GoldenSpy - S0493 (b9704a7d-feef-4af9-8898-5280f1686326)

GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software. GoldenSpy was discovered targeting organizations in China, being delivered with the "Intelligent Tax" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.(Citation: Trustwave GoldenSpy June 2020)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	GoldenSpy - S0493 (b9704a7d-feef-4af9-8898-5280f1686326)	Malware	1
GoldenSpy - S0493 (b9704a7d-feef-4af9-8898-5280f1686326)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	GoldenSpy - S0493 (b9704a7d-feef-4af9-8898-5280f1686326)	Malware	1
GoldenSpy - S0493 (b9704a7d-feef-4af9-8898-5280f1686326)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	1
GoldenSpy - S0493 (b9704a7d-feef-4af9-8898-5280f1686326)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	GoldenSpy - S0493 (b9704a7d-feef-4af9-8898-5280f1686326)	Malware	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	GoldenSpy - S0493 (b9704a7d-feef-4af9-8898-5280f1686326)	Malware	1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	GoldenSpy - S0493 (b9704a7d-feef-4af9-8898-5280f1686326)	Malware	1
GoldenSpy - S0493 (b9704a7d-feef-4af9-8898-5280f1686326)	Malware	Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	1
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	GoldenSpy - S0493 (b9704a7d-feef-4af9-8898-5280f1686326)	Malware	1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	GoldenSpy - S0493 (b9704a7d-feef-4af9-8898-5280f1686326)	Malware	1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	GoldenSpy - S0493 (b9704a7d-feef-4af9-8898-5280f1686326)	Malware	1
GoldenSpy - S0493 (b9704a7d-feef-4af9-8898-5280f1686326)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	1
GoldenSpy - S0493 (b9704a7d-feef-4af9-8898-5280f1686326)	Malware	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	1
GoldenSpy - S0493 (b9704a7d-feef-4af9-8898-5280f1686326)	Malware	Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00)	Attack Pattern	1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7)	Attack Pattern	Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00)	Attack Pattern	2