Back in June 2020, cybersecurity researchers spotted an interesting piece of malware – the GoldenSpy threat. This threat is a backdoor that was distributed in a rather intriguing manner. Instead of using conventional distribution techniques, the GoldenSpy backdoor was planted on the targeted systems via a legitimate tax application. The targets were businesses and organizations that worked with a Chinese bank, which required them to install tax software that carried the GoldenSpy payload. It is not yet known whether the Chinese bank in question deliberately spread the GoldenSpy malware or whether it was unaware of the malicious application.
After looking further into this case, cybersecurity analysts spotted another piece of malware distributed using the same infection vector – the GoldenHelper threat. The GoldenHelper hacking tool and the GoldenSpy malware are rather different threats. According to researchers, the GoldenHelper threat is older than the GoldenSpy malware – the former appears to have been active since 2018, while the latter was just spotted last month. The GoldenHelper hacking tool was found embedded in an application called 'Golden Tax Invoicing Software.'
There is one company that seems to be associated with both the GoldenHelper malware and the GoldenSpy threat – the Aisino Corporation. This Chinese company was established in 2000. The Aisino Corporation is affiliated with a company called NouNou Technologies, which certified the tax software used to distribute the GoldenHelper malware. NouNou Technologies was also associated with the software that propagated the GoldenSpy malware – the 'Intelligent Tax' application.
Some of the features found in the GoldenHelper implant are designed to keep it as stealthy as possible. For example, its components do not use hardcoded names and, instead, their names are randomly generated. Furthermore, it uses an exploit to bypass User Account Control (UAC) without alerting the victim. Finally, it has a Domain Generation Algorithm (DGA) to randomize the connection to the control servers.
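The DGA mentioned above is a feature defenders can look for in DNS telemetry: algorithmically generated domains tend to have high character entropy, few vowels, or many digits, and a host resolving several of them in a short window stands out. The following is an added example written for this article; it is not code from GoldenHelper, from the researchers who analysed it, or from any vendor, and it does not reproduce GoldenHelper's actual algorithm or domains. The log format, the sample domains, the host names and the thresholds (entropy of 3.0 bits, vowel ratio of 0.25, three hits per host) are all constructed assumptions for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (assumed format: timestamp host "query" type fqdn).
# The domains below are made up for this example and are NOT real indicators.
SAMPLE_DNS_LOG = """\
2020-07-14T09:12:01Z host-17 query A www.example.com
2020-07-14T09:12:05Z host-17 query A mail.example.com
2020-07-14T09:12:09Z host-17 query A x7kq9vz2lm4p.com
2020-07-14T09:12:10Z host-17 query A q2w8e5r1t9y4u.net
2020-07-14T09:12:11Z host-17 query A a9s3d7f1g5h2j.org
2020-07-14T09:12:30Z host-22 query A updates.example.org
"""

# Assumed log layout; adjust the pattern to the resolver or EDR export in use.
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+\S+\s+(\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(fqdn):
    """Return the label immediately left of the TLD (e.g. 'example' for www.example.com).
    This is a deliberate simplification that ignores multi-part public suffixes."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(fqdn, entropy_threshold=3.0, max_vowel_ratio=0.25, min_digit_ratio=0.3):
    """Heuristic: long, high-entropy label that is either vowel-poor or digit-heavy.
    Thresholds are assumptions chosen for this example, not measured values."""
    label = second_level_label(fqdn)
    if len(label) < 8:          # short labels give unreliable entropy estimates
        return False
    entropy = shannon_entropy(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return entropy >= entropy_threshold and (
        vowel_ratio <= max_vowel_ratio or digit_ratio >= min_digit_ratio
    )


def flag_hosts(log_text, min_hits=3):
    """Count DGA-like lookups per host and return hosts at or above min_hits."""
    hits = Counter()
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue                # skip lines that do not fit the assumed format
        host, fqdn = match.group(2), match.group(3)
        if is_dga_like(fqdn):
            hits[host] += 1
    return {host: n for host, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for host, n in flag_hosts(SAMPLE_DNS_LOG).items():
        print(f"{host}: {n} DGA-like lookups")
```

Run over the constructed log, `flag_hosts` reports `host-17` with three DGA-like lookups and leaves `host-22` alone. The vowel-ratio guard is what keeps long but pronounceable legitimate labels (for example `microsoftonline`, which has an entropy above 3.0 bits) from being flagged; in production, the heuristic is a triage signal to combine with allow-lists and query-volume baselines rather than a verdict on its own.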
Companies need to be very careful when installing new software on their networks, even when it comes from a trustworthy partner, as the tax applications that distributed the GoldenSpy and GoldenHelper threats demonstrate.