Trustwave’s security researchers have discovered another malware family delivered through tax software that Chinese banks require companies doing business in the country to use.
The discovery comes only weeks after the security firm published information on GoldenSpy, a backdoor delivered via the Intelligent Tax application produced by the Golden Tax Department of Aisino Corporation. Within days after the initial report was published, an uninstaller was pushed to compromised machines, to completely remove GoldenSpy.
Dubbed GoldenHelper, the newly identified piece of malware is delivered through the Golden Tax Invoicing Software (Baiwang Edition), which Chinese banks require their clients to install in order to pay taxes.
The Golden Tax software, which is linked to Aisino, can install without user consent, can escalate privileges to SYSTEM, and can download and install payloads on the system. Trustwave discovered that the program is sometimes deployed as a “stand-alone system provided by the bank,” and that in some cases organizations were provided with a Windows 7 system with the Golden Tax software on it.
GoldenHelper uses the SKPC.DLL to interact with Golden Tax, the WMISSSRV.DLL to escalate privileges, and a .DAT file with a random name to fetch and run arbitrary code with SYSTEM privileges. The malware’s main goal is to download and run taxver.exe, but Trustwave was not able to find a sample of the payload yet (although the malware might continue to be active on compromised systems).
While they could not confirm that taxver.exe is indeed malicious, the security researchers point out that legitima ..
Support the originator by clicking the read the rest link below.
