The Operation Red Signature aimed at delivering a remote access Trojan (RAT) used by attackers to steal sensitive information from the victims.
Threat actors compromised update server of a remote support solutions provider, using this attack scheme hackers infected the victims with the 9002 RAT backdoor.
“Together with our colleagues at IssueMakersLab, we uncovered Operation Red Signature, an information theft-driven supply chain attack targeting organizations in South Korea. We discovered the attacks around the end of July, while the media reported the attack in South Korea on August 6.” reads the analysis published by TrendMicro.
The malicious code delivered by the attackers was signed with a valid digital certificate that was stolen, attackers also changed the configuration of the update server to deliver the malware only to organizations within a specified range of IP addresses.
According to Trend Micro, the attackers likely stole the code signing certificate in April and used it to sign the malicious update files then uploaded them on their servers.
Then the hackers compromised the server used to deliver the update and configured it to retrieve an update.zip file from the server controlled by the attackers.
Researchers observed that the 9002 RAT was also used to deliver additional payloads, such as an exploit tool for Internet Information Services (IIS) 6 WebDav (exploiting CVE-2017-7269) and an SQL database password dumper.
“The update.zip file contains an update.ini file, which has the malicious update configuration that specifies the remote support solution program to download file000.zip and file001.zip and extract them as rcview40u.dll and rcview.log to the installation folder.” continues the analysis.
“The program will then execute rcview40u.dll, signed with the stolen certificate, with Microsoft register server (regsvr32.exe). This dynamic-link library (DLL) is responsible for decrypting the encrypted rcview.log file and executing it in memory. 9002 RAT is the decrypted rcview.log payload, which connects to the command-and-control (C&C) server at 66[.]42[.]37[.]101.”
The analysis of the 9002 RAT backdoor revealed it was compiled on July 17, 2018, and the configuration files inside update.zip were created on July 18. On July 18, the remote support program’s update process started, experts noticed that the 9002 RAT used supply chain attack was set to be inactive in August.
The RAT can fetch a long list of hacking tools reported in the following table:
Here’s a list of files that 9002 RAT retrieves and delivers to the affected system:
|dsget.exe||DsGet||View active directory objects|
|dsquery.exe||DsQuery||Search for active directory objects|
|sharphound.exe||SharpHound||Collect active directory information|
|aio.exe||All In One (AIO)||Publicly available hack tool|
|ssms.exe||SQL Password dumper||Dump password from SQL database|
|printdat.dll||RAT (PlugX variant)||Remote access tool|
|w.exe||IIS 6 WebDav Exploit Tool||Exploit tool for CVE-2017-7269 (IIS 6)|
|Web.exe||WebBrowserPassView||Recover password stored by browser|
|smb.exe||Scanner||Scans the system’s Windows version and computer name|
|m.exe||Custom Mimikatz (including 32bit / 64bit file)||Verify computer password and active directory credentials|
“Supply chain attacks don’t just affect users and businesses — they exploit the trust between vendors and its clients or customers. By trojanizing software/applications or manipulating the infrastructures or platforms that run them, supply chain attacks affects the integrity and security of the goods and services that organizations provide,” Trend Micro concludes.