Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

Executive Summary

A Recorded Future client provided information to Insikt Group relating to a potential security incident triggered by a software application called “Beijing One Pass”. This Chinese government-backed application enables access to state benefits information and was downloaded by employees of the Recorded Future client after they were informed that paper copies of the information would no longer be available.

Insikt Group independently verified that the installed application exhibits characteristics consistent with potentially unwanted applications (PUA) and spyware. The software is associated with the Beijing Certificate Authority (北京数字认证股份有限公司), which is a Chinese state-owned enterprise (BJCA, www.bjca[.]cn). 

Some notable suspicious behaviors relate to several dropped files and subsequent processes initiated from the primary application. These behaviors include a persistence mechanism, the collection of user data such as screenshots and keystrokes, a backdoor functionality, and other behaviors commonly associated with malicious tools, such as disabling security and backup-related services.

We cannot confirm the intent behind Beijing One Pass’s containing spyware-like capabilities; however, the presence of software with similar spyware-like functionality, developed by at least one other Chinese region, the Shaanxi CA, is notable. These capabilities could be evidence of a deliberate attempt to gain access to devices (such as in support of China’s Cybersecurity Law that allows security organizations to inspect corporate networks remotely), the result of lax security practices by the certificate authorities (CA) and developers, or features designed to comply with Chinese laws and regulations.

Whatever the motive, installing such software on devices that have access to sensitive data is not advised. Recorded Future recommends that companies with China-based employees who need access to state benefit information using “One Pass” software not use it on devices with access to sensitive corporate data.

Analysis

During preliminary analysis, Insikt Group found that the “Beijing One Pass” PC client exhibits behaviors similar to spyware applications. The software contains built-in functionality that, taken in aggregation, raise considerable suspicions about the implication of its data collection capabilities:

• Ability to autorun at Windows startup to ensure persistence
• Checking periodically for human interaction with the operating system as the file is run
• Attempting to read, create, or modify system registry ROOT certificates
• Disabling security and backup services on the host device
• Allowlisting domains for ActiveX use, which potentially allows it to connect to additional internet resources
• Reading data from the clipboard
• Recording screenshots
• Capturing and retrieving keystrokes

There is also some indication that the file contains backdoor functionality to open a port and listen for incoming connections. This functionality is present in a driver that accompanies the CertAppEnv installation called “wmControl.exe”. We also observed anti-analysis capability within the application, which is typically associated with malware.

Based on data provided by the Recorded Future client, the “Beijing One Pass” application requires the installation of the “Certificate Application Environment” software. This software appears to be developed by the Chinese state-owned enterprise Beijing Certificate Authority (北京数字认证股份有限公司). Upon installation of the One Pass PC client, the subsequent process tree that is spawned is detailed in Figure 1 and was investigated further by Insikt Group analysts.

Editor’s Note: This post was an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.