'GoldenSpy' tax software attackers try to erase evidence of malware

'GoldenSpy' tax software attackers try to erase evidence of malware

The actors behind a campaign to spread GoldenSpy malware via tax accounting software used by customers of a Chinese bank have recently attempted to distribute an uninstaller that deletes the backdoor in an apparent attempt to cover up their illicit activities.

In a previous company blog post and threat reportTrustwave and its SpiderLabs team identified the accounting software as Intelligent Tax, which was reportedly developed by China-based Aisino Corporation, and digitally signed by a second Chinese company, Chenkuo Network Technology. It is unknown if the bank (which Trustwave left unnamed), Aisino, Chenkuo Network Technology, or another party such as the Chinese government was actively behind the scheme. 

Now, in a follow-up blog post, Trustwave reports that it observed the new uninstaller, called AWX.exe, on June 28.

Trustwave says the purpose of the installer is to delete any trace of evidence that GoldenSpy ever existed on an infected machine — including registry entries, files and folders. The uninstaller even automatically deletes itself.

The tax software can execute the installer via a command for upgrading or installing new software. Normally, it would download an SVMinstaller module to implant GoldenSpy, “but as of June 28, we have identified a new flow that downloads and executes” the uninstaller,” reports blog post author Brian Hussey, VP of cyber threat detection and response at Trustwave.

“In our testing, this GoldenSpy uninstaller will automatically download and execute, and effectively, will negate the direct threat of GoldenSpy in your environment; however, as the deployment of th ..