Malware experts have identified a new threat, which has been dubbed GoldenSpy. According to analysts, there have been two companies that have been breached so far. Both organizations are located in the United Kingdom. One of the affected companies is involved in software development, while the other one operates in the financial sector. What is very intriguing about the GoldenSpy malware is that it was delivered to the targets via a taxation software that was presented as legitimate by a Chinese bank. The bank in question required the affected companies to install the dodgy software. It is unknown if the bank was aware that the taxation software they required their partners to install carried the payload of the GoldenSpy malware.
The GoldenSpy threat serves the purpose of a backdoor Trojan. Once the GoldenSpy malware has compromised a targeted system, it will allow its operators to execute additional files on the host, as well as run remote commands. Upon installing the shady taxation software, the GoldenSpy malware will also be planted on the host. It takes no longer than two hours for the dodgy application to inject the payload of the GoldenSpy malware on the host. Next, the GoldenSpy Trojan will make sure to gain persistence on the host by spawning two copies of its payload and setting up two services, which are programmed to run whenever the infiltrated system is rebooted. This nasty threat also will gain administrator permissions, which will allow it to have almost full control over the breached system. If the user removes one of the copies of the threat, the other one will inject a new payload immediately. Unfortunately, uninstalling the dubious taxation software will not help you rid yourself of the GoldenSpy Trojan.
What makes the GoldenSpy malware so threatening is that the targets may not realize that there is something shady taking place on their systems since the threat was delivered by what appeared to be a legitimate application recommended by a trustworthy partner. Both the infection vector and the Trojan itself are very complex and point to an experienced and highly-skilled group of cybercriminals. We will likely hear about more businesses and organizations targeted by the GoldenSpy threat in the future.