Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент GoldenSpy
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
GoldenSpy
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

GoldenSpy

GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software. GoldenSpy was discovered targeting organizations in China, being delivered with the "Intelligent Tax" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.(Citation: Trustwave GoldenSpy June 2020)
ID: S0493
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 23 Jul 2020
Last Modified: 19 Aug 2020

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

GoldenSpy has used the Ryeol HTTP Client to facilitate HTTP internet communication.(Citation: Trustwave GoldenSpy June 2020)
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

GoldenSpy can execute remote commands via the command-line interface.(Citation: Trustwave GoldenSpy June 2020)

Enterprise T1136 .001 Create Account: Local Account

GoldenSpy can create new users on an infected system.(Citation: Trustwave GoldenSpy June 2020)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

GoldenSpy has established persistence by running in the background as an autostart service.(Citation: Trustwave GoldenSpy June 2020)

Enterprise T1070 .004 Indicator Removal: File Deletion

GoldenSpy's uninstaller can delete registry entries, files and folders, and finally itself once these tasks have been completed.(Citation: Trustwave GoldenSpy2 June 2020)
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

GoldenSpy's setup file installs initial executables under the folder %WinDir%\System32\PluginManager.(Citation: Trustwave GoldenSpy June 2020)

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

GoldenSpy has been packaged with a legitimate tax preparation software.(Citation: Trustwave GoldenSpy June 2020)
Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

GoldenSpy's installer has delayed installation of GoldenSpy for two hours after it reaches a victim system.(Citation: Trustwave GoldenSpy June 2020)

References

  1. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  2. Trustwave SpiderLabs. (2020, June 26). GoldenSpy: Chapter Two – The Uninstaller. Retrieved July 23, 2020.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.