S0493 GoldenSpy
GoldenSpy is backdoor malware that has been packaged with legitimate tax preparation software. GoldenSpy was discovered targeting organizations in China, delivered with the “Intelligent Tax” software suite, which is produced by the Golden Tax Department of Aisino Credit Information Co. and is required to pay local taxes.[1]
| Item | Value | 
|---|---|
| ID | S0493 | 
| Associated Names | |
| Type | MALWARE | 
| Version | 1.0 | 
| Created | 23 July 2020 | 
| Last Modified | 19 August 2020 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - | 
| enterprise | T1071.001 | Web Protocols | GoldenSpy has used the Ryeol HTTP Client to facilitate HTTP internet communication.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - | 
| enterprise | T1059.003 | Windows Command Shell | GoldenSpy can execute remote commands via the command-line interface.[1] |
| enterprise | T1136 | Create Account | - | 
| enterprise | T1136.001 | Local Account | GoldenSpy can create new users on an infected system.[1] |
| enterprise | T1543 | Create or Modify System Process | - | 
| enterprise | T1543.003 | Windows Service | GoldenSpy has established persistence by running in the background as an autostart service.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | GoldenSpy has exfiltrated host environment information to an external C2 domain via port 9006.[1] |
| enterprise | T1083 | File and Directory Discovery | GoldenSpy has included a program “ExeProtector”, which monitors for the existence of GoldenSpy on the infected system and redownloads if necessary.[1] |
| enterprise | T1070 | Indicator Removal | - | 
| enterprise | T1070.004 | File Deletion | GoldenSpy's uninstaller can delete registry entries, files and folders, and finally itself once these tasks have been completed.[2] |
| enterprise | T1105 | Ingress Tool Transfer | GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system.[1] |
| enterprise | T1036 | Masquerading | - | 
| enterprise | T1036.005 | Match Legitimate Name or Location | GoldenSpy's setup file installs initial executables under the folder %WinDir%\System32\PluginManager.[1] |
| enterprise | T1106 | Native API | GoldenSpy can execute remote commands in the Windows command shell using the WinExec() API.[1] |
| enterprise | T1571 | Non-Standard Port | GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.[1] |
| enterprise | T1027 | Obfuscated Files or Information | GoldenSpy's uninstaller has base64-encoded its variables.[2] |
| enterprise | T1195 | Supply Chain Compromise | - | 
| enterprise | T1195.002 | Compromise Software Supply Chain | GoldenSpy has been packaged with a legitimate tax preparation software.[1] |
| enterprise | T1082 | System Information Discovery | GoldenSpy has gathered operating system information.[1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - | 
| enterprise | T1497.003 | Time Based Evasion | GoldenSpy's installer has delayed installation of GoldenSpy for two hours after it reaches a victim system.[1] |
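
A triage sketch that correlates two indicators from the table above, the PluginManager install folder (T1036.005) and the listed non-standard ports (T1571, T1041), per host. It is an added example, not code from ATT&CK or the cited reports; the pipe-delimited record format, host names, file names and addresses are constructed, and %WinDir% is assumed to be C:\Windows.

```python
import ntpath
from collections import defaultdict

# Ports and their roles as listed in the technique table (T1571, T1041).
GOLDENSPY_PORTS = {9002: "C2 requests", 9005: "HTTP", 9006: "HTTP / exfiltration",
                   8090: "file download", 33666: "WebSocket"}
# Install folder from T1036.005; %WinDir% is assumed to expand to C:\Windows here.
PLUGIN_DIR = r"c:\windows\system32\pluginmanager"

# Constructed records: host|image_path|dest_ip|dest_port (hypothetical export format).
SAMPLE = r"""
ws01|C:\Windows\System32\PluginManager\example_a.exe|203.0.113.10|9006
ws01|C:\Windows\System32\PluginManager\example_a.exe|203.0.113.10|9002
ws02|C:\Program Files\DevTool\server.exe|198.51.100.7|8090
ws03|C:\Windows\System32\svchost.exe|198.51.100.9|443
ws04|C:\WINDOWS\system32\PluginManager\..\PluginManager\example_b.exe|203.0.113.10|33666
""".strip().splitlines()

def in_plugin_dir(image_path):
    """True when the executable sits below the PluginManager folder (case-insensitive)."""
    p = ntpath.normpath(image_path).lower()  # collapses '..' and mixed separators
    return p.startswith(PLUGIN_DIR + "\\")

def score_hosts(lines):
    """Return {host: sorted findings}; malformed records are skipped, not fatal."""
    findings = defaultdict(set)
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        host, image, _dest_ip, port = parts
        if in_plugin_dir(image):
            findings[host].add("path:PluginManager")
        if int(port) in GOLDENSPY_PORTS:
            findings[host].add(f"port:{port}")
    return {h: sorted(f) for h, f in findings.items()}

def high_confidence(results):
    """Hosts with the install folder plus at least two listed ports.
    A single port such as 8090 is common in benign software and is only a weak lead."""
    return sorted(h for h, f in results.items()
                  if "path:PluginManager" in f
                  and sum(x.startswith("port:") for x in f) >= 2)

if __name__ == "__main__":
    results = score_hosts(SAMPLE)
    for host, found in results.items():
        print(host, found)
    print("escalate:", high_confidence(results))
```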