GoldenSpy Chapter 5 : Multiple GoldenSpy Uninstaller Variants Discovered

Summary:

Trustwave identified a significant malicious campaign on mandatory tax invoice software, which is required to conduct business in China. The campaign, we dubbed GoldenSpy, is an embedded backdoor in the software package, which allows full remote command and control of the victim’s system via arbitrary code execution.

After GoldenSpy was made public, those behind the backdoor quickly scrambled to push an uninstaller to erase GoldenSpy from infected systems. The uninstaller was dropped from an updater module, cleaned GoldenSpy and finally deleted itself leaving no traces. Another uninstaller was issued right afterwards specifically designed to evade our YARA rules we published to help infected. 

Understanding the attackers were watching our every move to help organizations impacted by GoldenSpy, we waited a period-of-time and quietly kept tracking with our threat hunting strategy. What we found is that they are continuing to push new GoldenSpy uninstallers – so far we have discovered five variants totaling 24 uninstaller files.   

We observed some of the uninstallers were uploaded to public repositories causing the detection ratios to increase. Some of the uninstallers not found in any public repo’s, however, we will report all of them here.

Analysis:

All the variants conducted the exact same behavior, but utilized different execution flow, string obfuscation, and size to evade detection by security technologies. Detailed analysis of the behavior is available in GoldenSpy Chapter 2.

• Stop the svm, svmm services
• Stop the svm,svmm process
• Uninstall the svm,svmm modules
• Remove the SVM installed folder including logs
• Remove the uninstaller (Self-delete)
• Specifically checks for process ‘ZhuDongFangYu.exe,’ which is a China-based antivirus ‘Qihoo 360’ active defense module

Execution flow :

Traffic Flow:

From variant 3, after the GoldenSpy uninstaller clears its traces and before it self-delete, it will send a unique ID to ningzhidata[.]com to track the activity.

Who is behind the GoldenSpy uninstaller development?

During reverse engineering a file from variant 5, We have observed the IP 39[.]98[.]110[.]234 was used for 3^rd stage beacon as mentioned above, and as per the traffic, it does the same.

We checked the above IP, It resolves to ‘Ningbo Digital Technology Co., Ltd’ hxxp[://]www[.]nbdigit[.]com/

As stated in the description below, they provide professional software solutions and technical support.

From the active website, they are providing two files to download, The ‘QdfTools’ name is not relevant as it is actually the ‘GoldenSpy Uninstaller,’ and ‘iclient’ is a ‘GoldenSpy’ dropper, which we identified as svminstaller in the GoldenSpy technical report.

hxxp[://]www[.]nbdigit[.]com/download/QdfTools[.]exe

hxxp[://]www[.]nbdigit [.]com/download/iclient[.]exe

From variant 5, The GoldenSpy uninstaller got downloaded with name ‘QdfTools.exe’ from 222[.]186[.]130[.]200:9006, They gave the product description for the uninstaller as ‘Enterprise service environment detection and cleaning software.’

Based on these findings, we can say that Ningbo Digital Technology Co., Ltd is involved with the development of the ‘GoldenSpy Uninstaller’ and ningzhidata[.]com serving from CDN servers.

Our GoldenSpy YARA rule successfully detected the ‘iclient.exe.’

Traffic comparisons:

GoldenSpy Uninstaller Variant’s Indicators of compromise:

Binaries:

Network:

ATT&CK Mappings:

YARA:

rule Goldenspy_Uninstaller

{

meta:

            author = "SpiderLabs"

            malware_family = "GoldenSpy"

            filetype =  "exe_dll"

            version = "4.0"

strings:

            $str1 = "taskkill /IM svm.exe /IM svmm.exe /F" ascii          

            $str2 = "\\svm.exe -stopProtect" ascii                                                                        

            $str3 = "\\svmm.exe -u" ascii                                                                                     

            $str4 = "\\VCProject\\dgs\\Release\\" ascii                                        

            $str5 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\svm" ascii

            $str6 = "\\svmm.exe -stopProtect" ascii

            $str7 = "\\svm.exe -u" ascii

            $str8 = "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\svm.exe" ascii

            $str9 = "dGFza2tpbGwgL0lNIHN2bS5leGUgL0lNIHN2bW0uZXhlIC9GIA" ascii

            $str10 = "c3ZtLmV4ZSAtc3RvcFByb3RlY3Q" ascii

            $str11 = "XHN2bW0uZXhlIC11" ascii

            $str12 = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXHN2bQ" ascii

            $str13 = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cQXBwIFBhdGhzXHN2bS5leGU" ascii

            $str14 = "XHN2bS5leGUgLXU" ascii

            $str15 = "c3ZtbS5leGUgLXN0b3BQcm90ZWN0" ascii

            $str16 = {4951538BCEE8[0-10]8D4C2424[0-10]8D44243C[0-4]68[0-20]83C4088B5004C644247404}

            $str17 = {535556578D4C2414[0-10]8D44242C68[0-10]50C744247C[0-10]83C4088B7004C64424[0-50]8BFE83C9FF33C0}

condition:       

            (uint16(0) == 0x5A4D) and 4 of ($str*)

}

This research depicting regular improvements of the GoldenSpy uninstaller should serve as a wakeup call for organizations because it proves any actions including implanting and extracting malware can be taken covertly and at the will of the attacker with the help of the updater module without impacting the functionality of the Golden Tax software.

Trustwave strongly recommends following best software practices when comes to 3^rd party software installations. No matter where an organization operates, extra vigilance needs to be taken when adopting mandatory software (or any 3^rd party software) in order to conduct business. GoldenSpy and what we have seen in terms of its continuous activities is a prime example.