Trend Micro Research, together with researchers from IssueMakersLab, recently discovered a supply chain attack targeting South Korean organizations, named Operation Red Signature. The attackers compromised the update server of a remote support solutions provider and served malicious updates only to clients connecting from IP ranges belonging to the targeted organizations. Those updates delivered 9002 RAT, a widely used remote access tool, to the target companies. Once inside the network, the attackers looked to steal user credentials, as well as data from web servers and databases.

Figure 1. Operation Red Signature’s attack chain

Here’s how Operation Red Signature works:

  1. The code-signing certificate of the remote support solutions provider is stolen. It’s possible that the certificate was stolen as early as April 2018, as we found a ShiftDoor malware sample (SHA-1 4ae4aed210f2b4f75bdb855f6a5c11e625d56de2) on April 8 that was signed with the stolen certificate.
  2. Malicious update files are prepared, signed with the stolen certificate, and uploaded to the attackers’ server (207[.]148[.]94[.]157).
  3. The update server of the provider is hacked.
  4. The update server is configured to fetch an update.zip file from the attackers’ server whenever a client connects from one of the IP ranges belonging to the targeted organizations.
  5. The malicious update.zip file is sent to the client when the remote support program is executed.
  6. The remote support program treats the update files as legitimate, since they carry a valid signature from the stolen certificate, and executes the 9002 RAT malware inside them.
  7. 9002 RAT downloads and executes additional malicious files from the attackers’ server.
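The trust failure in steps 2 and 6 is that a valid signature from the vendor's certificate is taken as proof that an update is genuine, which a stolen signing key defeats. The Go program below is an added example, not code from Trend Micro or from the affected vendor: it uses Ed25519 in place of Authenticode and constructed data (the vendor key, the package contents, the dates) to contrast that naive check with a hardened one that also requires the package hash to appear in a release manifest obtained independently of the update server, and that rejects signatures made after a key's known compromise time. The `Policy` structure, the key ID `vendor-codesign-2018` and the package bytes are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Update is what the client receives from the update server: the package bytes,
// a signature over them, the ID of the vendor key that signed them and the
// signing time (the countersignature timestamp, in Authenticode terms).
type Update struct {
	Payload  []byte
	Sig      []byte
	KeyID    string
	SignedAt time.Time
}

// Policy is the client-side trust material. Assumed to be shipped with the
// client or fetched over a pinned channel independent of the update server;
// if the server can serve it, the attacker who owns the server controls it too.
type Policy struct {
	Keys        map[string]ed25519.PublicKey // trusted vendor signing keys
	Compromised map[string]time.Time         // key ID -> earliest known misuse
	Manifest    map[string]bool              // SHA-256 of every genuine release
}

// VerifyNaive is the check from step 6 of the attack chain: a package is
// "normal" as soon as it carries a valid signature from a vendor key.
// An update signed with a stolen key passes this check.
func VerifyNaive(p Policy, u Update) error {
	pub, ok := p.Keys[u.KeyID]
	if !ok {
		return errors.New("unknown signing key")
	}
	if !ed25519.Verify(pub, u.Payload, u.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// VerifyHardened keeps the signature check but refuses to treat it as
// sufficient: signatures made with a key after its known compromise time are
// rejected, and the package hash must appear in the release manifest.
func VerifyHardened(p Policy, u Update) error {
	if err := VerifyNaive(p, u); err != nil {
		return err
	}
	if since, bad := p.Compromised[u.KeyID]; bad && !u.SignedAt.Before(since) {
		return fmt.Errorf("key %s is compromised since %s", u.KeyID, since.Format("2006-01-02"))
	}
	sum := sha256.Sum256(u.Payload)
	if !p.Manifest[hex.EncodeToString(sum[:])] {
		return errors.New("package hash is not in the release manifest")
	}
	return nil
}

func sign(priv ed25519.PrivateKey, keyID string, payload []byte, at time.Time) Update {
	return Update{Payload: payload, Sig: ed25519.Sign(priv, payload), KeyID: keyID, SignedAt: at}
}

// Scenario replays the attack with constructed data: one vendor key, one
// genuine release, and a malicious update.zip signed with the same stolen key.
// It returns the verdicts: naive on malicious, hardened on malicious, hardened on genuine.
func Scenario() (naiveMal, hardMal, hardGenuine error) {
	seed := sha256.Sum256([]byte("constructed vendor key for the example, not a real one"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	const keyID = "vendor-codesign-2018" // assumed key identifier

	genuine := []byte("update.zip: genuine remote support client (constructed)")
	malicious := []byte("update.zip: dropper carrying 9002 RAT (constructed)")
	genuineHash := sha256.Sum256(genuine)

	policy := Policy{
		Keys: map[string]ed25519.PublicKey{keyID: priv.Public().(ed25519.PublicKey)},
		// Earliest misuse the report mentions (ShiftDoor sample of 2018-04-08); assumed as the cutoff.
		Compromised: map[string]time.Time{keyID: time.Date(2018, 4, 8, 0, 0, 0, 0, time.UTC)},
		Manifest:    map[string]bool{hex.EncodeToString(genuineHash[:]): true},
	}

	// Constructed dates: the genuine release predates the theft, the malicious one follows it.
	released := sign(priv, keyID, genuine, time.Date(2018, 3, 1, 0, 0, 0, 0, time.UTC))
	stolen := sign(priv, keyID, malicious, time.Date(2018, 6, 1, 0, 0, 0, 0, time.UTC))

	return VerifyNaive(policy, stolen), VerifyHardened(policy, stolen), VerifyHardened(policy, released)
}

func main() {
	n, h, g := Scenario()
	fmt.Println("naive check, stolen-key update:   ", n)
	fmt.Println("hardened check, stolen-key update:", h)
	fmt.Println("hardened check, genuine release:  ", g)
}
```

Run it with `go run`; the naive check reports no error for the stolen-key update, the hardened check rejects it, and the genuine release still passes. Of the two extra checks, the manifest lookup is what stops the malicious update.zip on the day it is served, because the compromise-time rule can only be applied once the theft has been discovered (in real code signing it corresponds to revoking the certificate with an effective date, so signatures timestamped before the theft remain valid). Neither check helps if the manifest or the compromise list is fetched from the same hacked update server.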

The full breaking story is available here:

https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/ 

Source: Trend Micro

About Trend Micro

Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Its innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. All its products work together to seamlessly share threat intelligence and provide a connected threat defense with centralized visibility and control, enabling better, faster protection. With over 6,000 employees in over 50 countries and the world’s most advanced global threat intelligence, Trend Micro secures your connected world.