Chinese Bank Required Two Western Companies to Use Tax Software With a Hidden Backdoor

A Chinese bank required at least two western companies to install malware-laced tax software, according to a new report from the cyber-security firm Trustwave.

“The two companies are a UK-based technology/software vendor and a major financial institution, both of which had recently opened offices in China,” reports ZDNet: “Discussions with our client revealed that [the malware] was part of their bank’s required tax software,” Trustwave said Thursday… Trustwave, who was providing cyber-security services for the UK software vendor, said it identified the malware after observing suspicious network requests originating from its customer’s network… Trustwave said the software worked as advertised, allowing its customer to pay local taxes, but that it also installed a hidden backdoor. The security firm says this backdoor, which Trustwave codenamed GoldenSpy and said it ran with SYSTEM-level access, allowed a remote attacker to connect to the infected system and run Windows commands, or upload and install other software…

GoldenSpy installs two identical versions of itself, both as persistent autostart services. If either stops running, it will respawn its counterpart… The Intelligent Tax software’s uninstall feature will not uninstall GoldenSpy. It leaves GoldenSpy running as an open backdoor into the environment, even after the tax software is fully removed. GoldenSpy is not downloaded and installed until a full two hours after the tax software installation process is completed. When it finally downloads and installs, it does so silently, with no notification on the system.
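A defender reading the description above would want a quick way to spot the same pattern on a Windows host: two auto-start services backed by byte-identical executables, running as SYSTEM, that appeared after a vendor package was installed. The script below is an added example and is not from the Trustwave report or the ZDNet article; the page gives no service names, file paths or hashes for GoldenSpy, so it looks for the behaviour (duplicated auto-start binaries, optionally compared against an earlier baseline file whose name is an assumption) rather than for any specific indicator.

```powershell
# Added example, not from the Trustwave/ZDNet page. Flags auto-start services
# whose executables are identical copies of each other (the paired-service
# persistence described above) and, if a baseline snapshot exists, lists
# services that were not present when the baseline was taken.
# Assumption: the baseline file name below is arbitrary and chosen here.
$BaselineFile = "$env:ProgramData\service-baseline.xml"

# Enumerate services that start automatically and have a binary path.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName }

$entries = foreach ($svc in $services) {
    # PathName may be quoted and may carry arguments; recover just the executable.
    $path = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
            else { ($svc.PathName -split '\s+')[0] }
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        [pscustomobject]@{
            Name    = $svc.Name
            Path    = $path
            SHA256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Account = $svc.StartName      # 'LocalSystem' means SYSTEM-level access
            State   = $svc.State
            Signer  = (Get-AuthenticodeSignature -FilePath $path).Status
        }
    }
}

# 1. Two or more auto-start services backed by the same binary is unusual.
#    A SYSTEM-level pair whose binary is unsigned deserves a closer look.
$entries | Group-Object SHA256 | Where-Object Count -ge 2 | ForEach-Object {
    Write-Output "Identical binary backs $($_.Count) auto-start services:"
    $_.Group | ForEach-Object {
        Write-Output ("  {0,-28} {1,-14} {2,-12} {3}" -f $_.Name, $_.Account, $_.Signer, $_.Path)
    }
}

# 2. Services that appeared since the baseline. The page notes the backdoor is
#    fetched about two hours after the tax software finishes installing, so a
#    snapshot taken right after a vendor install will not show it; rerun later.
if (Test-Path -LiteralPath $BaselineFile) {
    $baseline = Import-Clixml -LiteralPath $BaselineFile
    $new = Compare-Object -ReferenceObject $baseline -DifferenceObject $entries -Property Name |
        Where-Object SideIndicator -eq '=>'
    foreach ($n in $new) {
        $e = $entries | Where-Object Name -eq $n.Name
        Write-Output ("New auto-start service since baseline: {0} ({1}, {2}) {3}" -f `
            $e.Name, $e.Account, $e.Signer, $e.Path)
    }
} else {
    # No baseline yet: record the current state for the next run.
    $entries | Export-Clixml -LiteralPath $BaselineFile
    Write-Output "Baseline written to $BaselineFile"
}
```

Run it once on a clean host to write the baseline, then again after installing any vendor-mandated package and again a few hours later. A duplicated binary finding should be confirmed with the uninstall test the report describes: remove the vendor software and check whether the flagged services are still registered and running.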