US cyber security firm Trustwave has come across a new form of malware potentially targeting foreign companies operating in China. The malware, dubbed GoldenSpy, has been distributed via tax payment software that some businesses operating in China are required to install.
In its new report Trustwave said the discovery was made while conducting a threat analysis on behalf of one of its customers, an unnamed company, “a global technology vendor with significant government business in the US, Australia, UK, and recently opened offices in China.”
The researchers found that the company became infected after installing software developed by the Golden Tax Department of Aisino Corporation, which a local Chinese bank required for paying local taxes.
Although the tax software worked as advertised, the researchers discovered that it was sending system information to a suspicious Chinese domain and had installed a hidden backdoor on the system, which allowed threat actors to execute Windows commands or upload and run files.
“Basically, it was a wide-open door into the network with SYSTEM level privileges and connected to a command and control server completely separate from the tax software’s network infrastructure,” according to the Trustwave researchers.
The GoldenSpy malware was digitally signed by a company called Chenkuo Network Technology and appeared to operate completely independently of the tax software, which allowed it to keep running on the system even if the tax software was uninstalled, the security firm said.
On compromised systems, the GoldenSpy malware is downloaded and executed two hours after the tax software installation process completes. GoldenSpy has been observed to install two identical versions of itself, both as persistent autostart services. If either stops running, the other respawns it. The malware also uses an exeprotector module that monitors for the deletion of either copy and, if one is deleted, downloads and executes a new version.
GoldenSpy attempts to connect to ningzhidata[.]com, a domain known to host other versions of the GoldenSpy malware. After the first three attempts to contact its command and control server, it randomizes beacon times to avoid detection by security solutions designed to spot beaconing malware.
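As an added example, not part of the Trustwave report or this article, the following Python sketch shows on constructed log lines why the randomised beacon interval described above defeats a simple periodicity check, and why a timing-agnostic count of connections to a rare external destination still flags it. The host name, timestamps, thresholds and the second domain are invented.

```python
# Added example, not from the Trustwave report: why randomised beacon timing
# defeats a periodicity check, and what still catches it. Log lines constructed.
import re
import statistics
from datetime import datetime

SAMPLE_LOG = """\
2020-04-08 10:00:00 ws-17 -> ningzhidata[.]com
2020-04-08 10:03:11 ws-17 -> update.example-vendor.test
2020-04-08 10:05:00 ws-17 -> ningzhidata[.]com
2020-04-08 10:10:00 ws-17 -> ningzhidata[.]com
2020-04-08 10:22:17 ws-17 -> ningzhidata[.]com
2020-04-08 10:26:03 ws-17 -> ningzhidata[.]com
2020-04-08 10:33:11 ws-17 -> update.example-vendor.test
2020-04-08 10:41:49 ws-17 -> ningzhidata[.]com
2020-04-08 10:47:30 ws-17 -> ningzhidata[.]com""".splitlines()
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+)$")  # "<ts> <src> -> <dst>"

def parse_log(lines):
    """Group connection timestamps by destination, sorted in time order."""
    by_dst = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip malformed lines instead of failing the whole run
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            by_dst.setdefault(m.group(3), []).append(ts)
    return {d: sorted(t) for d, t in by_dst.items()}

def intervals(times):
    """Gaps between consecutive connections, in whole seconds."""
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def looks_periodic(gaps, max_cv=0.1):
    """Regular beacon = low coefficient of variation; needs at least 2 gaps."""
    return len(gaps) >= 2 and statistics.pstdev(gaps) / statistics.mean(gaps) <= max_cv

def max_hits_in_window(times, window_s=3600):
    """Most connections to one destination inside any sliding window."""
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best

def assess(lines, first_n=3, min_hits=5):
    """Periodicity of the first beacons vs the whole run, plus a volume check."""
    report = {}
    for dst, times in parse_log(lines).items():
        gaps, hits = intervals(times), max_hits_in_window(times)
        report[dst] = {"periodic_early": looks_periodic(gaps[:first_n - 1]),
                       "periodic_full": looks_periodic(gaps),
                       "max_hits_in_window": hits, "flag": hits >= min_hits}
    return report
```

On the constructed data the first three beacons pass the periodicity test and the full run does not, while the hourly connection count still singles out the C2 domain and leaves the low-volume updater alone.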
“GoldenSpy operates with SYSTEM level privileges, making it highly dangerous and capable of executing any software on the system. This includes additional malware or Windows administrative tools to conduct reconnaissance, create new users, escalate privileges, etc,” the researchers explained.
Trustwave said that the observed campaign has been active since April this year, although the researchers uncovered GoldenSpy variants dating back to December 2016. However, they did not find evidence of the GoldenSpy malware being active in the wild since 2016.
“Trustwave SpiderLabs has no current knowledge if GoldenSpy was active in the wild since 2016; our first identification of usage was April 2020. To be clear, we do not yet know the scope, purpose, or actors behind the threat. We do not know whether Chenkuo Technology or Aisino are active and/or willing participants or the extent of their involvement other than what is presented in the report,” the researchers said.