# Supply Chain Attack Operation Red Signature Targets South Korean Organizations

**[Posted on: August 21, 2018](https://blog.trendmicro.com/trendlabs-security-intelligence/2018/08/) at 6:04 am** | **Posted in: [Malware](https://blog.trendmicro.com/trendlabs-security-intelligence/category/malware/), [Targeted Attacks](https://blog.trendmicro.com/trendlabs-security-intelligence/category/targeted_attacks/)** | **[Author: Trend Micro Cyber Safety Solutions Team](https://blog.trendmicro.com/trendlabs-security-intelligence/author/cybersafety/)**

**_by Jaromir Horejsi, Joseph C. Chen, Kawabata Kohei, and Kenney Lu_**

[Together with our colleagues at IssueMakersLab](http://www.issuemakerslab.com/), we uncovered Operation Red Signature, an information theft-driven supply chain attack targeting organizations in South Korea. We discovered the attacks around the end of July, while the media [reported the attack in South Korea on August 6](https://www.boannews.com/media/view.asp?idx=72002&mkind=1&kind=1).

The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the company's code-signing certificate and then using it to sign the malware. They also configured the update server to deliver the malicious files only if the client is located in the IP address range of the target organizations.

_Figure 1. Operation Red Signature's attack chain_

Here's how Operation Red Signature works:

1. The code-signing certificate from the remote support solutions provider is stolen. It's possible that the certificate was stolen as early as April 2018, as we found a ShiftDoor malware sample (4ae4aed210f2b4f75bdb855f6a5c11e625d56de2) dated April 8 that was signed with the stolen certificate.
2. Malicious update files are prepared, signed with the stolen certificate, and uploaded to the attacker's server (207[.]148[.]94[.]157).
3. The update server of the company is hacked.
4. The update server is configured to receive an update.zip file from the attackers' server if a
6. The remote support program recognizes the update files as normal and executes the 9002 RAT malware inside it.
7. 9002 RAT downloads and executes additional malicious files from the attackers' server.

**_Technical analysis_**

The update.zip file contains an update.ini file, which holds the malicious update configuration. It instructs the remote support solution program to download file000.zip and file001.zip and to extract them as rcview40u.dll and rcview.log into the installation folder.

The program then executes rcview40u.dll, which is signed with the stolen certificate, through the Microsoft register server (regsvr32.exe). This dynamic-link library (DLL) is responsible for decrypting the encrypted rcview.log file and executing it in memory. 9002 RAT is the decrypted rcview.log payload, and it connects to the command-and-control (C&C) server at 66[.]42[.]37[.]101.

_Figure 2. Contents of the malicious update configuration_

_Figure 3. How the compromised update process launches the 9002 RAT malware_

_[Figure 4. Known 9002 RAT string pattern inside the decrypted payload of the rcview.log file](https://www.sans.org/summit-archives/file/summit-archive-1492182101.pdf)_

**_Correlating 9002 RAT_**

Delving into 9002 RAT, we found that it was compiled on July 17, 2018, and that the configuration files inside update.zip were created on July 18. Our analysis of an update log file we found reveals that the remote support program's update process started around 13:35 on July 18, with the 9002 RAT being downloaded and launched. We also saw that the RAT file used for this specific attack was set to be inactive in August, so we can construe that the RAT's activity was rather short-lived (from July 18 to July 31).

_Figure 5. Compilation timestamp on 9002 RAT sample (top), timestamp of the malicious configuration (center), and snapshot of the program's update log (bottom)_

_Figure 6. Code snippet showing 9002 RAT checking the system time and setting itself to sleep in August 2018_

**_Additional malware tools_**

The 9002 RAT also serves as a springboard for delivering additional malware. Most of these are downloaded as files compressed with the Microsoft cabinet format (.cab). This is most likely done to avoid detection by antivirus (AV) solutions.
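The chain above (the updater writes rcview40u.dll and rcview.log, regsvr32.exe registers the freshly dropped DLL, the in-memory payload beacons to the C&C, and further tools are then written to disk) gives three behaviours an endpoint detection can key on. The following is an added example written for this page, not code from the post or from Trend Micro: it runs those three rules over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 11 file create). Assumptions not in the post: the updater is named rsupdate.exe, the vendor's legitimate update address is 203.0.113.10, and the decrypted payload runs inside the regsvr32.exe process, which the in-memory execution described above implies but the post does not state outright.

```python
"""Detection pass for the update-abuse chain, run over constructed
Sysmon-style events. Added example; none of this is the post's code."""
from __future__ import annotations

import ntpath
import re
from datetime import datetime, timedelta

# Assumed legitimate update infrastructure (documentation address, not the vendor's real IP).
VENDOR_ALLOWLIST = {"203.0.113.10"}
# How soon after a DLL is written a regsvr32 load of it counts as "freshly dropped".
DROP_WINDOW = timedelta(minutes=10)

# Constructed events; the updater name "rsupdate.exe" is an assumption.
SAMPLE_EVENTS = [
    {"id": 11, "time": "2018-07-18T13:35:10",
     "image": r"C:\Program Files\RemoteSupport\rsupdate.exe",
     "target": r"C:\Program Files\RemoteSupport\rcview40u.dll"},
    {"id": 11, "time": "2018-07-18T13:35:11",
     "image": r"C:\Program Files\RemoteSupport\rsupdate.exe",
     "target": r"C:\Program Files\RemoteSupport\rcview.log"},
    {"id": 1, "time": "2018-07-18T13:35:12",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Program Files\RemoteSupport\rsupdate.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\RemoteSupport\rcview40u.dll"'},
    {"id": 3, "time": "2018-07-18T13:35:20",
     "image": r"C:\Windows\System32\regsvr32.exe", "dest": "66.42.37.101"},
    {"id": 11, "time": "2018-07-18T13:40:02",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "target": r"C:\Users\Public\Web.ex_"},
    # Benign noise: an installer registering a COM server that was not just dropped.
    {"id": 1, "time": "2018-07-18T14:00:00",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml6.dll"},
]

_DLL_ARG = re.compile(r'"([^"]+?\.dll)"|(\S+\.dll)', re.IGNORECASE)


def dll_from_cmdline(cmdline: str) -> str | None:
    """Pull the DLL path out of a regsvr32 command line (quoted or bare)."""
    m = _DLL_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def _is_regsvr32(image: str) -> bool:
    return ntpath.basename(image).lower() == "regsvr32.exe"


def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, detail) alerts for three behaviours of the chain:
    regsvr32 registering a DLL that was just written, regsvr32 connecting
    to a non-vendor address, and regsvr32 writing files (it never should)."""
    alerts: list[tuple[str, str]] = []
    created: dict[str, datetime] = {}  # lower-cased path -> creation time
    for e in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(e["time"])
        if e["id"] == 11:
            created[e["target"].lower()] = when
            if _is_regsvr32(e["image"]):
                alerts.append(("regsvr32_writes_file", e["target"]))
        elif e["id"] == 1 and _is_regsvr32(e["image"]):
            dll = dll_from_cmdline(e.get("cmdline", ""))
            dropped = created.get(dll.lower()) if dll else None
            if dropped is not None and when - dropped <= DROP_WINDOW:
                alerts.append(("regsvr32_loads_fresh_dll", dll))
        elif e["id"] == 3 and _is_regsvr32(e["image"]):
            if e["dest"] not in VENDOR_ALLOWLIST:
                alerts.append(("regsvr32_outbound", e["dest"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:26} {detail}")
```

A rule that fires on every regsvr32.exe launch is unusable on installer-heavy hosts; the freshly-dropped window and the non-vendor destination check keep the noise down, and the last rule (regsvr32 writing files) has almost no benign explanation, so it can be alerted on outright.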
Here's a list of files that 9002 RAT retrieves and delivers to the affected system:

|Filename|Tool|Purpose|
|---|---|---|
|dsget.exe|DsGet|View Active Directory objects|
|dsquery.exe|DsQuery|Search for Active Directory objects|
|sharphound.exe|SharpHound|Collect Active Directory information|
|aio.exe|All In One (AIO)|Publicly available hack tool|
|ssms.exe|SQL password dumper|Dump passwords from SQL database|
|printdat.dll|RAT (PlugX)|Remote access tool|
|w.exe|IIS 6 WebDAV exploit tool|Exploit tool for CVE-2017-7269 (IIS 6)|
|Web.exe|WebBrowserPassView|Recover passwords stored by browsers|
|smb.exe|Scanner|Scans the system's Windows version and computer name|
|m.exe|Custom Mimikatz (including 32-bit / 64-bit files)|Verify computer password and Active Directory credentials|

_Figure 7. Downloaded Web.ex\_ cabinet file (left) and decompressed Web.exe file (right)_

One of the downloaded files, printdat.dll, is another RAT. It is a variant of PlugX malware and connects to the same C&C server (66[.]42[.]37[.]101).

_Figure 8. Internal PlugX date dword value inside the printdat.dll file_

**_Mitigating supply chain attacks_**

Supply chain attacks don't just affect users and businesses: they exploit the trust between vendors and their clients or customers. By trojanizing software/applications or manipulating the infrastructures or platforms that run them, supply chain attacks affect the integrity and security of the goods and services that organizations provide. [In healthcare, for instance, where the industry](https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/exposed-medical-devices-and-supply-chain-attacks-in-connected-hospitals)

Here are some best practices:

- [Oversee third-party products and services](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/data-breaches-highlight-the-need-for-managed-detection-and-response#thirdparty); apart from ensuring the security of the organization's own online premises (e.g., patching, authentication mechanisms), security controls must also be in place in the third-party applications being used.
- Develop a proactive incident response strategy: supply chain attacks are often targeted, so organizations must be able to fully understand, manage, and monitor the risks involved in third-party vendors.
- [Proactively monitor the network for anomalous activities](https://www.trendmicro.com/vinfo/us/security/news/security-technology/best-practices-deploying-an-effective-firewall); firewalls and intrusion detection and prevention systems help mitigate network-based threats.
- [Enforce the principle of least privilege](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-can-the-network-be-protected-from-targeted-attacks): network segmentation, data categorization, [restriction of system administration tools, and application control](https://www.trendmicro.com/vinfo/us/security/news/security-technology/security-101-the-rise-of-fileless-threats-that-abuse-powershell) help deter lateral movement and minimize the data being exposed.

**_Trend Micro Solutions_**

[The Trend Micro™ Deep Discovery™ solution provides detection, in-depth analysis, and proactive response](https://www.trendmicro.com/us/enterprise/security-risk-management/deep-discovery/) to today's stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, [custom sandboxing](https://www.trendmicro.com/vinfo/us/security/news/security-technology/how-can-advanced-sandboxing-techniques-thwart-elusive-malware), and seamless correlation across the entire attack life cycle, allowing it to detect threats even without any engine or pattern update.

[Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions](http://www.trendmicro.com/us/business/complete-user-protection/index.html) can protect users and businesses from threats by detecting malicious files and blocking all related malicious URLs.

**_Indicators of Compromise (IoCs):_**

_Related hashes (SHA-256):_

- 0703a917aaa0630ae1860fb5fb1f64f3cfb4ea8c57eac71c2b0a407b738c4e19 (ShiftDoor) — detected by Trend Micro as BKDR_SETHC.D
- c14ea9b81f782ba36ae3ea450c2850642983814a0f4dc0ea4888038466839c1e (aio.exe) — HKTL_DELOG
- 52374f68d1e43f1ca6cd04e5816999ba45c4e42eb0641874be25808c9fe15005 (rcview.log) — TROJ_SIDELOADR.ENC
- bcfacc1ad5686aee3a9d8940e46d32af62f8e1cd1631653795778736b67b6d6e (rcview40u.dll) — TROJ_SIDELOADR.A
- 279cf1773903b7a5de63897d55268aa967a87f915a07924c574e42c9ed12de30 (sharphound.exe) — HKTL_BLOODHOUND
- e5029808f78ec4a079e889e5823ee298edab34013e50a47c279b6dc4d57b1ffc (ssms.exe) — HKTL_PASSDUMP
- e530e16d5756cdc2862b4c9411ac3bb3b113bc87344139b4bfa2c35cd816e518 (w.exe) — TROJ_CVE20177269.MOX
- 28c5a6aefcc57e2862ea16f5f2ecb1e7df84b68e98e5814533262595b237917d (Web.exe) — HKTL_BROWSERPASSVIEW.GA

_URLs related to the malicious update file:_

- hxxp://207[.]148[.]94[.]157/update/rcv50/update.zip
- hxxp://207[.]148[.]94[.]157/update/rcv50/file000.zip
- hxxp://207[.]148[.]94[.]157/update/rcv50/file001.zip

_URLs related to additionally downloaded malicious files:_

- hxxp://207[.]148[.]94[.]157/aio.exe
- hxxp://207[.]148[.]94[.]157/smb.exe
- hxxp://207[.]148[.]94[.]157/m.ex_
- hxxp://207[.]148[.]94[.]157/w
- hxxp://207[.]148[.]94[.]157/Web.ex_

_Related C&C server (9002 RAT and PlugX variant):_

- 66[.]42[.]37[.]101
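The IoCs above are defanged (hxxp, [.]) and mix exact download URLs, a server IP and file hashes, so they cannot be pasted into a log search as-is. The following is an added example written for this page, not the post's or Trend Micro's code: it refangs the published indicators, then matches them against constructed proxy-log lines and a constructed sha256sum-style file inventory. Exact-URL hits are reported separately from host-only hits, because the same server serving an unlisted path is still worth a look. The log line format and all sample lines are assumptions made here, not data from the incident.

```python
"""Refang the IoCs published above and match them against constructed
proxy-log and hash-inventory lines. Added example, not the post's code."""
from __future__ import annotations

import hashlib
import re
from urllib.parse import urlsplit

# IoCs exactly as printed above (defanged). Labels follow the post's detection names.
IOC_URLS = [
    "hxxp://207[.]148[.]94[.]157/update/rcv50/update.zip",
    "hxxp://207[.]148[.]94[.]157/update/rcv50/file000.zip",
    "hxxp://207[.]148[.]94[.]157/update/rcv50/file001.zip",
    "hxxp://207[.]148[.]94[.]157/aio.exe",
    "hxxp://207[.]148[.]94[.]157/smb.exe",
    "hxxp://207[.]148[.]94[.]157/m.ex_",
    "hxxp://207[.]148[.]94[.]157/w",
    "hxxp://207[.]148[.]94[.]157/Web.ex_",
]
IOC_C2 = ["66[.]42[.]37[.]101"]
IOC_SHA256 = {
    "0703a917aaa0630ae1860fb5fb1f64f3cfb4ea8c57eac71c2b0a407b738c4e19": "ShiftDoor / BKDR_SETHC.D",
    "c14ea9b81f782ba36ae3ea450c2850642983814a0f4dc0ea4888038466839c1e": "aio.exe / HKTL_DELOG",
    "52374f68d1e43f1ca6cd04e5816999ba45c4e42eb0641874be25808c9fe15005": "rcview.log / TROJ_SIDELOADR.ENC",
    "bcfacc1ad5686aee3a9d8940e46d32af62f8e1cd1631653795778736b67b6d6e": "rcview40u.dll / TROJ_SIDELOADR.A",
    "279cf1773903b7a5de63897d55268aa967a87f915a07924c574e42c9ed12de30": "sharphound.exe / HKTL_BLOODHOUND",
    "e5029808f78ec4a079e889e5823ee298edab34013e50a47c279b6dc4d57b1ffc": "ssms.exe / HKTL_PASSDUMP",
    "e530e16d5756cdc2862b4c9411ac3bb3b113bc87344139b4bfa2c35cd816e518": "w.exe / TROJ_CVE20177269.MOX",
    "28c5a6aefcc57e2862ea16f5f2ecb1e7df84b68e98e5814533262595b237917d": "Web.exe / HKTL_BROWSERPASSVIEW.GA",
}


def refang(ioc: str) -> str:
    """Undo the hxxp and [.] defanging used in the IoC list."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)


def indicator_sets(urls=IOC_URLS, c2=IOC_C2) -> tuple[set[str], set[str]]:
    """Exact refanged URLs, plus every host/IP they involve and the C&C address."""
    full = {refang(u) for u in urls}
    hosts = {urlsplit(u).hostname for u in full} | {refang(ip) for ip in c2}
    return full, hosts


def scan_proxy_log(lines, urls=None, hosts=None):
    """Constructed line format: '<ts> <client> <method> <target> <status>'.
    CONNECT targets are host:port, everything else is a full URL."""
    if urls is None or hosts is None:
        urls, hosts = indicator_sets()
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, method, target, _status = parts[:5]
        host = target.rsplit(":", 1)[0] if method.upper() == "CONNECT" else urlsplit(target).hostname
        if target in urls:
            hits.append((ts, client, "url", target))
        elif host in hosts:
            hits.append((ts, client, "host", host))
    return hits


def scan_hash_inventory(lines, hashes=IOC_SHA256):
    """Lines in sha256sum / Get-FileHash style: '<hex>  <path>' (case-insensitive hex)."""
    hits = []
    for line in lines:
        digest, _, path = line.strip().partition("  ")
        label = hashes.get(digest.strip().lower())
        if label:
            hits.append((path, label))
    return hits


def sha256_hex(data: bytes) -> str:
    """Digest a file's bytes so real files can be fed to scan_hash_inventory."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample data (not from the incident).
SAMPLE_PROXY_LOG = [
    "2018-07-18T13:35:05 10.1.2.3 GET http://207.148.94.157/update/rcv50/update.zip 200",
    "2018-07-18T13:35:07 10.1.2.3 GET http://207.148.94.157/update/rcv50/file000.zip 200",
    "2018-07-18T13:40:00 10.1.2.3 GET http://207.148.94.157/Web.ex_ 200",
    "2018-07-18T13:41:00 10.1.2.9 GET http://www.example.com/index.html 200",
    "2018-07-18T13:42:00 10.1.2.3 GET http://207.148.94.157/unlisted.bin 404",
    "2018-07-18T13:43:00 10.1.2.3 CONNECT 66.42.37.101:443 200",
]
SAMPLE_INVENTORY = [
    "52374f68d1e43f1ca6cd04e5816999ba45c4e42eb0641874be25808c9fe15005  C:/Program Files/RemoteSupport/rcview.log",
    "bcfacc1ad5686aee3a9d8940e46d32af62f8e1cd1631653795778736b67b6d6e".upper()
    + "  C:/Program Files/RemoteSupport/rcview40u.dll",
    sha256_hex(b"") + "  C:/Users/Public/empty.txt",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy", *hit)
    for path, label in scan_hash_inventory(SAMPLE_INVENTORY):
        print("hash ", path, "->", label)
```

Hash matching only catches the exact samples listed; the same tools rebuilt or repacked will not match, which is why the host-level and behavioural checks matter more than the digests once the initial sweep is done.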