{
	"id": "1cc41583-0135-40b4-8dc7-eb2632fb8e18",
	"created_at": "2026-04-06T00:12:38.644859Z",
	"updated_at": "2026-04-10T03:30:25.856671Z",
	"deleted_at": null,
	"sha1_hash": "ba6f0382399628d54a9a44d5ca868890d2e10645",
	"title": "Operation Red Signature Targets South Korean Companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 716741,
	"plain_text": "Operation Red Signature Targets South Korean Companies\r\nPublished: 2018-08-21 · Archived: 2026-04-05 15:04:28 UTC\r\nTogether with our colleagues at IssueMakersLab, we uncovered Operation Red Signature, an information theft-driven supply chain attack targeting organizations in South Korea. We discovered the attacks around the end of July, while the media reported the attack in South Korea on August 6.\r\nThe threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the company’s certificate, then using it to sign the malware. They also configured the update server to only deliver malicious files if the client is located in the range of IP addresses of their target organizations.\r\n9002 RAT also installed additional malicious tools: an exploit tool for Internet Information Services (IIS) 6 WebDav (exploiting CVE-2017-7269) and an SQL database password dumper. These tools hint at how the attackers are also after data stored in their target’s web server and database.\r\nFigure 1. Operation Red Signature’s attack chain\r\nHere’s how Operation Red Signature works:\r\nhttps://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html\r\nPage 1 of 7\n\n1. The code-signing certificate from the remote support solutions provider is stolen. It’s possible that the certificate was stolen as early as April 2018, as we found a ShiftDoor malware (4ae4aed210f2b4f75bdb855f6a5c11e625d56de2) on April 8 that was signed with the stolen certificate.\r\n2. Malicious update files are prepared, signed with the stolen certificate, and uploaded to the attacker’s server (207[.]148[.]94[.]157).\r\n3. The update server of the company is hacked.\r\n4. The update server is configured to receive an update.zip file from the attackers’ server if a client is connecting from a specific range of IP addresses belonging to their targeted organizations.\r\n5. The malicious update.zip file is sent to the client when the remote support program is executed.\r\n6. The remote support program recognizes the update files as normal and executes the 9002 RAT malware inside it.\r\n7. 9002 RAT downloads and executes additional malicious files from the attackers’ server.\r\nTechnical analysis\r\nThe update.zip file contains an update.ini file, which holds the malicious update configuration. It instructs the remote support solution program to download file000.zip and file001.zip and extract them as rcview40u.dll and rcview.log to the installation folder.\r\nThe program will then execute rcview40u.dll, signed with the stolen certificate, with Microsoft register server (regsvr32.exe). This dynamic-link library (DLL) is responsible for decrypting the encrypted rcview.log file and executing it in memory. 9002 RAT is the decrypted rcview.log payload, which connects to the command-and-control (C\u0026C) server at 66[.]42[.]37[.]101.\r\nFigure 2. Contents of the malicious update configuration\r\nFigure 3. How the compromised update process launches the 9002 RAT malware\r\nFigure 4. Known 9002 RAT string pattern inside the decrypted payload of the rcview.log file\r\nCorrelating 9002 RAT\r\nDelving into 9002 RAT, we found that it was compiled on July 17, 2018, and that the configuration files inside update.zip were created on July 18. Our analysis of an update log file we found reveals that the remote support program’s update process started around 13:35 on July 18, with the 9002 RAT being downloaded and launched. We also saw that the RAT file used for this specific attack was set to be inactive in August, so we can construe that the RAT’s activity was rather short-lived (from July 18 to July 31).\r\nFigure 5. Compilation timestamp on 9002 RAT sample (top), timestamp of the malicious configuration (center), and snapshot of the program’s update log (bottom)\r\nFigure 6. Code snippet showing 9002 RAT checking the system time and setting itself to sleep in August 2018\r\nAdditional malware tools\r\nThe 9002 RAT also serves as a springboard for delivering additional malware. Most of these are downloaded as files compressed with the Microsoft cabinet format (.cab). This is most likely done to avoid detection by antivirus (AV) solutions.