Operation Red Signature – South Korean Firms victims of a supply chain attack

Supply Chain Attack Hits South Korean Firms

Security researchers from Trend Micro have uncovered a supply chain attack, tracked as Operation Red Signature, against organizations in South Korea.

The Operation Red Signature aimed at delivering a remote access Trojan (RAT) used by attackers to steal sensitive information from the victims.

Threat actors compromised update server of a remote support solutions provider, using this attack scheme hackers infected the victims with the 9002 RAT backdoor.

“Together with our colleagues at IssueMakersLab, we uncovered Operation Red Signature, an information theft-driven supply chain attack targeting organizations in South Korea. We discovered the attacks around the end of July, while the media reported the attack in South Korea on August 6.” reads the analysis published by TrendMicro.

The malicious code delivered by the attackers was signed with a valid digital certificate that was stolen, attackers also changed the configuration of the update server to deliver the malware only to organizations within a specified range of IP addresses.

According to Trend Micro, the attackers likely stole the code signing certificate in April and used it to sign the malicious update files then uploaded them on their servers.

Then the hackers compromised the server used to deliver the update and configured it to retrieve an update.zip file from the server controlled by the attackers.

Researchers observed that the 9002 RAT was also used to deliver additional payloads, such as an exploit tool for Internet Information Services (IIS) 6 WebDav (exploiting CVE-2017-7269) and an SQL database password dumper.

Hackers used the tools to steal data stored in their target’s web server and database.

“The update.zip file contains an update.ini file, which has the malicious update configuration that specifies the remote support solution program to download file000.zip and file001.zip and extract them as rcview40u.dll and rcview.log to the installation folder.” continues the analysis.

“The program will then execute rcview40u.dll, signed with the stolen certificate, with Microsoft register server (regsvr32.exe). This dynamic-link library (DLL) is responsible for decrypting the encrypted rcview.log file and executing it in memory. 9002 RAT is the decrypted rcview.log payload, which connects to the command-and-control (C&C) server at 66[.]42[.]37[.]101.”

The analysis of the 9002 RAT backdoor revealed it was compiled on July 17, 2018, and the configuration files inside update.zip were created on July 18. On July 18, the remote support program’s update process started, experts noticed that the 9002 RAT used supply chain attack was set to be inactive in August.

The RAT can fetch a long list of hacking tools reported in the following table:

Here’s a list of files that 9002 RAT retrieves and delivers to the affected system:

Filename	Tool	Purpose
dsget.exe	DsGet	View active directory objects
dsquery.exe	DsQuery	Search for active directory objects
sharphound.exe	SharpHound	Collect active directory information
aio.exe	All In One (AIO)	Publicly available hack tool
ssms.exe	SQL Password dumper	Dump password from SQL database
printdat.dll	RAT (PlugX variant)	Remote access tool
w.exe	IIS 6 WebDav Exploit Tool	Exploit tool for CVE-2017-7269 (IIS 6)
Web.exe	WebBrowserPassView	Recover password stored by browser
smb.exe	Scanner	Scans the system’s Windows version and computer name
m.exe	Custom Mimikatz (including 32bit / 64bit file)	Verify computer password and active directory credentials

“Supply chain attacks don’t just affect users and businesses — they exploit the trust between vendors and its clients or customers. By trojanizing software/applications or manipulating the infrastructures or platforms that run them, supply chain attacks affects the integrity and security of the goods and services that organizations provide,” Trend Micro concludes.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – supply chain attack, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]