Trustwave Holdings has published a report implicating a Chinese bank in an apparent malware operation targeting several corporate Western users of Microsoft Windows.
Trustwave, an infosec subsidiary of Singapore’s Singtel, reported that it found the suspected malware installed at “at least” two Western entities: a UK technology company, and what it describes as a “major financial institution”, also headquartered in the West.
The suspect software, which Trustwave’s researchers have dubbed GoldenSpy and which they say contains a backdoor alongside its legitimate tax-filing function, appears to have found its way onto these companies’ systems when they recently opened their Chinese offices. The Chinese bank they were working with, which for now also remains unnamed, then, unsurprisingly, required them to install a local tax package so they could comply with the financial law of the land.
Trustwave’s name for the package, which the company says contains a backdoor, is derived from the software company, Aisino, and the tax product developed by its Golden Tax Department.
Aisino is a Chinese corporation that produces electronic and telecommunication equipment on the hardware side of its business – but also tax and anti-fraud software systems.
A software backdoor, meanwhile, is installed to stealthily, and most often illegally, provide remote access to a device by bypassing the encryption and authentication the device performs.
However, allowing remote access does not in itself mean that a software package is malicious, reports note. Trustwave says this was not the only clue that led it to conclude the Chinese bank was imposing malware on its Western clients operating in the domestic market.
And while Trustwave still does not know where the software originated, whether with Aisino, the bank, the Chinese government (and the intelligence community behind it), or unrelated hackers, the report explains in some detail what it says differentiates “GoldenSpy” from other software that requests remote access for legitimate purposes, such as debugging.
“GoldenSpy installs two identical versions of itself, both as persistent autostart services. If either stops running, it will respawn its counterpart. Furthermore, it utilizes an EXEprotector module that monitors for the deletion of either iteration of itself. If deleted, it will download and execute a new version. Effectively, this triple-layer protection makes it exceedingly difficult to remove this file from an infected system,” said Trustwave.
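The behaviour Trustwave describes, two persistent autostart services backed by the same executable that keep each other alive, is something a defender can hunt for in a service inventory. The following is an added illustration, not code from Trustwave or the original report; the service records, field names and hash values are constructed sample data standing in for what a Windows service enumeration would yield.

```python
"""Hunt for mutually-respawning twin autostart services, as described above."""
from collections import defaultdict
from typing import Dict, List

# Constructed sample inventory (assumed field names, not a real export format).
# SvcA and SvcB are two autostart services whose binaries hash identically,
# the pattern the report attributes to GoldenSpy; UpdaterX shares the hash
# but is manual-start, so it does not fit the persistent-twin pattern.
SAMPLE_SERVICES: List[Dict[str, str]] = [
    {"name": "Spooler", "start": "auto",
     "image": r"C:\Windows\System32\spoolsv.exe", "sha256": "aaaa0001"},
    {"name": "SvcA", "start": "auto",
     "image": r"C:\ProgramData\a\svc.exe", "sha256": "d34db33f"},
    {"name": "SvcB", "start": "auto",
     "image": r"C:\ProgramData\b\svc.exe", "sha256": "d34db33f"},
    {"name": "UpdaterX", "start": "manual",
     "image": r"C:\Tools\upd.exe", "sha256": "d34db33f"},
]


def find_twin_autostart_services(services: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {sha256: [service names]} for every executable hash that backs
    two or more autostart services.

    Legitimate Windows services are not normally installed as identical
    twins under different names, so a shared hash across autostart entries
    is a cheap first-pass indicator worth reviewing. Manual-start entries
    are ignored because the described respawn behaviour relies on autostart.
    """
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for svc in services:
        if svc["start"].lower() == "auto":
            by_hash[svc["sha256"]].append(svc["name"])
    return {h: sorted(names) for h, names in by_hash.items() if len(names) >= 2}


if __name__ == "__main__":
    for digest, names in find_twin_autostart_services(SAMPLE_SERVICES).items():
        print(f"twin autostart services sharing hash {digest}: {', '.join(names)}")
```

A hit is a lead, not a verdict: confirm by comparing the binaries and checking whether stopping one service causes the other to restart it, which is the behaviour the report describes.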
Best not to install Aisino’s tax program if you are a Western entity working in China seems to be the overall message here.