Supply Chain Attack Operation Red Signature Targets South Korean Organizations

2018-08-21 Trend Micro

https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/


Operation Red Signature compromised the update server of a South Korean remote support solution provider and used it to deliver the 9002 RAT only to customer organizations in selected IP ranges. The attackers stole the vendor's code-signing certificate and signed the malicious update files with it, so the tampered update passed the same signature checks as a legitimate one; the trusted update process then executed a DLL that decrypted the RAT and ran it in memory. The payload connected to 66[.]42[.]37[.]101 and downloaded additional tools for Active Directory discovery, SQL database password dumping, browser password recovery, Mimikatz credential theft, and exploitation of IIS 6 WebDAV via CVE-2017-7269. Trend Micro also observed a PlugX variant using the same C2 and additional infrastructure at 207[.]148[.]94[.]157. The case matters for defenders because a valid Authenticode signature from a stolen certificate is not evidence that an update is benign: monitoring of trusted software-update channels (update hashes, signer identity, and delivery targeting) and of post-compromise tooling is needed alongside signature verification.

Indicators of Compromise

Type  Value                             First Seen  Last Seen
HASH  e5029808f78ec4a079e889e5823ee29…  2018-08-21  2018-08-21
HASH  0703a917aaa0630ae1860fb5fb1f64f…  2018-08-21  2018-08-21
HASH  279cf1773903b7a5de63897d55268aa…  2018-08-21  2018-08-21
HASH  c14ea9b81f782ba36ae3ea450c28506…  2018-08-21  2018-08-21
HASH  a3a1b1cf29a8f38d05b4292524c3496…  2018-08-21  2018-08-21
HASH  52374f68d1e43f1ca6cd04e5816999b…  2018-08-21  2018-08-21
HASH  28c5a6aefcc57e2862ea16f5f2ecb1e…  2018-08-21  2018-08-21
HASH  9415ca80c51b2409a88e26a9eb3464d…  2018-08-21  2018-08-21
HASH  e530e16d5756cdc2862b4c9411ac3bb…  2018-08-21  2018-08-21
HASH  bcfacc1ad5686aee3a9d8940e46d32a…  2018-08-21  2018-08-21
HASH  4ae4aed210f2b4f75bdb855f6a5c11e…  2018-08-21  2018-08-21
IPv4  66.42.37.101                      2018-08-21  2018-08-21
IPv4  207.148.94.157                    2018-08-21  2018-08-21
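As an added example (not code from the Trend Micro report), the script below turns the IOC table above into something a defender can run: it parses the table in the format shown on this page, sweeps constructed firewall log lines for connections to the two C2 addresses, and checks a constructed file-hash inventory against the listed hashes. Because the page shows only the leading characters of each hash (the trailing "…"), hashes are matched as prefixes and any hit must be confirmed against the full digest from the report. The key=value log format, hostnames and file path are assumptions made for the example.

```python
"""Match the Operation Red Signature IOCs above against egress logs and a
file-hash inventory. Added example, not Trend Micro's code; the log format,
hostnames and paths are assumptions, and all sample data is constructed."""
import ipaddress
import re

# The IOC table in the page's own format (first three hashes shown). Hashes
# are truncated on the page (trailing "…"), so they can only be used as prefixes.
IOC_TABLE = """\
HASH e5029808f78ec4a079e889e5823ee29… 2018-08-21 2018-08-21
HASH 0703a917aaa0630ae1860fb5fb1f64f… 2018-08-21 2018-08-21
HASH 279cf1773903b7a5de63897d55268aa… 2018-08-21 2018-08-21
IPv4 66.42.37.101 2018-08-21 2018-08-21
IPv4 207.148.94.157 2018-08-21 2018-08-21
"""


def parse_ioc_table(text):
    """Return {"hash_prefixes": [...], "ips": [...]} from the page's table format."""
    prefixes, ips = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        kind, value = parts[0], parts[1]
        if kind == "HASH":
            # A trailing ellipsis means the page shows only part of the digest.
            prefixes.append(value.rstrip("…").lower())
        elif kind == "IPv4":
            ips.append(str(ipaddress.ip_address(value)))  # validates the literal
    return {"hash_prefixes": prefixes, "ips": ips}


IOCS = parse_ioc_table(IOC_TABLE)

# Assumed key=value firewall log format; the lines are constructed for the demo.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")
SAMPLE_LOGS = """\
2018-08-20T09:12:01Z src=10.20.1.15 dst=203.0.113.8 dport=443 action=allow
2018-08-20T09:12:44Z src=10.20.1.15 dst=66.42.37.101 dport=443 action=allow
2018-08-20T09:13:02Z src=10.20.1.40 dst=207.148.94.157 dport=80 action=allow
2018-08-20T09:13:30Z src=10.20.1.40 dst=198.51.100.23 dport=53 action=allow
"""


def find_c2_connections(log_text, ips=None):
    """Return (src, dst, dport) for every logged connection to a listed C2 address."""
    ips = set(IOCS["ips"] if ips is None else ips)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dst") in ips:
            hits.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits


# Constructed (host, path, sha256) inventory. The path is hypothetical, and the
# ws01 digest is the page's first hash prefix padded to 64 hex characters so the
# demo produces a hit; mixed case shows that comparison is case-insensitive.
SAMPLE_INVENTORY = [
    ("ws01", r"C:\ProgramData\Vendor\update\update.exe",
     "E5029808F78EC4A079E889E5823EE29" + "0" * 33),
    ("ws02", r"C:\ProgramData\Vendor\update\update.exe",
     "1" * 64),
]


def find_hash_matches(inventory, prefixes=None):
    """Return (host, path, prefix) for files whose digest starts with a listed prefix.

    A prefix hit is a lead, not a verdict: confirm it against the full hash
    from the report before taking response action.
    """
    prefixes = IOCS["hash_prefixes"] if prefixes is None else prefixes
    hits = []
    for host, path, digest in inventory:
        d = digest.strip().lower()
        for p in prefixes:
            if d.startswith(p):
                hits.append((host, path, p))
                break
    return hits


if __name__ == "__main__":
    for src, dst, dport in find_c2_connections(SAMPLE_LOGS):
        print(f"C2 egress: {src} -> {dst}:{dport}")
    for host, path, prefix in find_hash_matches(SAMPLE_INVENTORY):
        print(f"hash prefix match on {host}: {path} ({prefix}...)")
```

The two C2 addresses are worth a block rule at the egress firewall regardless of hits, but a hash or IP match on an endpoint in the affected customer IP ranges is the trigger to pull the update logs and signed update binaries for that host, since the signature alone will look valid.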
