News and Threat Analysis

CHINESE GOLDEN SPY MALWARE IN THE NAME OF GOLDEN TAX DEPARTMENT

In this era of increasing attacks, new malware families keep taking new forms to exploit large firms. The coronavirus pandemic has caused damage to many organisations. The controversy about China and its cyber attacks, when an Australian firm was targeted, still frightens everyone. Even while being attacked physically and socially, Chinese cyber criminals have not stopped extending their reign of cyber terror. While researching these attacks, researchers from Trustwave SpiderLabs discovered a new malware family, operating in China and named GoldenSpy, which attacks corporations under the guise of tax payment software, making them install a program that contains a backdoor allowing attackers full access to the victim's system.

We all know that China is the world's largest manufacturer of electronic products. Whenever a competitor tries to establish a presence in the market, China breaks the backbone of that industry. The attack the researchers observed is of a similar kind. This attack clearly shows that China will not allow any competitor to stand against it in the world. So let us look at the analysis of this attack.

ANALYSIS OF THE ATTACK

One of the clients of Trustwave SpiderLabs operates centers worldwide. The attack came to light when this global client decided to start operating in China. When they did, a Chinese bank advised them to install tax payment software originally named "Intelligent Tax", produced by the Golden Tax Department of Aisino Credit Information. In addition to handling tax payments, this software installs two additional executables, svm.exe and svmm.exe, downloaded from the subdomain download.ningzhidata.com and placed on the C drive of the victim's system as auto-start services running in the background. The installation of these executables is initiated by plugin.exe, which comes bundled with the tax payment software and starts installing them only after a delay, so that the victim remains unaware of what is going on in the background.

Once these two files are installed, they collect information about the victim's system and establish a connection from it to www.ningzhidata.com on port 9006. This domain is registered through Alibaba and acts as a command and control server used to execute arbitrary commands on the victim's system. The two executables svm and svmm are capable of reinstalling each other, meaning that if either of them is uninstalled, the other will reinstall it.

These tools operate at the kernel level, which makes them even more dangerous: they can obtain privileges that the user might not have on their own system. The two executables svm and svmm are the malware the researchers named GoldenSpy, with the MD5 hash 2c5557250cbd3f7ff3f778aa4fc6e479. One of the most interesting facts the researchers observed about this malware is that svm.exe is digitally signed by a Chinese tech firm named Nanjing Chenkuo Network Technology. The cyber criminals set a trap for their victims to fall into, using the names of two big firms, Aisino Corporation and Nanjing Chenkuo Network Technology, to build trust.
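The indicators above (the svm/svmm service pair, traffic to ningzhidata.com and its subdomains or to port 9006, and the MD5 hash) can be turned into a simple triage check. The script below is an added example for defenders, not code from the Trustwave report or the original post; the log line format, the service list and the file bytes are constructed assumptions.

```python
import hashlib
import re

# Indicators taken from the analysis above.
GOLDENSPY_MD5 = "2c5557250cbd3f7ff3f778aa4fc6e479"
C2_DOMAIN = "ningzhidata.com"
C2_PORT = 9006
SERVICE_PAIR = {"svm", "svmm"}

# Constructed sample of a proxy/firewall log (the format is an assumption).
SAMPLE_LOG = """\
2020-06-20T10:01:02Z src=10.0.0.15 dst=download.ningzhidata.com:443 action=allow
2020-06-20T10:05:44Z src=10.0.0.15 dst=www.ningzhidata.com:9006 action=allow
2020-06-20T10:06:01Z src=10.0.0.22 dst=update.example.org:443 action=allow
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+)")


def find_c2_hits(log_text):
    """Return (src, host, port) tuples whose destination is the C2 domain or port."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        host, port = m.group("host").lower(), int(m.group("port"))
        # Match the registered domain and any of its subdomains, or the C2 port.
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN) or port == C2_PORT:
            hits.append((m.group("src"), host, port))
    return hits


def find_service_pair(service_names):
    """True when both the svm and svmm auto-start services are registered on a host."""
    present = {s.lower() for s in service_names}
    return SERVICE_PAIR <= present


def md5_matches(data):
    """True if the given file bytes hash to the GoldenSpy sample's MD5."""
    return hashlib.md5(data).hexdigest() == GOLDENSPY_MD5


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print("C2 indicator:", hit)
    print("svm/svmm pair present:", find_service_pair(["svm", "svmm", "Spooler"]))
    print("hash match on constructed bytes:", md5_matches(b"not the real sample"))
```

In practice the service names would come from the Windows service list on each host and the log text from the proxy or firewall export.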

CONCLUSION

We see how Chinese cyber criminals are launching state-sponsored attacks. In the attack above, the names of big firms kept anyone from doubting the authenticity of the software. We at Ethical Debuggers suggest that you do not install any Chinese software in any form unless you know the company personally.