Breaking News: Supply Chain Attack Operation Red Signature Targets South Korean Organizations

Trend Micro Research, along with researchers from IssueMakersLab, recently discovered a supply chain attack targeting South Korean organizations, named Operation Red Signature. The attack was targeted to specific IP ranges of certain organizations within South Korea. Malicious updates delivered popular remote access tool, 9002 RAT, to target companies. Once inside the network, attackers were looking to steal user credentials, as well as data from web servers and databases. Breaking News: Supply Chain Attack Operation Red Signature Targets South Korean Organizations

Figure 1. Operation Red Signature’s attack chain

Here’s how Operation Red Signature works:

  1. The code-signing certificate from the remote support solutions provider is stolen. It’s possible that the certificate was stolen as early as April 2018, as we found a ShiftDoor malware (4ae4aed210f2b4f75bdb855f6a5c11e625d56de2) on April 8 that was signed with the stolen certificate.
  2. Malicious update files are prepared, signed with the stolen certificate, and uploaded to the attacker’s server (207[.]148[.]94[.]157).
  3. The update server of the company is hacked.
  4. The update server is configured to receive an update.zip file from the attackers’ server if a client is connecting from a specific range of IP addresses belonging to their targeted organizations.
  5. The malicious update.zip file is sent to the client when the remote support program is executed.
  6. The remote support program recognizes the update files as normal and executes the 9002 RAT malware inside it.
  7. 9002 RAT downloads and executes additional malicious files from the attackers’ server.

The full breaking story is available here:

https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/ 

Source: Trend Micro

About Trend Micro

Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Its innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. All its products work together to seamlessly share threat intelligence and provide a connected threat defense with centralized visibility and control, enabling better, faster protection. With over 6,000 employees in over 50 countries and the world’s most advanced global threat intelligence, Trend Micro secures your connected world.

Subscribe to Cyber Defense Magazine

Join our mailing list, no strings attached. We never sell your data. We'll send you monthly e-magazines, webinar invites from us and our partners, cybersecurity trade show updates, awards, infosec news, cybersecurity tips and so much more on all things cyber defense.
Subscribe

Related News

Control the Uncontrollable, The Path to Supply Chain Security
August 21, 2018

CyberDefenseMagazine Follow 24,016 54,487

Cyber Defense Magazine - The Premier Source for IT Security and Compliance Information. https://t.co/748STKH6k0.

cyberdefensemag

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Global InfoSec Awards for 2024 are now Open! Take advantage of co-marketing packages and enter today!

Show Me!
X