New GoldenHelper malware found in official Chinese tax software

A new backdoor dubbed GoldenHelper was discovered by Trustwave embedded within Golden Tax Invoicing Software, part of the Chinese government's Golden Tax Project and required for issuing invoices and paying value-added tax (VAT).

Last month, researchers at Trustwave SpiderLabs also found the GoldenSpy backdoor hidden within the Intelligent Tax software which companies were required to install to work with Chinese banks.

The newly spotted GoldenHelper backdoor (named after its main command and control domain tax-helper.ltd) is completely different from GoldenSpy, but it uses a very similar delivery method and it's also used to gain access to the networks of international companies doing business in China.

The campaign distributing the GoldenHelper malware was active between January 2018 and July 2019 (command and control domains expired in January 2020), right before the GoldenSpy campaign was launched in April 2020.

GoldenHelper campaign timeline (Trustwave)

At this time, there are only two official providers of VAT tax invoicing software in China, Aisino and Baiwang, and GoldenHelper malicious code was found in the Baiwang edition of the Golden Tax Invoicing Software.

"Although called 'Baiwang Edition', GoldenHelper was digitally signed by NouNou Technologies, a subsidiary of Aisino Corporation, the same company responsible for the Intelligent Tax Software with embedded GoldenSpy malware," Trustwave said today.

GoldenHelper backdoor capabilities

"GoldenHelper malware utilizes sophisticated techniques to hide its delivery, presence, and activity," Trustwave explained.

"Some of the interesting techniques GoldenHelper uses include randomization of name whilst in transit, randomization of file system location, timestomping, IP-based DGA (Domain Generation Algorithm), UAC bypass and privilege escalation."

While examining GoldenHelper, Trustwave discovered that it has multiple questionable features, including that it:

• Does not require a user's permission to install and escalates to SYSTEM-level privilege (UAC bypass)
• Uses randomly generated filenames (Obfuscation)
• Uses randomly generated "Creation" and "Last write" timestamps (Timestomping)
• Attempts to download an executable using fake filenames ending in .gif, .jpg, or .zip (Obfuscation)
• Contains hardcoded logic that controls the download location, what to download, and where to place it based on the results of DNS resolution (DNS Control)
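The fake-extension trick above is easy to catch on the defender's side by checking a downloaded file's bytes against what its name claims. The following is an added example (not Trustwave's code or anything from the tax software) that flags a file named .gif, .jpg or .zip whose content is actually a Windows PE executable; the sample buffers are constructed for illustration.

```python
import struct

# Magic bytes a file with the claimed extension should start with.
EXPECTED_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
}

def is_pe(data: bytes) -> bool:
    """True if data carries a PE header: 'MZ' stub plus 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def extension_of(name: str) -> str:
    name = name.lower()
    idx = name.rfind(".")
    return name[idx:] if idx != -1 else ""

def is_masquerading_executable(name: str, data: bytes) -> bool:
    """Flag a download whose name claims an image or archive but whose bytes are a PE."""
    ext = extension_of(name)
    if ext not in EXPECTED_MAGIC:
        return False  # extension not one the check covers
    if any(data.startswith(magic) for magic in EXPECTED_MAGIC[ext]):
        return False  # content matches the claimed type
    return is_pe(data)

def fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed sample: a minimal, non-runnable buffer laid out like a PE header."""
    buf = bytearray(e_lfanew + 4)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(buf)

# Constructed downloads: two PE bodies hiding behind image/archive names, one real JPEG.
SAMPLES = {
    "update.gif": fake_pe(),
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
    "bundle.zip": fake_pe(0x100),
    "notes.txt": fake_pe(),  # not an image/archive name, so outside this check's scope
}

def scan(samples=SAMPLES):
    return sorted(n for n, d in samples.items() if is_masquerading_executable(n, d))

if __name__ == "__main__":
    for name in scan():
        print(f"ALERT: {name} claims an image/archive extension but is a PE executable")
```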

They also found that, in some cases, the Golden Tax software may also be delivered to companies as a stand-alone system provided by their bank, with reports mentioning a ready-to-use Windows 7 (Home edition) computer with the Golden Tax software preinstalled, including the GoldenHelper backdoor.

GoldenHelper installation (Trustwave)

GoldenHelper's final payload is a taxver.exe binary that gets downloaded and executed with SYSTEM level privilege from multiple locations on the infected systems.

However, the researchers weren't able to find a sample of this payload and analyze its behavior, so its purpose is not yet known.

While the GoldenHelper campaign is no longer active, the security threat posed by this final payload remains, since it can't be established whether it's still operational.

The Aisino connection

Trustwave found multiple connections between the GoldenSpy and the GoldenHelper backdoors while analyzing the two malware campaigns, with Aisino Corporation playing a central role.

Among the relations between the GoldenSpy and the GoldenHelper campaigns, Trustwave highlights the following:

• A subsidiary of Aisino corporation creates Golden Tax-related software.
• The tax software utilizes dedicated infrastructure and components (installer, uninstaller, updater, and main tax software). Components are installed and uninstalled on user demand and approval and properly conduct legitimate tax operations.
• Hidden malware is installed alongside the legitimate tax software.
• Hidden malware utilizes network command and control infrastructure separate from that used by the tax software.
• Hidden malware has the ability to remotely download and execute arbitrary code at SYSTEM level privilege.
• Hidden malware uses obfuscation techniques to hide deployment and communication methodologies.

The diagram embedded below reveals the corporate relationships behind the two malware campaigns, with green being legitimate tax software use, orange highlighting Aisino Corporation and subsidiaries, red the shadow backdoor network infrastructure, and blue the Chinese Golden Tax Project background.

GoldenHelper and GoldenSpy campaign connections

"Trustwave SpiderLabs understands that the VAT tax invoice software is a government requirement and recommends that any system hosting third-party applications with potential for adding a gateway into your environment, be isolated and heavily monitored with strict processes and procedures in their usage," Trustwave said.

"However, there is still a gap in this story. We have not yet identified a sample of the final GoldenHelper payload, taxver.exe. We do not know its purpose, capabilities, or IOCs."

Detailed malware analysis, indicators of compromise (IOCs), and additional details can be found within Trustwave's GoldenHelper technical report.
