payment software (the Aisino Intelligent tax software) that some businesses operating in China are required to install.

The campaign is active since at least April 2020, but experts found some samples that suggest the attacks begun at least December 2016.

In October 2016, Chenkuo Technology announced a partnership with Aisino for “big data cooperation. However, it is not clear the role of the companies in the attacks.

According to the security firm Trustwave, a Chinese bank has forced at least two western companies to install tainted tax software.

The two companies recently opened offices in China, they are a UK-based technology vendor and a major financial institution.

“Trustwave SpiderLabs has identified a new threat targeting corporations conducting business in China. The victim company is required to install software that will enable payment of local taxes.” reads the report published by Trustwave. “However, a backdoor is hidden within the software package that provides full remote command and control of the victim system, enabling arbitrary remote execution of code, and a remote shell.”

Experts noticed that the software covertly installs the hidden GoldenSpy backdoor (svm.exe) two hours after the tax software is installed.
The backdoor attempts to connect a Chinese domain that was used in past campaign to distribute the GoldenSpy, it allows to gather basic system information and continuously beacons to a remote server for “updates.” The “update” functionality enables GoldenSpy to remotely execute arbitrary code and implements remote command execution capability.

“Svm.exe gathers system information and exfiltrates it to www.ningzhidata[.]com on port 9006. The malware maintains persistence by monitoring itself and if the process is stopped, it will respawn.” continues the report. Additionally, it sends requests to a remote server to update itself (a method to execute additional operations), and it stands open as a backdoor into the environment enabling the command and control server to upload and execute arbitrary code or commands with System privileges.”

The backdoor is digitally signed by a company named Chenkuo Network Technology. Experts noticed that once installed GoldenSpy is independent of the tax software, this means that even installing the Intelligent Tax software, the GoldenSpy will continue to work.

The Svm.exe installs itself as two services named SVM and SVMM, and has two main functions:

  • ExeProtector that spawns off a separate thread to protect svm.exe and svmm.exe, it also allows the malware to achieve persistence.
  • Connects to a C2 that in turn sends additional commands

Trustwave experts are not able to determine the full scope of the GoldenSpy campaign and its real extent.

The report published by Trustwave includes recommendations to mitigate the risk of attacks and Indicators of Compromise (IoCs) for this campaign.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – malware, GoldenSpy)

[adrotate banner=”5″]

[adrotate banner=”13″]