
GoldenHelper

Posted: July 15, 2020

In June 2020, antivirus product vendors reported a new malware family known as GoldenSpy. The newly identified threat was distributed by using a very interesting delivery method – it was planted in legitimate tax software offered by a China-based bank. Foreign companies co-operating with the Chinese organization in question were often asked to install the tax software, and in doing so unknowingly planted the GoldenSpy backdoor on their networks.

Surprisingly, a second piece of malware was then found in tax software originating from China – the new threat, dubbed GoldenHelper, is very different from the GoldenSpy implant. However, it uses an almost identical propagation method, and it seems to have been active before the GoldenSpy malware was identified – the first samples of GoldenHelper date back to 2018. The GoldenHelper implant was first found in the 'Golden Tax Invoicing Software.'

It is still not clear whether the malicious GoldenHelper and GoldenSpy implants were embedded in the tax software on purpose – however, the name of the company Aisino Corporation comes up in both cases. Aisino is associated with the NouNou Technologies company, whose certificate was used to sign the tax software carrying GoldenHelper. Aisino Technologies was also linked to the 'Intelligent Tax' software that was used to deliver the GoldenSpy implant.

The creators of GoldenHelper seem to have focused on making their implant as stealthy and as evasive as possible. To achieve this, they rely on randomly generated names for the threat's components, a User Account Control (UAC) bypass exploit, and a Domain Generation Algorithm (DGA) to hide its connections to the control server.
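A DGA defeats static domain blocklists, so defenders usually hunt for it in DNS logs instead: a single host resolving a burst of long, consonant-heavy, high-entropy domain names is the classic signature. The following is an added defender-side example and is not code from the original page, nor a reimplementation of GoldenHelper's own algorithm (which the page does not describe); the DNS log lines, client addresses and domains are constructed for illustration, and the score thresholds are assumptions to be tuned against real traffic.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (not real GoldenHelper indicators):
# one client with ordinary lookups, one with random-looking domains.
SAMPLE_DNS_LOG = """\
2020-07-15T10:01:02Z client=10.0.0.12 query=www.example.com type=A
2020-07-15T10:01:05Z client=10.0.0.12 query=mail.example.org type=A
2020-07-15T10:01:09Z client=10.0.0.44 query=xk7qz9wbtr2mvl.com type=A
2020-07-15T10:01:11Z client=10.0.0.44 query=pq3zxvt8kwjmyh.net type=A
2020-07-15T10:01:13Z client=10.0.0.44 query=cdn.static-assets.example.net type=A
2020-07-15T10:01:15Z client=10.0.0.44 query=gh4xmzq2vbnwtk.org type=A
"""

QUERY_RE = re.compile(r"client=(\S+) query=(\S+)")
VOWELS = set("aeiou")


def registrable_label(domain):
    """Return the label just left of the TLD (e.g. 'example' for
    'cdn.example.net'). Assumes a single-label public suffix; a production
    version would consult the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits of entropy per character; random strings score near log2(len)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(label):
    """Heuristic score in [0, 1]; higher looks more machine-generated.
    Weights and cut-offs are assumed values, not derived from any sample."""
    if not label:
        return 0.0
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = (sum(ch in VOWELS for ch in letters) / len(letters)) if letters else 0.0
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    score = 0.0
    if shannon_entropy(label) > 3.5:   # many distinct characters
        score += 0.4
    if vowel_ratio < 0.25:             # unpronounceable, few vowels
        score += 0.3
    if digit_ratio > 0.1:              # digits mixed into the name
        score += 0.15
    if len(label) >= 12:               # long second-level label
        score += 0.15
    return round(score, 2)


def flag_dga_queries(log_text, threshold=0.6):
    """Parse log lines and return (client, domain, score) for queries whose
    registrable label scores at or above the threshold."""
    flagged = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, domain = m.groups()
        score = dga_score(registrable_label(domain))
        if score >= threshold:
            flagged.append((client, domain, score))
    return flagged


def suspicious_clients(flagged, min_domains=3):
    """Clients that queried at least min_domains distinct flagged domains:
    one odd name is noise, a run of them from one host is the DGA signal."""
    per_client = defaultdict(set)
    for client, domain, _ in flagged:
        per_client[client].add(domain)
    return {c for c, doms in per_client.items() if len(doms) >= min_domains}


if __name__ == "__main__":
    hits = flag_dga_queries(SAMPLE_DNS_LOG)
    for client, domain, score in hits:
        print(f"{client} -> {domain} (score {score})")
    print("clients to investigate:", suspicious_clients(hits))
```

Scoring the registrable label rather than the whole name keeps long but legitimate hostnames such as cdn.static-assets.example.net from being flagged, and aggregating per client is what separates a DGA beacon from a one-off typo. Pairing this with NXDOMAIN response codes, when the resolver logs them, sharpens the signal further, since most generated candidates are never registered.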
