Organizations doing business in China have been warned that official-looking software that domestic banks require them to download may actually contain backdoor malware.
THREAT
Baiwang and Aisino are the only government-authorized tax software service providers permitted to operate the Chinese value-added tax (VAT) system. The China Tax Bureau requires US companies to use one of these two providers in order to operate within China’s market. Both companies operate the VAT system under the management and oversight of the state-owned enterprise National Information Security Engineering Center (NISEC). The NISEC has foundational links to the 3PLA.
In July 2018, an employee of a US pharmaceutical company with business interests in China downloaded the Baiwang Tax Control Invoicing software program from baiwang.com. Since at least March 2019, Baiwang has released software updates that automatically install a driver alongside the main tax program.
In April 2019, employees of the pharmaceutical company discovered that the software contained malware that created a backdoor on the company’s network. In June 2020, a private cybersecurity firm reported that Intelligence Tax, a tax software product from Aisino Corporation that a Chinese bank requires under the same VAT system, likely contained malware that installed a hidden backdoor into the networks of organizations using it. The malware, named GoldenSpy, was designed to give cyber actors unfettered access to victim networks and is believed to have been in use since 2016. It is unclear how many organizations may have been compromised.
ON-GOING THREAT
“Basically, it was a wide-open door into the network with system-level privileges and connected to a command and control server completely separate from the tax software’s network infrastructure.”
That same company digitally signs GoldenSpy with the description “certified software version upgrade service,” wording designed to make the malware appear legitimate.
Every corporation operating in China or using the Aisino Intelligent Tax Software should consider this incident a potential threat and should engage in threat hunting, containment and remediation countermeasures.
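One starting point for the threat hunting recommended above, as an added example that is not part of the original advisory or of any vendor tooling: it scans outbound-connection records for the processes installed with the tax software and flags any destination outside the vendor’s own infrastructure, which is the traffic pattern described above. The process names, vendor hosts and log lines are constructed placeholders; replace them with the real installed binaries and the vendor’s published update hosts.

```python
import ipaddress
import re
from typing import Iterable

# Hosts the tax software is legitimately expected to contact (placeholders, not real vendor hosts).
VENDOR_HOSTS = {"update.taxvendor.example", "api.taxvendor.example"}

# Processes installed with the tax software that should only talk to VENDOR_HOSTS (placeholders).
WATCHED_PROCESSES = {"taxclient.exe", "taxupdater.exe"}

# Constructed record format: "<timestamp> user=<account> proc=<image> dst=<host>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+):(?P<port>\d+)$"
)

def is_vendor_host(dst: str) -> bool:
    """True if dst is a vendor host or a subdomain of one; raw IP literals never match."""
    try:
        ipaddress.ip_address(dst)
        return False  # a hard-coded IP is not part of any named vendor infrastructure
    except ValueError:
        pass
    dst = dst.lower().rstrip(".")
    return any(dst == h or dst.endswith("." + h) for h in VENDOR_HOSTS)

def find_suspect_connections(lines: Iterable[str]) -> list[dict]:
    """Return parsed records where a watched process reached a host outside the vendor set."""
    suspects = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed records instead of aborting the hunt
        rec = m.groupdict()
        if rec["proc"].lower() in WATCHED_PROCESSES and not is_vendor_host(rec["dst"]):
            rec["reason"] = "watched process contacted host outside vendor infrastructure"
            if rec["user"].upper() == "SYSTEM":
                rec["reason"] += "; running with system-level privileges"
            suspects.append(rec)
    return suspects

# Constructed sample log: one legitimate update check, two beacons to an unrelated host, one unrelated process.
SAMPLE_LOG = [
    "2020-06-01T09:00:01Z user=alice proc=taxclient.exe dst=update.taxvendor.example:443",
    "2020-06-01T09:00:07Z user=SYSTEM proc=taxupdater.exe dst=203.0.113.10:8080",
    "2020-06-01T09:03:07Z user=SYSTEM proc=taxupdater.exe dst=cdn.example.net:443",
    "2020-06-01T09:05:00Z user=bob proc=outlook.exe dst=mail.example.com:443",
]

if __name__ == "__main__":
    for s in find_suspect_connections(SAMPLE_LOG):
        print(f"{s['ts']} {s['proc']} -> {s['dst']}:{s['port']} ({s['reason']})")
```

Feed it the same fields exported from your EDR or proxy logs; a single hit from a tax-software process to a host the vendor does not own is the lead to chase, not proof of compromise on its own.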
NEXT STEPS
If you suspect you have any cyber threats, let us help you.
US Service Center will help with discovering and eliminating all your cybersecurity threats. Call us today.