PULSE NAME
The Golden Tax Department and Emergence of GoldenSpy Malware
WHITE AlienVault 2020-06-26 Modified: 2020-11-19
84 IOCs (HIGH VOLUME)
Trustwave SpiderLabs, during a recent threat hunting engagement, discovered a Chinese cyber threat targeting corporations operating in China. This report details the attack methodology, suspected entities behind the activity, and protective measures to mitigate risk of being impacted. The following series of events detail the threat.
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
GoldenSpy
Indicators of Compromise (15 / 84 total)