Operation Red Signature campaign found delivering 9002 RAT to South Korean organizations

• The campaign involves compromising the update server of a remote support solutions provider.
• 9002 RAT is capable of installing additional malicious tools, such an exploit tool for IIS and an SQL database password dumper.

Operation Red Signature is a data theft-driven supply-chain attack campaign that targets South Korean organizations. The campaign involves cybercriminals infecting targeted systems with a remote access tool called 9002 RAT.

The Operation Red Signature campaign involves compromising the update server of a remote support solutions provider, by stealing a targeted firm’s code-signing certificates, to sign the 9002 RAT malware. The attackers also configured the update server to only deliver malware if the client is located within the range of the IP addresses of the targeted organizations.

9002 RAT

9002 RAT is capable of installing additional malicious tools, such as an exploit tool for IIS and an SQL database password dumper. These additional tools indicate that the cybercriminals behind Operation Red Signature are also looking to exfiltrate the data stored in their targets’ databases and web servers.

According to security researchers at Trend Micro, who monitored the campaign, 9002 RAT was developed in July 2018 and the remote support program’s update process started on July 18.

“We also saw the RAT file used for this specific attack was set to be inactive in August, so we can construe that the RAT’s activity was rather short-lived (from July 18 to July 31),” Trend Micro researchers wrote in a blog. “The 9002 RAT also serves as a springboard for delivering additional malware. Most of these are downloaded as files compressed with the Microsoft cabinet format (.cab). This is most likely done to avoid detection by antivirus (AV) solutions.”

How Operation Red Signature works

To ensure the success of the campaign, the cybercriminals behind Operation Red Signature first stole the code-signing certificate from the remote support solutions provider. The ShiftDoor malware was found signed with the stolen certificates. These certificates were then uploaded to C2 server.

Next, the update server of the company was hacked and configured to only receive a malicious file if the client was connecting from within the range of the IP addresses belonging to the targeted organizations.

“Supply chain attacks don’t just affect users and businesses — they exploit the trust between vendors and its clients or customers. By trojanizing software/applications or manipulating the infrastructures or platforms that run them, supply chain attacks affects the integrity and security of the goods and services that organizations provide,” Trend Micro researchers said.

“In healthcare, for instance, where the industry heavily relies on third-party and cloud-based services, supply chain attacks can risk the privacy of personally identifiable data and intellectual property, disrupt hospital operations, and even endanger patient health,” the researchers added.