GoldenSpy

GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software. GoldenSpy was discovered targeting organizations in China, being delivered with the "Intelligent Tax" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.[1]

ID: S0493
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 23 July 2020
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

GoldenSpy's setup file installs initial executables under the folder %WinDir%\System32\PluginManager.[1]

Enterprise T1195.002 Supply Chain Compromise: Compromise Software Supply Chain

GoldenSpy has been packaged with a legitimate tax preparation software.[1]

Enterprise T1543.003 Create or Modify System Process: Windows Service

GoldenSpy has established persistence by running in the background as an autostart service.[1]

Enterprise T1136.001 Create Account: Local Account

GoldenSpy can create new users on an infected system.[1]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

GoldenSpy can execute remote commands via the command-line interface.[1]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

GoldenSpy has used the Ryeol HTTP Client to facilitate HTTP internet communication.[1]

Enterprise T1083 File and Directory Discovery

GoldenSpy has included a program, "ExeProtector", which monitors for the existence of GoldenSpy on the infected system and redownloads it if necessary.[1]

Enterprise T1106 Native API

GoldenSpy can execute remote commands in the Windows command shell using the WinExec() API.[1]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

GoldenSpy's uninstaller has base64-encoded its variables.[2]

Enterprise T1070.004 Indicator Removal: File Deletion

GoldenSpy's uninstaller can delete registry entries, files and folders, and finally itself once these tasks have been completed.[2]

Enterprise T1082 System Information Discovery

GoldenSpy has gathered operating system information.[1]

Enterprise T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion

GoldenSpy's installer has delayed installation of GoldenSpy for two hours after it reaches a victim system.[1]

Enterprise T1105 Ingress Tool Transfer

GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system.[1]

Enterprise T1041 Exfiltration Over C2 Channel

GoldenSpy has exfiltrated host environment information to an external C2 domain via port 9006.[1]

Enterprise T1571 Non-Standard Port

GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.[1]
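
A triage sketch that turns the install folder and port usage listed above into checks over endpoint events. It is an added example, not part of the ATT&CK entry or any vendor tooling. The event schema, the file names and the sample events are constructed, and treating a service binary under the install folder as the T1543.003 signal is an assumption.

```python
import ntpath

# Indicators stated in the entry above: install folder and ports with their roles.
INSTALL_DIR = r"%WinDir%\System32\PluginManager"
PORTS = {9002: "C2 requests", 9005: "HTTP traffic", 9006: "HTTP traffic / exfiltration",
         33666: "WebSocket", 8090: "file download"}

def norm(path, windir=r"C:\Windows"):
    """Expand %WinDir% and normalise case, separators and '..' for comparison."""
    lowered = ntpath.normcase(path)            # lower-case, '/' -> '\'
    lowered = lowered.replace("%windir%", ntpath.normcase(windir))
    return ntpath.normpath(lowered)

def under_install_dir(path):
    """True only for the folder itself or its children, not look-alike siblings."""
    base, p = norm(INSTALL_DIR), norm(path or "")
    return p == base or p.startswith(base + "\\")

def triage(events):
    """Return (event index, ATT&CK ID, reason) for events matching the entry."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind in ("file_create", "service_install") and under_install_dir(ev.get("path")):
            tid = "T1543.003" if kind == "service_install" else "T1036.005"
            hits.append((i, tid, f"{kind} under {INSTALL_DIR}"))
        elif kind == "net_connect" and ev.get("dport") in PORTS:
            src = "PluginManager binary" if under_install_dir(ev.get("image")) else "other process"
            hits.append((i, "T1571", f"{src} -> port {ev['dport']} ({PORTS[ev['dport']]})"))
    return hits

# Constructed sample events (hypothetical schema and file names, not real telemetry).
SAMPLE = [
    {"type": "file_create", "path": r"C:\WINDOWS\system32\PluginManager\sample_a.exe"},
    {"type": "file_create", "path": r"C:\Windows\System32\PluginManagerX\sample_b.exe"},
    {"type": "service_install", "path": r"%WinDir%\System32\PluginManager\sample_a.exe"},
    {"type": "net_connect", "image": r"C:/Windows/System32/PluginManager/sample_a.exe", "dport": 9006},
    {"type": "net_connect", "image": r"C:\Program Files\Browser\browser.exe", "dport": 443},
    {"type": "net_connect", "image": r"C:\Tools\proxy.exe", "dport": 8090},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

A port-only match from an unrelated process (the last sample event) is a weak signal, since ports such as 8090 are common in legitimate software; the combination of the install folder and a listed port is the stronger one.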

References