The new malware is entirely different from GoldenSpy, although the delivery modus operandi is highly similar. We named this family GoldenHelper, based on its association with the Chinese National Golden Tax project and one of the primary Command and Control domains: help.tax-helper.ltd.
Although called "Baiwang Edition", GoldenHelper was digitally signed by NouNou Technologies, a subsidiary of Aisino Corporation, the same company responsible for the Intelligent Tax Software with embedded GoldenSpy malware.
GoldenHelper malware uses sophisticated techniques to hide its delivery, presence, and activity. Notable techniques include randomizing its filename while in transit, randomizing its file-system location, timestomping, an IP-based DGA (Domain Generation Algorithm), UAC bypass, and privilege escalation.
Our current telemetry shows that GoldenHelper is designed to drop a final payload, called taxver.exe. Trustwave SpiderLabs has not yet been able to obtain a copy of this file and is requesting assistance from our readers to contact us at goldenspy@trustwave.com if they have information on this file or a sample for us to analyze.
Read the full report here.