Aisino tax software installed GoldenSpy
A Chinese bank required companies to install Aisino Intelligent Tax, which silently deployed GoldenSpy. The backdoor ran as SYSTEM and survived removal of the tax software.
Story
A multinational company opened operations in China and installed the local tax software its bank required. The software was Intelligent Tax, produced by the Golden Tax Department of Aisino Credit Information. It did the tax work, but it also carried something else.
In 2020 Trustwave found GoldenSpy riding on that trusted installer. The backdoor did not install immediately: it waited about two hours after the Intelligent Tax installation finished, then installed silently under %WinDir%\System32\PluginManager and registered itself as an autostart Windows service running with SYSTEM privileges.
GoldenSpy did not use the tax software's own infrastructure. It beaconed to ningzhidata.com and related command-and-control servers over non-standard HTTP ports. It collected host information, executed Windows commands, uploaded and downloaded files, and could fetch and run additional binaries. Uninstalling Intelligent Tax left GoldenSpy in place.
After Trustwave published, Intelligent Tax began pushing an uninstaller instead of the backdoor. That cleanup tool removed GoldenSpy's files, registry entries and logs, then deleted itself. CERT-FR later noted a second uninstaller, distributed from July 1, with changes that appeared designed to evade Trustwave's YARA rule. The response looked like covering tracks, not a fix.
Affected Artifacts
- Observed: 2020-04-01 to 2020-06-28
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes:
  - sha256:c1d7873a21d28ba995725f958741948f0d750b1e18311341682b56f257025642
  - sha256:1536924c856093919f4f697f83225471094e4868131226a996d75a738080b0e6
  - sha256:5953fc590db6ab347840ccbf10f09a0b1bb48d38309067a1d65c34cb3ce82f4b
- Evidence:
  - distribution: download.i-xinnuo.com/products/IntelligentTaxSetup.exe, mirror: trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-whos-really-pulling-the-strings, mirror: virustotal.com/gui/file/c1d7873a21d28ba995725f958741948f0d750b1e18311341682b56f257025642, mirror: virustotal.com/gui/file/1536924c856093919f4f697f83225471094e4868131226a996d75a738080b0e6, +31 more
  - Trustwave observed GoldenSpy active in April 2020 and reported an uninstaller pushed by Intelligent Tax on June 28, 2020.
  - FBI/IC3 reported in July 2020 that Aisino and Baiwang were the only government-authorized VAT software providers and that US companies operating in China's market were required to use one of them.
  - FBI/IC3 said GoldenSpy was believed to have existed since 2016, but the public Trustwave timeline for the Aisino incident begins with activity observed in April 2020.
  - CERT-FR later used GoldenSpy as a case study in integrating mandatory but untrusted software and recommended isolating such software from the rest of an enterprise network.
  - The primary Trustwave reporting does not attribute the campaign; this record assigns it to no named government or state actor.
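The following PowerShell triage script is an added example, not Trustwave's tooling and not anything shipped by Aisino. It checks a Windows host for the footprint the Story describes (the PluginManager directory under System32, an autostart service running as SYSTEM, live connections from processes in that directory) and compares any executables it finds against the three SHA-256 values listed under Hashes. The directory name and hashes come from this record; the service, process and connection checks are generic and assumed to be what an analyst would want, and the script assumes an elevated 64-bit PowerShell 5.1 or later session (a 32-bit shell would have System32 redirected to SysWOW64). It reports and does not remove anything.

```powershell
# Added triage script for the GoldenSpy indicators in this record (not vendor code).
# Run from an elevated, 64-bit PowerShell so %WinDir%\System32 is not redirected.

# SHA-256 values taken from this record's Hashes section.
$KnownHashes = @(
    'c1d7873a21d28ba995725f958741948f0d750b1e18311341682b56f257025642',
    '1536924c856093919f4f697f83225471094e4868131226a996d75a738080b0e6',
    '5953fc590db6ab347840ccbf10f09a0b1bb48d38309067a1d65c34cb3ce82f4b'
)

# Install location reported by Trustwave.
$PluginDir = Join-Path $env:WINDIR 'System32\PluginManager'

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Is the directory present at all? Uninstalling Intelligent Tax did not remove
#    GoldenSpy, so a leftover directory on a host where the tax software is gone is a lead.
if (Test-Path -LiteralPath $PluginDir) {
    $Findings.Add("Directory exists: $PluginDir")

    # 2. Hash every PE in it against the record's hashes. Anything else in the
    #    directory is reported too, since the record lists only three hashes.
    Get-ChildItem -LiteralPath $PluginDir -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
            if ($KnownHashes -contains $hash) {
                $Findings.Add("Known GoldenSpy hash: $($_.FullName) $hash")
            } else {
                $Findings.Add("Unrecognised file in PluginManager dir: $($_.FullName) $hash")
            }
        }
}

# 3. A service whose image path points under PluginManager, autostarting as
#    LocalSystem, matches the persistence described in this record.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -like '*\System32\PluginManager\*' } |
    ForEach-Object {
        $Findings.Add("Service '$($_.Name)' start=$($_.StartMode) account=$($_.StartName) path=$($_.PathName)")
    }

# 4. Live network activity from processes running out of that directory. The record
#    names ningzhidata.com and says non-standard HTTP ports but lists no port numbers,
#    so every established connection from these processes is reported and the analyst
#    resolves the remote addresses by hand.
$SuspectPids = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -like '*\System32\PluginManager\*' } |
    Select-Object -ExpandProperty ProcessId

if ($SuspectPids) {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $SuspectPids -contains $_.OwningProcess } |
        ForEach-Object {
            $Findings.Add("PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort)")
        }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No GoldenSpy indicators from this record found on this host.'
} else {
    $Findings | ForEach-Object { Write-Output $_ }
}
```

Treat an empty result as "none of these specific indicators", not as a clean host: the second uninstaller noted by CERT-FR was changed to evade Trustwave's YARA rule, so a host that was cleaned up by the vendor's own tool may show only the leftover directory, or nothing at all, and still warrant a look at proxy logs for ningzhidata.com.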
Incident Context
- Motive: Espionage, Data Theft
- Attribution: Group
- Cause: Official Software Inclusion
- Transitive: No
- Actor: Unknown actor
- User Impact: 1000
External References
- Chinese Government-Mandated Tax Software Contains Malware, Enabling Backdoor Access (ic3.gov)
- Integration of Untrusted Software - The Case of GoldenSpy (cert.ssi.gouv.fr)
- The Golden Tax Department and the Emergence of GoldenSpy Malware (trustwave.com)
- GoldenSpy: Chapter Two - The Uninstaller (trustwave.com)
- GoldenSpy Chapter 3: New and Improved Uninstaller (trustwave.com)
- Chinese bank forced Western companies to install malware-laced tax software (zdnet.com)
- 'GoldenSpy' Malware Hidden in Tax Software Spies on Companies Doing Business in China (darkreading.com)
- Chinese Software Company Aisino Uninstalls GoldenSpy Malware (darkreading.com)
- GoldenSpy, Software S0493 (attack.mitre.org)
- GoldenSpy: Who's Really Pulling the Strings? (trustwave.com)
- GoldenSpy Supply Chain Attack Hits Organizations Operating in China (crowdstrike.com)
Source record: proprietary/aisino/meta.yaml