
Informative Note

Detection Date: 12:20 17/07/2020
ID: 202007171220
Audience: Aiuken’s Clients
Title:
Probability: Possible [5-50%)
Impact: High
Risk: Medium

Issue

Recently, a piece of malware (nicknamed GOLDENSPY) was discovered being distributed within tax payment software that certain entities doing business in China are required to install. The discovery triggered further investigations, which led to the finding of GOLDENHELPER, the predecessor of GOLDENSPY.

• GOLDENSPY was initially discovered within two UK-based companies that were forced to install Chinese tax software
• GOLDENHELPER (its predecessor) was discovered during the further investigations prompted by the suspicion that GOLDENSPY raised

The GOLDENHELPER campaign is suspected to have targeted clients of Chinese banks. The malware was produced by NOUNOU Technology, a subsidiary of AISINO. Its evolution, GOLDENSPY, was found in two UK-based companies that had recently opened offices in China: one is a technology/software vendor and the other a major financial institution. GOLDENSPY was found to be digitally signed by CHENKUO NETWORK TECHNOLOGY.

• An unknown number of clients of Chinese banks were affected by GOLDENHELPER
• At least two UK-based companies were affected by GOLDENSPY
• The malware is signed by CHENKUO NETWORK TECHNOLOGY

The GOLDENHELPER campaign was likely run between 2018 and mid-2019, but it appears to be defunct now. GOLDENSPY’s campaign is suspected to have started operating in April 2020. However, the oldest GOLDENSPY samples are dated two months after CHENKUO Technology announced a partnership with AISINO in October 2016. The full scope of the GOLDENSPY campaign, and whether the affected organizations were specifically targeted, remain unknown.

• GOLDENHELPER was in “production” from 2018 to 2019.
• GOLDENSPY has existed since 2016 but was distributed in April 2020.
• No information is available about the extent of GOLDENSPY’s campaign.
aiuken.com

GOLDENSPY is downloaded and automatically executed two hours after the tax software has been installed. It installs two versions of itself, both as persistent AutoStart services. If either stops running, the other respawns it. If either is uninstalled, the other downloads and executes a new version. GOLDENSPY is a backdoor with the highest level of privileges on the host where it was installed, and it operates separately from the tax software’s network infrastructure.
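As an added defender-side example (not code from this note or from any of the vendors it names), the following Python heuristic looks for the persistence pattern described above in a constructed service inventory and service event log: two AutoStart services that appear within the expected window after the tax software install, share a signer other than the vendor, and restart each other after being stopped. Service names, paths, timestamps, and the window and gap values are assumptions.

```python
# Added heuristic (not GOLDENSPY's own code): flag the paired-AutoStart-service
# persistence pattern in a constructed service inventory and event log.
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations

@dataclass
class Service:
    name: str
    start_type: str   # "auto" = AutoStart, "demand" = manual start
    binary: str
    signer: str
    created: datetime

def paired_autostart_suspects(services, tax_install, vendor_signer,
                              window=timedelta(hours=3)):
    """Pairs of AutoStart services created within `window` after the tax
    software install, with distinct binaries signed by the same publisher
    that is not the tax software vendor (two copies, both AutoStart)."""
    cands = [s for s in services if s.start_type == "auto"
             and tax_install <= s.created <= tax_install + window
             and s.signer != vendor_signer]
    return [(a.name, b.name) for a, b in combinations(cands, 2)
            if a.signer == b.signer and a.binary != b.binary]

def respawns(events, pair, gap=timedelta(seconds=60)):
    """Count a 'stop' of a service in `pair` followed within `gap` by its own
    'start' (one copy stops, the other respawns it).
    `events` is a list of (timestamp, service_name, 'stop'|'start')."""
    ev = sorted(events)
    count = 0
    for i, (t, name, kind) in enumerate(ev):
        if kind != "stop" or name not in pair:
            continue
        if any(n == name and k == "start" and t < t2 <= t + gap
               for t2, n, k in ev[i + 1:]):
            count += 1
    return count

# Constructed sample data; names, paths and times are made up.
T0 = datetime(2020, 7, 1, 9, 0)
SERVICES = [
    Service("IntelligentTax", "auto", r"C:\Tax\itax.exe", "AISINO", T0),
    Service("SvcA", "auto", r"C:\PD\a\svc.exe", "CHENKUO NETWORK TECHNOLOGY", T0 + timedelta(hours=2)),
    Service("SvcB", "auto", r"C:\PD\b\svc.exe", "CHENKUO NETWORK TECHNOLOGY", T0 + timedelta(hours=2, minutes=1)),
    Service("Spooler", "auto", r"C:\Windows\System32\spoolsv.exe", "Microsoft Windows", datetime(2019, 1, 1)),
]
EVENTS = [(T0 + timedelta(hours=5), "SvcA", "stop"),
          (T0 + timedelta(hours=5, seconds=10), "SvcA", "start"),
          (T0 + timedelta(hours=6), "Spooler", "stop")]
```

On the sample data, `paired_autostart_suspects(SERVICES, T0, "AISINO")` returns the SvcA/SvcB pair and `respawns(EVENTS, {"SvcA", "SvcB"})` counts one respawn; in practice the inventory and events would come from service-control and signing telemetry.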


The Intelligent Tax software’s uninstall feature does not remove GOLDENSPY. After these findings, the Aisino Intelligent Tax product was observed pushing “AWX.exe” to stealthily remove GOLDENSPY and all traces of compromise, including registry entries and the malware’s files and folders.

Matrix Annex

Probability                 Very low impact   Low impact     Medium impact   High impact   Very high impact
Confirmed   [95 – 100] %    Medium risk       Medium risk    High risk       High risk     Very high risk
Very likely [75 – 95) %     Medium risk       Medium risk    Medium risk     High risk     High risk
Likely      [50 – 75) %     Low risk          Medium risk    Medium risk     Medium risk   High risk
Possible    [5 – 50) %      Low risk          Low risk       Medium risk     Medium risk   Medium risk
Uncertain   [0 – 5) %       Very low risk     Low risk       Low risk        Medium risk   Medium risk

Impact levels:
Very low impact: low disruption over non-essential to production assets
Low impact: severe disruption over non-essential to production assets
Medium impact: low disruption over essential to production assets
High impact: severe disruption over essential to production assets
Very high impact: deep and long disruption over essential to production assets


Annexes
IOC’s:
