GoldenSpy
GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software.GoldenSpy was discovered targeting organizations in China, being delivered with the "Intelligent Tax" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol:Web Protocols | GoldenSpy has used the Ryeol HTTP Client to facilitate HTTP internet communication.[1] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter:Windows Command Shell | GoldenSpy can execute remote commands via the command-line interface.[1] |
| Enterprise | T1136 | .001 | Create Account:Local Account | |
| Enterprise | T1543 | .003 | Create or Modify System Process:Windows Service | GoldenSpy has established persistence by running in the background as an autostart service.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | GoldenSpy has exfiltrated host environment information to an external C2 domain via port 9006.[1] | |
| Enterprise | T1083 | File and Directory Discovery | GoldenSpy has included a program "ExeProtector", which monitors for the existence ofGoldenSpy on the infected system and redownloads if necessary.[1] | |
| Enterprise | T1070 | .004 | Indicator Removal:File Deletion | GoldenSpy's uninstaller can delete registry entries, files and folders, and finally itself once these tasks have been completed.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | GoldenSpy constantly attempts to download and execute files from the remote C2, includingGoldenSpy itself if not found on the system.[1] | |
| Enterprise | T1036 | .005 | Masquerading:Match Legitimate Resource Name or Location | GoldenSpy's setup file installs initial executables under the folder |
| Enterprise | T1106 | Native API | GoldenSpy can execute remote commands in the Windows command shell using the | |
| Enterprise | T1571 | Non-Standard Port | GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.[1] | |
| Enterprise | T1027 | .013 | Obfuscated Files or Information:Encrypted/Encoded File | GoldenSpy's uninstaller has base64-encoded its variables.[2] |
| Enterprise | T1195 | .002 | Supply Chain Compromise:Compromise Software Supply Chain | GoldenSpy has been packaged with a legitimate tax preparation software.[1] |
| Enterprise | T1082 | System Information Discovery | ||
| Enterprise | T1497 | .003 | Virtualization/Sandbox Evasion:Time Based Checks | GoldenSpy's installer has delayed installation ofGoldenSpy for two hours after it reaches a victim system.[1] |