However, both the malware function in a similar way. The backdoor malware gains entry into the international company’s network operating in China to steal information. The GoldenHelper campaign distribution was active between January 2018 to July 2019 (the operations ceased to exist after January 2020). It should be noted that the GoldenSpy campaign also became active in April 2020.
The malware uses intelligent techniques to cover its usage activity when it’s in function. Popular methods include using arbitrary files pattern, systems locations, and names while in transition. “The Golden Tax Project is a national program in China, impacting every business operating in China. We are currently aware of only two organizations authorized to produce Golden Tax software, Aisino, and Baiwang. This is now the second Golden Tax software package that Trustwave SpiderLabs has found to contain a hidden backdoor capable of remotely executing arbitrary code with SYSTEM level privileges,” says Trustwave in its report.
About GoldenHelper’s Activity
- It doesn’t ask user permission to gain access (UAC Bypass)
- Obfuscation- Randomization of file names
- Timestomping- Randomization while generating timestamps of “creation” and “last write.”
- Arbitrarily downloads executable using fake file names.
“During our investigation, we have been informed that the Golden Tax software may be deployed in your environment as a stand-alone system provided by the bank. Several individuals report receiving an actual Windows 7 computer (Home edition) with this Golden Tax software (and GoldenHelper) preinstalled and ready to use. This deployment mechanism is an interesting physical manifestation of a trojan horse,” says Trustwave in a report published on its website.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.