German BKA and FBI warns of China espionage by GoldenSpy

[German]The German Federal Criminal Police Office (BKA) and the FBI has already published a warning about Chinese spyware activities against German and other foreign  companies that maintain business relations in China.


Advertising

The topic is not entirely new – I had already reported on the facts in June 2020 in the blog post China and the spyware in software products. At the end of the year and in view of the SolarWinds SOLARBURST espionage campaign, which mainly hit the USA, I brought the topic out again after a reader's tip.

Warning already in August 2020

The facts at the time: in early 2020, a multinational technology provider doing business in China was ordered by its Chinese bank to install software to pay local taxes. The tax software itself was legitimate, but embedded within it was a nasty surprise. A new report from a private security firm reveals that the software was infected. Built into the program was a sophisticated piece of malware that gave attackers complete access to the company's netw

Trustwave, the firm that uncovered the case, named the malicious software "GoldenSpy" and warns others to scan their networks for it in a report released Thursday. "If you have business in China and if someone asks you to install something, we urge extra vigilance," Hussey said. "We urge everyone to check to see if they have been affected."

While Trustwave did not provide details about the customer or the case. The malware appears to have been active since April 2020, and state actors from China are believed to have a hand in it. More details can be found in this article

BKA and FBI warning about GoldenSpy

German blog reader Robert G. emailed me today to point out a warning from the German Federal Criminal Police Office (BKA) that addresses the exact issue of GoldenSpy (thanks for that). Robert works in a company and asks if anyone has experience with the issue. In this message from August 2020, the BKA warns in general:


Advertising

The cyber defense of the Federal Office for the Protection of the Constitution (BfV) as well as the Federal Criminal Police Office (BKA) have knowledge that German companies based in China may be spied on using the malware GOLDENSPY. The aim of this joint alert is to sensitize German commercial enterprises and provide them with the necessary technical information to detect a possible infection.

The BKA does not refer to any specific case in the warning, but refers to tips from 'security companies' as well as a warning from the FBI (from June 2020) about possible GoldenSpy infections. The facts of the case are already outlined above:

Foreign companies that are active in China are required to install tax software in order to automatically and software-supportedly tax duties to the responsible tax office as well as to process financial transactions. This is supposed to be the legitimate Chinese tax software INTELLIGENT TAX (also called GOLDENTAX). However, by installing this legitimate software, a spyware called GOLDENSPY is supposed to be reloaded, through which third parties gain access to the networks of the affected companies.

German Intelligence servide (BfV) and BKA has compiled the known technical parameters and added their own findings. These are made available with this warning message for the protection of German commercial enterprises. Here is an excerpt: 

According to the findings of IT service providers, the additional file plugins.exe can be executed after the legitimate control software has been run, and thus the GOLDENSPY software can be reloaded and installed in the affected system automatically and without notifying the user after approximately two hours. This could give third parties full access rights, including administrator rights.

The installation of GOLDENSPY causes another file named svminstaller.exe to be reloaded, which installs two identical .exe files named svm.exe and svmm.exe in the system of the affected victims (these are two identical versions of GOLDENSPY), which are transferred from the domain ningzhidata[.]com. The two files have the following backdoor capabilities:

  • Both files are installed as autostart services, which – should one of the two services be terminated – restart each other. If one of the two files is deleted, a new version is reloaded and executed, which makes the removal of the malware from an infected system more difficult due to the additional use of administrator privileges.
  • The uninstall feature of INTELLIGENT TAX software does not uninstall GOLDENSPY.
  • GOLDENSPY is not downloaded and installed until approximately two hours after the installation of the tax software is complete, without notification on the victim's system. After execution, the software contacts a server that does not belong to the official control software.
  • After the first attempts to contact the C2 server, the beacon times are set randomly, which makes it difficult to identify it as typical beaconing malware.

GoldenSpy was automatically uninstalled

The BKA writes that shortly after the incidents and the GOLDENSPY malware became known, another tool (according to my reading by Schina) was delivered to affected companies, whereby GOLDENSPY is completely removed from the victim system by means of the AWX.exe file. The functionality includes deleting registry entries as well as LogFiles. After successful cleanup, the tool also removes itself from the affected system.

Since several IT security solutions already recognize AWX.exe as malicious, a more advanced version (BWXT.exe) has been put into circulation. The functionalities already described have been retained.

Recommendations for action

In the document, the BKA provides specific recommendations for action on how companies should deal with the problem. These include orientation to the publicly available standards recommended, such as the BSI-Grundschutz guidelines or the tried-and-tested CIS Controls of the Center for Internet Security.

  • When using software or systems that must be used to comply with legal requirements in other countries, it is recommended not to integrate them into the domain, but to operate them separately – as far as possible – from critical corporate networks.
  • Only the data required to meet legal requirements should be processed on these systems.
  • Data that is no longer required should be regularly deleted from these systems.
  • Access data used should be used exclusively and not reused elsewhere.

It is recommended to check one's own systems with the IOCs and detection signatures provided. In particular, log files and active network connections should be searched for connections to the external systems mentioned in the IOCs section. In addition, Windows event logs should be searched for the creation of services named svm or svmm.

If there is evidence of infection or suspicious system behavior, the proven incident response plans should be executed to detect, contain, and effectively counter the extent of any compromise. Systems that had suspicious software installed should be rebooted even in the absence of evidence of active infection, following the recommendations outlined in the Prevention section. Further details and technical indicators can be found in the BKA and FBI document.


Advertising

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).