Member-only story
“GoldenHelper” was discovered on July 14, 2020 embedded in Golden Tax Invoicing Software, an invoice issuing software used by Chinese banks. This malware variant seems to have been active between January 2018 and July 2019.
The following details were obtained from initial static analysis:
- File-type: dynamic-link-library (.dll)
CPU: 64-bit
Subsystem: GUI
Compiler-stamp: 0x5AB052C9 (Mon Mar 19 17:16:09 2018)
Debugger-stamp: 0x5AB052C9 (Mon Mar 19 17:16:09 2018)
File-size: 126464 (bytes) - Hashes:
md5: 490D17A5B016F3ABC14CC57F955B49B3
sha1: A1BB73F6581AB51457EB7160BE8EE4FB18916153
sha256:A1AA0684813CFE9D7ED5C491C8AB132E5583B4FD02187FDAE8AA4D934D933F29 - File path: F:\DLL\dll-client-0309\x64\Release\SvcDll.pdb
Embedded Strings.
PE Studio identified ~1870 strings, the following have been highlighted:
- The following appear to be files that will be loaded during runtime
http://%s/app/taxver[.]jpg
http://%s/app/tps32[.]gif
http://%s/data/msabs[.]dat
http://%s/data/msabb[.]rar
http://%s/data/tax32[.]zip
http://%s/data/taxver[.]jpg
%s\system32\taxver[.]exe
%s\debug\wia\taxver[.]exe
%s\temp\taxver[.]exe
%s\taxver[.]exe - The following are domains found in the sample:
help[.]tax-assistant[.]com
help[.]tax-assistant[.]info
info[.]tax-assistant[.]com
info[.]tax-assistant[.]info
bbs[.]tax-helper[.]info
download[.]tax-helper[.]com
tools[.]tax-helper[.]info
update[.]tax-helper[.]com
info[.]tax-helper[.]ltd
tip[.]tax-helper[.]ltd
update[.]tax-helper[.]ltd
The URLs are all part of five (5) domains:
- tax-helper[.]com
- tax-assistant[.]info
- tax-helper[.]ltd
- tax-assistant[.]com
- tax-helper[.]info
See Bluecoat categorisation for the URLs below
