Skip to content

S0493 GoldenSpy

GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software. GoldenSpy was discovered targeting organizations in China, being delivered with the “Intelligent Tax” software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.1

Item Value
ID S0493
Associated Names
Version 1.0
Created 23 July 2020
Last Modified 19 August 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols GoldenSpy has used the Ryeol HTTP Client to facilitate HTTP internet communication.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell GoldenSpy can execute remote commands via the command-line interface.1
enterprise T1136 Create Account -
enterprise T1136.001 Local Account GoldenSpy can create new users on an infected system.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service GoldenSpy has established persistence by running in the background as an autostart service.1
enterprise T1041 Exfiltration Over C2 Channel GoldenSpy has exfiltrated host environment information to an external C2 domain via port 9006.1
enterprise T1083 File and Directory Discovery GoldenSpy has included a program “ExeProtector”, which monitors for the existence of GoldenSpy on the infected system and redownloads if necessary.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion GoldenSpy‘s uninstaller can delete registry entries, files and folders, and finally itself once these tasks have been completed.2
enterprise T1105 Ingress Tool Transfer GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location GoldenSpy‘s setup file installs initial executables under the folder %WinDir%\System32\PluginManager.1
enterprise T1106 Native API GoldenSpy can execute remote commands in the Windows command shell using the WinExec() API.1
enterprise T1571 Non-Standard Port GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.1
enterprise T1027 Obfuscated Files or Information GoldenSpy‘s uninstaller has base64-encoded its variables. 2
enterprise T1195 Supply Chain Compromise -
enterprise T1195.002 Compromise Software Supply Chain GoldenSpy has been packaged with a legitimate tax preparation software.1
enterprise T1082 System Information Discovery GoldenSpy has gathered operating system information.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.003 Time Based Evasion GoldenSpy‘s installer has delayed installation of GoldenSpy for two hours after it reaches a victim system.1