Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

GoldenSpy Chapter 3: New and Improved Uninstaller

Background:

  • On June 25th, Trustwave SpiderLabs published our research on a backdoor, dubbed GoldenSpy, that was hidden in required Chinese tax software. See the details here.
  • On June 30th, we published an analysis of a new binary that the tax software is deployed and executed to delete and remove all traces that GoldenSpy existed. We also provided a YARA rule to proactively identify the uninstaller. See the details here.
  • This blog shows our analysis of a new binary, now being distributed by Intelligent Tax software, that is identical in operations to the original GoldenSpy Uninstallers, but specifically designed to evade detection by the YARA rule provided in our blog.

There is a constant battle between cyber adversaries and the security community, happening every minute of every day. Offensive operations and defensive countermeasures are constantly being launched back and forth, often to the massive detriment to the victim of a successful attack. But defenders are constantly monitoring for new offensive techniques and countering with innovative defensive measures to detect, disrupt, and deter the cyber-attacks. I have tremendous respect for both sides of this battle as each new strike shows creativity, innovation, and intelligence. However, rarely in my career have I ever witnessed such a clear demonstration of the back and forth than the GoldenSpy campaign that SpiderLabs has been reporting on.

To be fair, SpiderLabs does not know if this backdoor would have been used for malicious purposes or if the uninstall operation is anything more than an attempted clean-up by the company. The secretive nature of the clean-up and the remaining risk of the tax software being able to arbitrarily execute any code it likes is undeniable, but we are not claiming confirmed malicious intent. Just stating the facts.

The back and forth went like this: they planted a secret backdoor in the tax software, we identified it and published our research. They then secretly deployed a new binary to remove any trace that the backdoor ever existed, we reported on that as well and provided a method to detect it. Within hours, they responded with a new version that evades our detection method. Now, we report the new binary and provide an updated detection method. It's a real soap opera.

This is a true example of the cat and mouse game between cyber adversaries and the security community, the Intelligent Tax software now deploys and executes a third version of the GoldenSpy uninstaller. Based on our analysis, the new version conducts identical operations to delete all traces of GoldenSpy, but this one is specifically designed to evade the YARA rule we provided in our GoldenSpy Chapter 2 The Uninstaller blog. Our rule was based on identifying specific encoded and plain-text variables existing in both versions of the GoldenSpy, this new version alters its use of base64 encoding so that it will not be detected by our original YARA rule. This is the only difference in the new version.

The new executable was compiled on 1 July 2020 at 15:52:46 GMT. It is called AWX.exe, as was the original. We are providing the new YARA rule below, which will identify all variants of the GoldenSpy uninstaller. (At least all that we know of now, who knows what tomorrow will bring…) We appreciate the patronage of our blog by the GoldenSpy developers. Please stay tuned for future posts.

Binary Details:

File Name   : AWX.EXE

SHA256 : 10E8C9ADE8687CFB2BADB23C90E8F025C2B2E35D0934D287E19C2B14746395C2

MD5    : 573ADB1569A08472094F0CFBB6264360

CRC32  : 739DA9B2

Format      : Portable executable for 80386 (PE)

Timestamp   : 5EFCB14E (Wed Jul 01 15:52:46 2020)

PDB File Name : D:\日常工作\客户端软件\VCProject\dgs\Release\AWX.pdb

OS type         :  MS Windows

Application type:  Executable 32bit

GoldenSpy Uninstaller YARA rule – Version 2

rule Goldenspy_Uninstaller_v2
{
meta:
    author = "SpiderLabs"
    malware_family = "GoldenSpy"
    filetype =  "exe_dll"
    version = "3.0"
    
strings:

    $str1 = "taskkill /IM svm.exe /IM svmm.exe /F" ascii    
    $str2 = "\\svm.exe -stopProtect" ascii                                
    $str3 = "\\svmm.exe -u" ascii                                                    
    $str4 = "\\VCProject\\dgs\\Release\\" ascii                
    $str5 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\svm" ascii
    $str6 = "\\svmm.exe -stopProtect" ascii
    $str7 = "\\svm.exe -u" ascii
    $str8 = "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\svm.exe" ascii
    $str9 = "dGFza2tpbGwgL0lNIHN2bS5leGUgL0lNIHN2bW0uZXhlIC9GIA" ascii
    $str10 = "c3ZtLmV4ZSAtc3RvcFByb3RlY3Q" ascii
    $str11 = "XHN2bW0uZXhlIC11" ascii
    $str12 = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXHN2bQ" ascii
    $str13 = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cQXBwIFBhdGhzXHN2bS5leGU" ascii
    $str14 = "XHN2bS5leGUgLXU" ascii
    $str15 = "c3ZtbS5leGUgLXN0b3BQcm90ZWN0" ascii


condition:    

    (uint16(0) == 0x5A4D) and 4 of ($str*) 
    
}

Latest SpiderLabs Blogs

Ukrainian Intelligence Claims Successful Compromise of the Russian Ministry of Defense

On March 4, 2024, the Telegram channel of the Main Directorate of Intelligence of the Ministry of Defense of Ukraine (GUR) was updated with assertions that they executed a successful cyberattack...

Read More

Cost Management Tips for Cyber Admins

As anyone who has filled out an expense report can tell you, cost management is everyone's responsibility. Organizations must apply a careful balance of budget planning and expenditures that are in...

Read More

Resurgence of BlackCat Ransomware

Updated March 8: Based on our experience, we believe that BlackCat's claim of shutting down due to law enforcement pressure is a hoax. We anticipate their return under a new guise or brand after...

Read More