GoldenBall — GoldenSpy V2.0

Trustwave researchers recently identified a backdoor in the Golden Tax software “Aisino”. Another Golden Tax software package, “Baiwang”, also delivers malicious payloads.

Golden Tax Invoicing System (金税开票系统)

There are two official providers of the government's invoicing system in China: Aisino (航天) and Baiwang (百望). All businesses must issue VAT invoices through the Golden Tax system.

Baiwang

In January 2019, files linked to the Golden Tax invoice software Baiwang were uploaded to VirusTotal from China: 26e71f1d387298162c1b19e858d001a1 (wmiasssrv.dll) and 490d17a5b016f3abc14cc57f955b49b3 (msorvs571.dat).

Analysis

I tried to extract and analyse the samples; the file does not execute in a sandbox environment. Below are the notable imports of the files.

Notable imports of wmiasssrv.dll
Notable imports of msorvs571.dat

Network connection:

From the code, it appears that the malware generates the connecting URL at runtime and downloads subsequent payloads.

A VirusTotal search for the filename “taxver.jpg” returned only one HTML file. That HTML file was downloaded from the domain help[.]tax-helper[.]ltd, so there is a high chance that this is the dynamically calculated domain.

I pivoted on the domain in RiskIQ to look for related hashes.

RiskIQ showing relevant hashes

This resulted in 4 other hashes:

  • 0ed0ef98f8dc1b8d1b833183d39d3d8c
  • 5e378316e852bef1bdd892d39c0c1ef1
  • 590a9da3e5a67b8ca9f823f39021f5e8
  • 7a7ef986808ebb7781f5d64da9d7900c

Connecting the dots

All 4 hashes were DLL files with the same Imphash. Moreover, their code genes partially match the Fireball malware.
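The pivot above groups the four DLLs because they share an Imphash. As an added example, not code from the original post, the following Python reimplements the imphash calculation as pefile computes it (lowercase library and function names, strip .dll/.ocx/.sys, ordinals as ordN, MD5 over the comma-joined list) and clusters a few constructed import tables by it; the sample names and import tables are constructed, not the real samples', and no ordinal-to-name table is used.

```python
import hashlib
from collections import defaultdict

# Library-name extensions that the pefile imphash algorithm strips.
_STRIP_EXTS = ("dll", "ocx", "sys")


def normalize_import(dll: str, func) -> str:
    """Build the 'library.function' token imphash uses for one import.

    Mirrors pefile: lowercase both parts, drop a trailing .dll/.ocx/.sys
    from the library name, and write an import-by-ordinal (an int) as
    'ordN'. Assumption: no ordinal-to-name table is used here, whereas
    pefile resolves known ordinals (e.g. ws2_32) to names first.
    """
    lib = dll.lower()
    base, _, ext = lib.rpartition(".")
    if base and ext in _STRIP_EXTS:
        lib = base
    name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{lib}.{name}"


def imphash(imports) -> str:
    """MD5 of the comma-joined tokens; import order is part of the hash."""
    tokens = [normalize_import(dll, func) for dll, func in imports]
    return hashlib.md5(",".join(tokens).encode()).hexdigest()


def cluster_by_imphash(samples: dict) -> dict:
    """Group sample names that share an imphash (identical import tables)."""
    clusters = defaultdict(list)
    for name, imports in samples.items():
        clusters[imphash(imports)].append(name)
    return dict(clusters)


# Constructed import tables for illustration; not the real samples' imports.
COMMON_IMPORTS = [
    ("KERNEL32.dll", "VirtualAlloc"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("WININET.dll", "InternetOpenUrlA"),
    ("WS2_32.dll", 23),  # imported by ordinal, no name in the thunk
]
SAMPLES = {
    "sample_a.dll": COMMON_IMPORTS,
    "sample_b.dll": [(d.upper(), f) for d, f in COMMON_IMPORTS],  # case only
    "sample_c.dll": list(reversed(COMMON_IMPORTS)),  # same APIs, new order
}
```

Because the hash covers the import order, two builds of the same code base from the same toolchain collide while a hand-edited import table does not, which is why imphash works as a build fingerprint rather than an API-set fingerprint.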

In June 2017, Check Point uncovered the Fireball operation, run by a Chinese digital marketing agency. The Fireball malware acts as a browser hijacker but can be turned into a fully functioning malware downloader. Fireball is capable of executing any code on victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.

IoCs

  • 26e71f1d387298162c1b19e858d001a1
  • 490d17a5b016f3abc14cc57f955b49b3
  • 0ed0ef98f8dc1b8d1b833183d39d3d8c
  • 5e378316e852bef1bdd892d39c0c1ef1
  • 590a9da3e5a67b8ca9f823f39021f5e8
  • 7a7ef986808ebb7781f5d64da9d7900c
  • help[.]tax-helper[.]ltd

Reference

https://www.linkedin.com/pulse/china-specific-golden-tax-%E9%87%91%E7%A8%8E-fapiao-%E5%8F%91%E7%A5%A8-samuel-rollet/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/

https://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/
