When a U.K.-based technology vendor started doing business in China, it hired a cybersecurity firm to proactively hunt for any digital threats that could arise as part of doing business in the country. The firm discovered a problem, one with such major implications that it alerted the FBI.
A state-owned bank in China had required the tech company to download software called Intelligent Tax to facilitate the filing of local taxes. The tax software worked as advertised, but it also installed a hidden back door that could give hackers remote command and control of the company’s network, according to a report published Thursday by the SpiderLabs team at Chicago-based Trustwave Holdings Inc. (The cybersecurity firm declined to identify the bank).
“Basically, it was a wide-open door into the network with system-level privileges and command and control server completely separate from the tax software’s network infrastructure,” Brian Hussey, vice president of cyber threat detection and response at Trustwave, wrote in a blog post, also published Thursday. The malware, which Trustwave dubbed GoldenSpy, isn’t downloaded and installed until two hours after the tax software installation is completed, he said.
Trustwave researchers determined that the malware connects to a server hosted in China.
It isn’t known how many other companies downloaded the malicious software, nor is the purpose of the malware clear or who is behind it, according to the report. Trustwave said it disrupted the intrusion at the tech company in the early stages. “However, it is clear the operators would have had the ability to conduct reconnaissance, spread laterally and exfiltrate data,” according to the report, adding that GoldenSpy had the characteristics of an Advanced Persistent Threat campaign. Such efforts are often associated with nation-state hacking groups.
Besides its client, Trustwave said it was aware of a “highly similar incident” that occurred at a major financial institution, which it didn’t name. “This could be leveraged against countless companies operating and paying taxes in China or may be targeted at only a select few organizations with access to vital information,” Trustwave wrote in its report. “We believe all corporations with Chinese operations should investigate for presence of GoldenSpy and remediate if necessary.”
Aisino Corporation, the developer of the Intelligent Tax software, didn’t respond to a request for comment, and Trustwave said it didn’t hear back from the company after alerting it to the malware discovery. Hussey said he briefed the Federal Bureau of Investigation on the findings on Wednesday.
Trustwave researchers believe the threat became active in April 2020, but they also discovered other variations of GoldenSpy going back to December 2016. It wasn’t clear what the hackers were after once it had successfully gained access to the tech company’s network, as they were discovered before they could exfiltrate data, Hussey said in an interview. Because the malware is included as part of software recommended by a bank, a target may be lulled into a false sense of security, Hussey said.
The malware was digitally signed by another Chinese company, Nanjing Chenkuo Network Technology, which helped it bypass the U.K. tech company’s anti-virus and security systems, according to Trustwave. When Trustwave reached out to Nanjing about the malware, its emailed bounced back, Hussey said. The malware is built to persist inside of a company’s network — when one part of the malware is shut down, another part will re-install the malicious program, according to the report.
Trustwave is asking businesses and computer security researchers with information about the malware to contact them.