A total of five uninstallers designed to remove the GoldenSpy backdoor from infected computers have been identified by security researchers at Trustwave.
The GoldenSpy malware was initially identified in late June, and was possibly deployed since April 2020, through an official tax application required to be installed by foreign companies doing business in China. The financial software worked as expected but a hidden backdoor was also installed.
Another malware family, called GoldenHelper and likewise silently installed through official Chinese tax software, was later found to have preceded the GoldenSpy backdoor. The FBI released a warning in late June to notify United States healthcare, pharmaceutical, and finance organizations of the threat.
Shortly after the initial GoldenSpy report was published in late June, the actors behind it leveraged the updating mechanism within the tax software to deliver an uninstaller to the infected machines and completely remove the malware and additional artifacts, including the uninstaller itself.
Trustwave today revealed that a total of five uninstallers of GoldenSpy have been released to date, some of which have been uploaded to public repositories, thereby increasing their detection rates.
“Understanding the attackers were watching our every move to help GoldenSpy-impacted organizations, we waited for a period of time and with our threat hunting strategy we kept quietly following. What we found is that they continue to push new GoldenSpy uninstallers – so far we’ve discovered five variants that total 24 uninstaller files,” says Trustwave.
All the uninstaller variants identified show identical behavior although some use different execution flows and string obfuscation. The uninstallers also differ in size, helping them to avoid detection.
Analysis of the uninstallers allowed the security researchers to discover that, starting with the third variant, subsequent samples send a unique ID to the domain ningzhidata[.]com, allowing the adversary to track the activity of the code.
The investigation also revealed that the code uses the IP address 39[.]98[.]110[.]234 for a third-stage beacon, and the security researchers connected the address to Ningbo Digital Technology Co., Ltd, a company which claims to provide technical support to professional companies and technology service providers.
The company offers two download files on its website, which Trustwave described as a GoldenSpy dropper (called an iclient) and the GoldenSpy uninstaller (called QdfTools). Ningbo Digital Technology says it offers the uninstaller as “Software for the detection and cleaning of the enterprise service environment.”
“Based on these results, we may claim that Ningbo Digital Technology Co., Ltd is involved in the creation of the CDN server ‘GoldenSpy Uninstaller’ and ningzhidata[.]com,” concludes Trustwave.