
GoldenSpy

Posted: June 26, 2020

GoldenSpy is a newly identified malware family that has so far been found on the networks of two companies operating out of the United Kingdom: one is in the finance sector, the other in software/technology. The way GoldenSpy reached the compromised systems is notable. It was delivered alongside tax software that a Chinese bank required the victims to use, and it is not clear whether the bank knew about the malware implant in its tax software.

The GoldenSpy malware operates as a backdoor Trojan that lets attackers execute remote commands and run additional files on the infected computer. The implant also supports a range of other features typical of threatening applications:

  • It gains persistence by creating two copies of the payload and registering two separate services that start the implant whenever Windows boots. If one copy is deleted for any reason, the other downloads a replacement.
  • Once the tax software is installed on the targeted machine, it waits at least two hours before installing GoldenSpy. The installation of the additional modules is hidden, and victims are not notified of this activity.
  • Uninstalling the tax software does not affect GoldenSpy's files; they continue to run after the tax software is removed.
  • GoldenSpy obtains administrator permissions, giving it full control over the infected host.
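The persistence behaviour above (one payload installed twice, each copy with its own service) leaves a footprint a defender can hunt for: two services whose binaries hash to the same content but live at different paths. The following Python is an added example, not code from the original write-up; the service inventory, names, paths and file contents are constructed sample data and are not GoldenSpy indicators.

```python
import hashlib
from collections import defaultdict

# Constructed sample inventory of the kind a service enumeration would produce:
# (service name, binary path, file bytes). Everything here is made up for the
# example; none of it is a real GoldenSpy artifact.
SAMPLE_SERVICES = [
    ("Spooler",  r"C:\Windows\System32\spoolsv.exe",           b"spooler-binary"),
    ("UpdSvcA",  r"C:\ProgramData\UpdSvc\upd.exe",             b"same-payload-bytes"),
    ("UpdSvcB",  r"C:\Users\Public\Libraries\upd_helper.exe",  b"same-payload-bytes"),
    ("wuauserv", r"C:\Windows\System32\svchost.exe",           b"svchost-binary"),
    ("BITS",     r"C:\Windows\System32\svchost.exe",           b"svchost-binary"),
]


def sha256(data: bytes) -> str:
    """Content hash of a service binary."""
    return hashlib.sha256(data).hexdigest()


def find_duplicate_service_binaries(services):
    """Return {hash: [(name, path), ...]} for hashes found at 2+ distinct paths.

    Several services sharing one binary path (e.g. svchost.exe hosts) is normal
    and is not flagged. The same bytes installed under two different paths, each
    registered as its own service, matches the mutually restoring pair described
    in the write-up and is reported.
    """
    by_hash = defaultdict(list)
    for name, path, data in services:
        by_hash[sha256(data)].append((name, path))

    suspicious = {}
    for digest, entries in by_hash.items():
        # Normalise case: Windows paths are case-insensitive.
        distinct_paths = {path.lower() for _, path in entries}
        if len(distinct_paths) >= 2:
            suspicious[digest] = entries
    return suspicious


if __name__ == "__main__":
    for digest, entries in find_duplicate_service_binaries(SAMPLE_SERVICES).items():
        print(digest[:16], [name for name, _ in entries])
```

On a live host the tuples would be built from the service table (for example the output of Get-CimInstance Win32_Service) with the file bytes read from each binary path; a hit is a lead for triage, not proof of compromise.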

Attacks like the one involving GoldenSpy are exceptionally dangerous because victims are unlikely to expect a malware attack to originate from a trusted company they do business with.

The GoldenSpy implant is highly sophisticated, as is the method used to deliver it to potential victims. This shows that a high-profile threat actor is behind the operation, and the two UK companies are unlikely to be the only ones targeted by GoldenSpy.
