The Golden Tax Department and Emergence of GoldenSpy Malware
Trustwave SpiderLabs, during a recent threat hunting engagement, discovered a Chinese cyber threat targeting corporations operating in China. This report details the attack methodology, the entities suspected to be behind the activity, and protective measures to mitigate the risk of being impacted. The following series of events details the threat.
Indicators of Compromise (84)
References (4)
https://trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/#_Toc45185607
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/