Security researchers have uncovered a new supply chain attack that targets organizations in South Korea. The threat actor chooses its victims selectively, delivering the malicious payload only to IP ranges that belong to groups of interest.
Operation Red Signature appeared on the researchers’ radar towards the end of July. To infiltrate the victims’ systems without triggering an alarm, the threat actor used the update server of a remote support solutions provider.
In a blog post today, TrendMicro’s Cyber Safety Solutions Team says that the compromised server was used to deliver an update tainted with a remote access tool called 9002 RAT.
The malicious actor made sure that the compromised version of the software did not spread to entities that were not of interest. For this, they set up the update server to send out the infected files only if their target was located within a specific range of IP addresses.
To avoid detection, the malicious update was signed with a valid certificate stolen from the remote solutions provider. It is unclear when this occurred, but researchers say that on April 8 they found a piece of malware that hid under the same stolen certificate.
With signed malware and access to the update server, all the threat actor had to do was to wait for a client to request a software update.
If the request came from the targeted IP range, the attacker had the update server deliver the malicious file packaged as “update.zip.” When the update executed, so did the 9002 RAT inside it.
“9002 RAT also installed additional malicious tools: an exploit tool for Internet Information Services (IIS) 6 WebDav (exploiting CVE-2017-7269) and an…