On June 25, 2020 Trustwave SpiderLabs published research showing that the Intelligent Tax software, published by Aisino Corporation and required by a Chinese bank, actually contained a hidden backdoor that surrendered complete command and control of the victim’s network. This story received international news coverage and was widely discussed in security circles. To review the original blog post click here.
On June 28, 2020, our Threat Fusion team identified a new file being downloaded by the Aisino Intelligent Tax product. But this time it had nothing to do with remote command and control of the victim. Rather, this new sample’s sole mission is to delete GoldenSpy and remove any trace it existed. Including the deletion of registry entries, all files and folders (including the GoldenSpy log file), and finally, the uninstaller deletes itself with the following command: cmd.exe /c del /q C:\Users\admin\AppData\Local\Temp\AWX.exe. Note the “/c” which will terminate the Windows Command-line interface after the operation is completed and “/d” which will delete without asking permission or giving any notification.
Gone without a trace, or even knowing it was there.
In our testing, this GoldenSpy uninstaller will automatically download and execute, and effectively, will negate the direct threat of GoldenSpy in your environment, however, as the deployment of this uninstaller is delivered directly from the supposedly legitimate tax software, this has to leave users of Intelligent Tax concerned about what else could be downloaded and executed in a similar manner.
While the SpiderLabs team is gratified to see GoldenSpy research and analysis result in such a rapid course reversal in the Golden Tax threat campaign, we are not so optimistic as to believe that this new development signifies a slow-down in threat actor activity. This threat is a clear and present danger, driven by incredibly smart and innovative adversaries. We will allow for the briefest of pats on the back and then return to hunting for the next threat.
Organizations must continuously be vigilant, always threat hunting, because our adversaries will continue to find new ways to trick, manipulate, and socially engineer their way into environments. The value of the GoldenSpy case-study is not the IOCs we provided, it’s the lesson that malware can be cleverly hidden in any software, regardless of its source or supposed legitimacy.
Full Analysis of the GoldenSpy Uninstaller below:
Trustwave SpiderLabs investigated the main tax software executable again for the execution flow because we observed the software execution is derived from the command given to upgrade or install new software on the infected machines.
Once installed, the main tax module will send a POST request for any software upgrades that are needed. Initially, it would download the SVMinstaller module to implant the GoldenSpy malware, but as of June 28, we have identified a new flow that downloads and executes a customized GoldenSpy uninstaller called “AWX.exe”. Currently, Aisino Intelligent Tax Software is deploying the GoldenSpy Uninstaller, instead of GoldenSpy itself. This does raise the question as to what it might deploy next.
The GoldenSpy Uninstaller, called "AWX.exe" is silently pushed to infected machines from 223.112.21.2:8090 and it cleans up all the traces of GoldenSpy’s existence. The following flow begins the process:
MD5: 735AC19B261DC66D5850BEA21F3D54FE
SHA256: 7F5ED71F18937ECC6DB9520CA9A9D16E3C113609C7A9A99A29BA74687F1349D2
SHA1: 4755B68996B53AD3F734127FE46723B60681856E
PDB path : D:\日常工作\客户端软件\VCProject\dgs\Release\del.pdb
Translated : D:\day-to-day work\Client software\VCProject\dgs\Release\del.pdb
Created TImeStamp : 28 June 2020 04:15PM GMT
Upon installation, AWX.exe takes the following actions:
The contents of the log entries are shown below:
*Note, this deletion operation also deletes the log file it just generated.
cmd.exe /c del /q C:\Users\admin\AppData\Local\Temp\AWX.exe
Second Sample Identified – BWXT.EXE
In the early morning hours of June 29, a second version of this GoldenSpy Uninstaller was identified to be downloaded by the Intelligent Tax software, only a few hours after the original was identified. The new sample was compiled on 29 June 2020 at 10:38PM GMT. Behaviorally, it was identical to AWX.EXE, however, this version obfuscated its variables with Base64 encoding. SpiderLabs cannot verify the reason for this change, but we hypothesize that it may have been to evade antivirus, as several AV engines began to alert on AWX.EXE.
Strings within the AWX.EXE include:
Project path:
D:\日常工作\客户端软件\VCProject\dgs\Release\BWXT.pdb
Translated Project Path:
D:\day-to-day work\Client software\VCProject\dgs\Release\BWXT.pdb
During our analysis, we found that the GoldenSpy threat actors followed our removal recommendations step by step with their uninstaller. The table below shows our recommendations, compared to their installer.
|
Trustwave Recommendations |
GoldenSpy Uninstaller |
|
Freeze both svm.exe and svmm.exe processes |
Stops the “GoldenSpy” services |
|
Kill SVM processes |
Looks “svm.exe” and “svmm.exe” and kills both processes |
|
Go to SVM directory and permanently delete related files |
Uninstall the service and delete the files and folder |
|
Remove all registry artifacts related to SVM service |
Remove all registry artifacts related to SVM service |
|
N/A |
Self-delete "AWX.exe" |
AWX.exe
|
MD5 |
735AC19B261DC66D5850BEA21F3D54FE |
|
SHA256 |
7F5ED71F18937ECC6DB9520CA9A9D16E3C113609C7A9A99A29BA74687F1349D2 |
|
SHA1 |
4755B68996B53AD3F734127FE46723B60681856E |
|
Network |
http://223.112.21[.2:8090]/download/AWX.exe |
BWXT.exe
|
MD5 |
F2A7363CF43B5900BB872B0D4C627A48 |
|
SHA256 |
7D48F65FF9E904AC98E0F41B94F04723CE907FC221EFFFBBF83545CA167FE921 |
|
SHA1 |
3DFF337E2B3E1D3DC995A4B6965AE09C1BF5B137 |
|
Network |
http://223.112.21[.2:8090]/download/BWXT.exe |
rule Goldenspy_Uninstaller
{
meta:
author = "SpiderLabs"
malware_family = "GoldenSpy"
filetype = "exe_dll"
strings:
$str1 = "taskkill /IM svm.exe /IM svmm.exe /F" ascii //Kill the running process
$str2 = "\\svm.exe -stopProtect" ascii //Stop the service
$str3 = "\\svmm.exe -u" ascii //Uninstall the malware
$str4 = "\\VCProject\\dgs\\Release\\" ascii //Project path
$str5 = "dGFza2tpbGwgL0lNIHN2bS5leGUgL0lNIHN2bW0uZXhlIC9GIA" ascii
$str6 = "c3ZtLmV4ZSAtc3RvcFByb3RlY3Q" ascii
$str7 = "XHN2bW0uZXhlIC11" ascii
$str8 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\svm" ascii
$str9 = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXHN2bQ" ascii
condition:
(uint16(0) == 0x5A4D) and 4 of ($str*)
}
Special Thanks to SpiderLabs Threat Hunter Reegun Richard Jayapaul for his analysis of this new GoldenSpy threat actor activity.