\r\nHere’s a list of files that 9002 RAT retrieves and delivers to the affected system:\r\nFilename | Tool | Purpose\r\ndsget.exe | DsGet | View active directory objects\r\ndsquery.exe | DsQuery | Search for active directory objects\r\nsharphound.exe | SharpHound | Collect active directory information\r\naio.exe | All In One (AIO) | Publicly available hack tool\r\nssms.exe | SQL Password dumper | Dump password from SQL database\r\nprintdat.dll | RAT (PlugX variant) | Remote access tool\r\nw.exe | IIS 6 WebDav Exploit Tool | Exploit tool for CVE-2017-7269 (IIS 6)\r\nWeb.exe | WebBrowserPassView | Recover password stored by browser\r\nsmb.exe | Scanner | Scans the system’s Windows version and computer name\r\nm.exe | Custom Mimikatz (including 32bit / 64bit file) | Verify computer password and active directory credentials\r\nFigure 7. Downloaded Web.ex_ cabinet file (left) and decompressed Web.exe file (right)\r\nOne of the downloaded files, printdat.dll, is another RAT: a variant of PlugX malware that connects to the same C\u0026C server (66[.]42[.]37[.]101).\r\nFigure 8. Internal PlugX date dword value inside the printdat.dll file\r\nMitigating supply chain attacks\r\nSupply chain attacks don’t just affect users and businesses — they exploit the trust between vendors and their clients or customers. By trojanizing software/applications or manipulating the infrastructures or platforms that run them, supply chain attacks affect the integrity and security of the goods and services that organizations provide. In healthcare, for instance, where the industry heavily relies on third-party and cloud-based services, supply chain attacks can risk the privacy of personally identifiable data and intellectual property, disrupt hospital operations, and even endanger patient health. And when stacked up with regulations such as the EU General Data Protection Regulation (GDPR), the impact can be exacerbated.\r\nHere are some best practices:\r\nOversee third-party products and services: apart from ensuring the security of the organization’s own online premises (e.g., patching, authentication mechanisms), security controls must also be in place in the third-party applications being used.\r\nDevelop a proactive incident response strategy: Supply chain attacks are often targeted; organizations must be able to fully understand, manage, and monitor the risks involved in third-party vendors.\r\nProactively monitor the network for anomalous activities: firewalls and intrusion detection and prevention systems help mitigate network-based threats.\r\nEnforce the principle of least privilege: Network segmentation, data categorization, restriction of system administration tools, and application control help deter lateral movement and minimize data being exposed.\r\nTrend Micro Solutions\r\nThe Trend Micro™ Deep Discovery™ solution provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect threats even without any engine or pattern update. Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions can protect users and businesses from threats by detecting malicious files and blocking all related malicious URLs.\r\nIndicators of Compromise (IoCs):\r\nRelated hashes (SHA-256):\r\nURLs related to the malicious update file:\r\nURLs related to additionally downloaded malicious files:\r\nRelated C\u0026C server (9002 RAT and PlugX variant):\r\n66[.]42[.]37[.]101\r\nSource: https://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html"
	],
	"report_names": [
		"supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html"
	],
	"threat_actors": [
		{
			"id": "8860d9ac-afa8-454d-9d86-926aa8dd5019",
			"created_at": "2024-02-08T02:00:04.313581Z",
			"updated_at": "2026-04-10T02:00:03.582422Z",
			"deleted_at": null,
			"main_name": "Operation Red Signature",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Red Signature",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "446025dc-d003-448e-a5ea-43ce24bc883d",
			"created_at": "2022-10-25T16:07:23.997281Z",
			"updated_at": "2026-04-10T02:00:04.827365Z",
			"deleted_at": null,
			"main_name": "Operation Red Signature",
			"aliases": [],
			"source_name": "ETDA:Operation Red Signature",
			"tools": [
				"9002 RAT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"McRAT",
				"MdmBot",
				"Roarur"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434358,
	"ts_updated_at": 1775791825,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba6f0382399628d54a9a44d5ca868890d2e10645.pdf",
		"text": "https://archive.orkl.eu/ba6f0382399628d54a9a44d5ca868890d2e10645.txt",
		"img": "https://archive.orkl.eu/ba6f0382399628d54a9a44d5ca868890d2e10645.jpg"
	}
}