Breaking News: Supply Chain Attack Operation Red Signature Targets South Korean Organizations

Trend Micro Research, along with researchers from IssueMakersLab, recently discovered a supply chain attack targeting South Korean organizations, named Operation Red Signature. The attack was aimed at specific IP ranges belonging to certain organizations within South Korea. Malicious updates delivered the 9002 RAT, a widely used remote access tool, to the targeted companies. Once inside the network, the attackers sought to steal user credentials, as well as data from web servers and databases.

Figure 1. Operation Red Signature’s attack chain

Here’s how Operation Red Signature works:

  1. The code-signing certificate from the remote support solutions provider is stolen. It’s possible that the certificate was stolen as early as April 2018, as we found a ShiftDoor malware (4ae4aed210f2b4f75bdb855f6a5c11e625d56de2) on April 8 that was signed with the stolen certificate.
  2. Malicious update files are prepared, signed with the stolen certificate, and uploaded to the attacker’s server (207[.]148[.]94[.]157).
  3. The update server of the company is hacked.
  4. The update server is configured to fetch a file from the attackers’ server if a client is connecting from a specific range of IP addresses belonging to their targeted organizations.
  5. The malicious file is sent to the client when the remote support program is executed.
  6. The remote support program recognizes the update files as normal and executes the 9002 RAT malware inside it.
  7. 9002 RAT downloads and executes additional malicious files from the attackers’ server.
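
Step 4 above describes an update server that hands a different file only to clients coming from the targeted IP ranges. As an added example that is not part of the Trend Micro report, the following Python script runs over constructed update-server access records (client IP, requested path, digest of the bytes actually served; the digests are placeholder strings) and flags any update path that was served with more than one digest, reporting which client networks received the minority version.

```python
import ipaddress
from collections import defaultdict

# Constructed access records for an update server: "client_ip path digest_of_served_bytes".
# IPs are from documentation ranges and the digests are placeholders, not real file hashes.
SAMPLE_LOG = """\
203.0.113.10 /update/support.exe d1d1d1d1
203.0.113.11 /update/support.exe d1d1d1d1
198.51.100.7 /update/support.exe d1d1d1d1
198.51.100.8 /update/support.exe e2e2e2e2
198.51.100.9 /update/support.exe e2e2e2e2
203.0.113.12 /update/helper.dll f3f3f3f3
198.51.100.7 /update/helper.dll f3f3f3f3
"""


def parse(log_text):
    """Yield (client_ip, path, digest) tuples from the constructed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, path, digest = line.split()
        yield ipaddress.ip_address(ip), path, digest


def find_split_serving(log_text):
    """Return {path: {digest: [client IPs]}} for every path served with more than one digest.

    A legitimate update path should map to exactly one digest; two or more means the
    server handed different bytes to different clients for the same request.
    """
    served = defaultdict(lambda: defaultdict(list))
    for ip, path, digest in parse(log_text):
        served[path][digest].append(str(ip))
    return {path: {d: sorted(ips) for d, ips in by_digest.items()}
            for path, by_digest in served.items() if len(by_digest) > 1}


def minority_digest_networks(split, prefixlen=24):
    """For each flagged path, return (least-common digest, client networks that received it).

    Clustering the minority digest by /prefixlen exposes IP-range-conditioned delivery.
    """
    report = {}
    for path, by_digest in split.items():
        rare = min(by_digest, key=lambda d: len(by_digest[d]))
        nets = {str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
                for ip in by_digest[rare]}
        report[path] = (rare, sorted(nets))
    return report
```

Run against real access logs, the digest column would come from hashing the bytes the server actually returned (for example from a proxy or full-content capture), since the server's own logs only record the request.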

The full breaking story is available here: 

Source: Trend Micro

About Trend Micro

Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Its innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. All its products work together to seamlessly share threat intelligence and provide a connected threat defense with centralized visibility and control, enabling better, faster protection. With over 6,000 employees in over 50 countries and the world’s most advanced global threat intelligence, Trend Micro secures your connected world.

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.
