GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software. GoldenSpy was discovered targeting organizations in China, being delivered with the "Intelligent Tax" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.[1]

ID: S0493
Platforms: Windows
Version: 1.0
Created: 23 July 2020
Last Modified: 19 August 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

GoldenSpy has used the Ryeol HTTP Client to facilitate HTTP internet communication.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

GoldenSpy can execute remote commands via the command-line interface.[1]

Enterprise T1136 .001 Create Account: Local Account

GoldenSpy can create new users on an infected system.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

GoldenSpy has established persistence by running in the background as an autostart service.[1]

Enterprise T1041 Exfiltration Over C2 Channel

GoldenSpy has exfiltrated host environment information to an external C2 domain via port 9006.[1]

Enterprise T1083 File and Directory Discovery

GoldenSpy has included a program "ExeProtector", which monitors for the existence of GoldenSpy on the infected system and redownloads if necessary.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

GoldenSpy's uninstaller can delete registry entries, files and folders, and finally itself once these tasks have been completed.[2]

Enterprise T1105 Ingress Tool Transfer

GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

GoldenSpy's setup file installs initial executables under the folder %WinDir%\System32\PluginManager.[1]

Enterprise T1106 Native API

GoldenSpy can execute remote commands in the Windows command shell using the WinExec() API.[1]

Enterprise T1571 Non-Standard Port

GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.[1]

Enterprise T1027 Obfuscated Files or Information

GoldenSpy's uninstaller has base64-encoded its variables. [2]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

GoldenSpy has been packaged with a legitimate tax preparation software.[1]

Enterprise T1082 System Information Discovery

GoldenSpy has gathered operating system information.[1]

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

GoldenSpy's installer has delayed installation of GoldenSpy for two hours after it reaches a victim system.[1]