The US Federal Bureau of Investigation sent an alert on Thursday warning US companies about backdoor malware that is being silently installed on the networks of foreign companies operating in China via government-mandated tax software.
The backdoors allow threat actors to execute unauthorized code, infiltrate networks, and steal proprietary data from branches operating in China.
Making matters worse, the FBI says that all foreign companies are required by local Chinese laws to install this particular piece of software in order to handle value-added tax (VAT) payments to the Chinese tax authority.
FBI officials said the backdoor malware was spotted in the VAT software of two Chinese tech companies — namely Baiwang and Aisino.
Unfortunately, these are the only government-authorized tax software service providers allowed to operate VAT software in China, officials said, suggesting that any foreign company operating in China was most likely affected by this issue.
FBI alert linked to GoldenHelper and GoldenSpy reports
The FBI alert also listed two separate incidents in which the infected companies discovered the malware's presence on their networks.
“In July 2018, an employee of a US pharmaceutical company with business interests in China downloaded the Baiwang Tax Control Invoicing software program from baiwang.com. Since at least March 2019, Baiwang released software updates which installed a driver automatically along with the main tax program. In April 2019, employees of the pharmaceutical company discovered that the software contained malware that created a backdoor on the company’s network,” the FBI said — describing what security firm Trustwave later identified as the GoldenHelper malware.
“In June 2020, a private cybersecurity firm reported that Intelligence Tax, a tax software from Aisino Corporation that is required by a Chinese bank under the same VAT system, likely contained malware that installed a hidden backdoor to the networks of organizations using the tax software,” the FBI also said — describing what Trustwave identified as the GoldenSpy backdoor, believed to be a second and improved iteration of the original GoldenHelper malware.
The FBI warns US companies that the backdoor malware installed on their systems has dangerous capabilities that may allow “cyber actors to preposition to conduct remote code execution and exfiltration activities on the victim’s network.”
FBI officials said they believed US companies in the healthcare, chemical, and finance sectors operating in China are in particular danger, based on China’s historical interest in these sectors.
Currently, the FBI Flash Alert AC-000129-TT is being distributed to companies in the aforementioned sectors so they can investigate further.
Indicators of compromise, such as malware file hashes and network communication URLs, that may help companies identify the presence of either of the two backdoor versions are available in Trustwave’s GoldenHelper and GoldenSpy reports.
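For readers who want to act on such a report, the script below is an added example (not code from the FBI, Trustwave, or the original article) of the two checks those indicators support: hashing every file under a directory and matching the digests against a list of known-bad SHA-256 values, and scanning a proxy log for requests whose hostname is, or is a subdomain of, a known-bad domain. The hash list, domain list, sample files and log lines are all constructed placeholders; the real hashes and URLs for GoldenHelper and GoldenSpy must be taken from the Trustwave reports.

```python
"""IOC sweep: file-hash matching plus proxy-log domain matching (added example)."""
import hashlib
import os
import re
import tempfile
from typing import Iterable, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed placeholder standing in for a malicious dropped driver. The IOC set
# is derived from it so the example runs offline; real hashes come from the reports.
SAMPLE_PAYLOAD = b"constructed placeholder payload standing in for a malicious driver"
IOC_SHA256: Set[str] = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}

# Constructed placeholder domains (not the real GoldenSpy/GoldenHelper infrastructure).
IOC_DOMAINS: Set[str] = {"vat-updates.example", "tax-helper.example"}

# Constructed proxy log: "<timestamp> <client-ip> <method> <url>".
# The last line is a deliberate trap: a substring match on the domain would flag it,
# a proper hostname comparison must not.
SAMPLE_LOG = """\
2020-07-23T10:01:12Z 10.0.5.17 GET https://www.example.com/index.html
2020-07-23T10:02:40Z 10.0.5.17 POST https://vat-updates.example/api/report
2020-07-23T10:03:05Z 10.0.5.42 GET http://tax-helper.example/download/driver.bin
2020-07-23T10:04:00Z 10.0.5.42 GET https://vat-updates.example.evil.test/x
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root: str, ioc_hashes: Set[str]) -> List[Tuple[str, str]]:
    """Return (path, digest) for every file under root whose SHA-256 is in ioc_hashes."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if digest in ioc_hashes:
                hits.append((path, digest))
    return hits


def host_matches(hostname: str, ioc_domains: Set[str]) -> bool:
    """True when hostname equals an IOC domain or is a subdomain of one.

    Comparing on label boundaries avoids the classic false positive where
    'vat-updates.example.evil.test' contains 'vat-updates.example' as a substring.
    """
    hostname = hostname.lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in ioc_domains)


def scan_proxy_log(lines: Iterable[str], ioc_domains: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, url) for each request to an IOC domain."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m.group("url")).hostname or ""
        if host_matches(host, ioc_domains):
            hits.append((m.group("ts"), m.group("src"), m.group("url")))
    return hits


def build_sample_tree() -> str:
    """Create a throwaway directory with one benign file and one file matching an IOC hash."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    drivers = os.path.join(root, "TaxSoftware", "drivers")
    os.makedirs(drivers)
    with open(os.path.join(root, "TaxSoftware", "readme.txt"), "wb") as f:
        f.write(b"benign placeholder file")
    with open(os.path.join(drivers, "svc.sys"), "wb") as f:
        f.write(SAMPLE_PAYLOAD)
    return root


if __name__ == "__main__":
    for path, digest in sweep_files(build_sample_tree(), IOC_SHA256):
        print(f"HASH MATCH {digest[:16]}... {path}")
    for ts, src, url in scan_proxy_log(SAMPLE_LOG.splitlines(), IOC_DOMAINS):
        print(f"NET MATCH  {ts} {src} -> {url}")
```

Run it against a real host by pointing `sweep_files` at the tax software's install directory and `scan_proxy_log` at exported proxy or firewall logs, after replacing the placeholder sets with the published indicators. Hash matching only catches the exact samples that were reported, so a clean sweep is not proof of absence; the network check is the more durable of the two because it survives recompiled binaries.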
While the FBI alert didn’t point the finger at the Chinese government directly, it said that both Baiwang and Aisino operate their VAT software under the management and oversight of NISEC (National Information Security Engineering Center), a state-owned enterprise with “foundational links” to China’s People’s Liberation Army, suggesting a well-orchestrated nation-state intelligence-gathering operation.