Government-mandated value-added tax (VAT) software is silently installing backdoor malware on the networks of US-based companies operating in China, the US Federal Bureau of Investigation (FBI) has warned in an alert.
GoldenHelper, GoldenSpy malware on the rise
The backdoor is a serious threat because it allows the execution of unauthorized code: attackers can not only infiltrate networks but also steal proprietary data from US-based companies operating in China.
Furthermore, local Chinese laws make the installation of this particular value-added tax (VAT) software compulsory for all non-Chinese companies for taxation purposes, the FBI has warned. The FBI also said it spotted the backdoor malware in software from both of the only two government-mandated VAT software providers.
Officials say Baiwang and Aisino are the only government-authorized tax software service providers in China, so the FBI spotting malware in the VAT software provided by these two companies makes matters worse. All foreign companies operating in China are likely affected by this security issue.
In two separate incidents since July 2018, foreign companies impacted by the issue have already discovered the presence of GoldenHelper and GoldenSpy malware on their networks.
“Trustwave SpiderLabs has discovered malware embedded in Chinese tax software. This campaign was active in 2018-2019, prior to the GoldenSpy campaign, and is hidden in the Golden Tax Invoicing Software (Baiwang Edition), required by Chinese banks for payment of VAT taxes,” information security company Trustwave said.
“The new malware is entirely different from GoldenSpy, although the delivery modus operandi is highly similar. We named this family GoldenHelper, based on its association with the Chinese National Golden Tax project and one of the primary Command and Control domains: help.tax-helper.ltd,” it further added.
Once delivered, the malware installs without a user’s permission and escalates to SYSTEM-level privilege; it uses randomly generated filenames and timestamps, and it attempts to download an executable disguised under fake file extensions such as .gif, .jpg or .zip.
The malware uses several .dll files to interface with the Golden Tax software, bypass Windows security, escalate privileges, and execute arbitrary code with SYSTEM-level privilege. Ultimately, it drops the final malware payload, which may be placed in any of several locations in the file system.
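The disguised-download behaviour described above lends itself to a simple file-header check on a host. The following is an added example, not code from Trustwave or from the article: it flags files carrying a .gif, .jpg or .zip extension whose leading bytes are a Windows PE header (MZ) or otherwise do not match the extension. The sample files it writes are constructed for the demonstration and are not real indicators.

```python
import os
import tempfile

# Magic bytes a file with one of these extensions should start with.
# The extensions are the ones the article names as used for disguise.
EXPECTED_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
}
PE_MAGIC = b"MZ"  # DOS stub header that every Windows PE executable begins with


def classify(path):
    """Return 'ok', 'disguised_pe', 'mismatch' or 'unknown_ext' from the file header."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(8)
    if head.startswith(PE_MAGIC):
        return "disguised_pe"  # an executable hiding behind a data-file extension
    expected = EXPECTED_MAGIC.get(ext)
    if expected is None:
        return "unknown_ext"
    return "ok" if any(head.startswith(m) for m in expected) else "mismatch"


def scan_dir(root):
    """Walk a tree and return {path: verdict} for every file with a watched extension."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in EXPECTED_MAGIC:
                p = os.path.join(dirpath, name)
                findings[p] = classify(p)
    return findings


def demo():
    """Build a constructed sample tree and return verdicts keyed by file name."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample data, not real artefacts
        "real.gif": b"GIF89a" + b"\x00" * 32,
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "archive.zip": b"PK\x03\x04" + b"\x00" * 32,
        "a8f3k.gif": b"MZ\x90\x00" + b"\x00" * 60,  # PE header behind a .gif name
        "notes.zip": b"not really a zip",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return {os.path.basename(p): v for p, v in scan_dir(root).items()}
```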
At the moment, affected companies are investigating the matter further.
In related news, researchers recently caught a Chinese state-sponsored hacking group targeting India and Hong Kong, courtesy of new malware campaigns.