Researchers Discovered Malware Delivered Through Tax Software


Security researchers from Trustwave have discovered another family of malware delivered via tax software that Chinese banks require companies doing business in the country to use.

The discovery comes just weeks after the security firm published information about GoldenSpy, a backdoor delivered through the Intelligent Tax application from Aisino Corporation’s Golden Tax Department. Within days of the initial report’s release, an uninstaller was sent to compromised computers to delete GoldenSpy entirely.

Dubbed GoldenHelper, the newly identified piece of malware is delivered through the Baiwang Edition Golden Tax Invoicing Software, which Chinese banks require their customers to install to pay taxes.

The Golden Tax software, which is linked to Aisino, can install without user consent, escalate privileges to SYSTEM, and download and install payloads on the system. Trustwave discovered that the application is often deployed as “the bank’s stand-alone machine,” and in some instances companies have been provided with a Windows 7 machine with the Golden Tax software on it.

GoldenHelper uses SKPC.DLL to communicate with Golden Tax, WMISSSRV.DLL to elevate privileges, and a randomly named .DAT file to compile and execute arbitrary code with SYSTEM privileges. The main aim of the malware is to download and run taxver.exe, but Trustwave has not yet been able to locate a sample of the payload (though the malware could still be active on compromised systems).

Although they have been unable to confirm that taxver.exe is actually malicious, security researchers point out that legitimate software does not circumvent Windows privileges to elevate rights, does not randomize its position or mask its name, does not attempt to modify DNS records, and is not deficient in version negotiation protocols.

The GoldenHelper campaign originally ran between 2018 and mid-2019, but at the moment it appears to be inactive. Detection rates of samples used in the campaign increased by mid-2019, likely forcing the operators to close shop, and the dropper’s command and control (C&C) domains expired in early 2020.

Trustwave claims that GoldenHelper was potentially GoldenSpy’s precursor but is a separate piece of malware. The latter, despite media attention, appears to have started operating in April 2020 and to have shut down in late June.

“The deployment process for GoldenHelper might not be operational anymore, but we cannot tell whether or not the overall danger faced by taxver.exe is still in service. The GoldenHelper initiative was followed immediately by GoldenSpy and […] we have little doubt that this challenge will continue to develop into a new approach that targets companies with operations in China,” states Trustwave.

GoldenHelper and the tax software that drops it were developed by NouNou Technology, a subsidiary of Aisino; both companies are owned by the state-owned CASIC (China Aerospace Science & Industry Corporation Limited).

Jennifer Thomas