A mysterious uninstaller has been discovered in malware-laden tax software required for download by firms doing business in China, according to Trustwave.
The security vendor explained last week how it discovered a backdoor it named GoldenSpy inside Intelligent Tax software, produced by the Golden Tax Department of Aisino Corporation. A Chinese bank requires its business clients to download the software.
The security vendor claimed at the time that the powerful backdoor, which allowed for complete remote control of a victim’s network, could not be removed, even if Intelligent Tax was uninstalled.
However, after attracting widespread publicity, the backdoor has now been joined by a new file, discovered by Trustwave’s Threat Fusion team.
“This new sample’s sole mission is to delete GoldenSpy and remove any trace it existed. Including the deletion of registry entries, all files and folders (including the GoldenSpy log file), and finally, the uninstaller deletes itself,” explained the firm’s VP of cyber-threat detection and response, Brian Hussey.
“This GoldenSpy uninstaller will automatically download and execute, and effectively, will negate the direct threat of GoldenSpy in your environment. However, as the deployment of this uninstaller is delivered directly from the supposedly legitimate tax software, this has to leave users of Intelligent Tax concerned about what else could be downloaded and executed in a similar manner.”
It’s still unclear who seeded the original malware in the tax software. It could either have been done without the knowledge of the bank, or is part of a much wider conspiracy designed to monitor foreign firms doing business in the Middle Kingdom.
The swift appearance of an uninstaller would seem to favor the latter theory, as it’s unlikely that cyber-criminals would care if they were found out.
“Organizations must continuously be vigilant, always threat hunting, because our adversaries will continue to find new ways to trick, manipulate and socially engineer their way into environments,” Hussey argued.
“The value of the GoldenSpy case study is not the IOCs we provided, it’s the lesson that malware can be cleverly hidden in any software, regardless of its source or supposed legitimacy.”