Wednesday, February 12, 2025
Follow us On Linkedin
HomeComputer SecurityOperation Red Signature Deliver's Malware to Target Organizations Through Outside Partner Network

Operation Red Signature Deliver’s Malware to Target Organizations Through Outside Partner Network

Computer SecurityMalware

Published on

By Gurubaran
Operation Red Signature Deliver’s Malware to Target Organizations Through Outside Partner Network

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

Supply Chain Attacks occurs is an advanced threat that determines the weak link in the supply chain to infiltrate into the organization network.

Security researchers from TrendMicro and IssueMakersLab uncovered Operation Red Signature that launches supply chain attacks targeting organizations in South Korea.

The Threats actor’s behind Operation Red Signature have compromised the server of the support solution provider to deliver remote access tool “9002 RAT” though the update process. The RAT also contains an exploit tool for vulnerability CVE-2017-7269 and an SQL password dumper.

Threat actor’s configured the update servers of support solution provider to deliver malicious files if the victim in their range of interest based on the IP address and the target organizations.

How Operation Red Signature Works

Attackers stolen the codesigning certificates of the support solution providers and signed the malicious files with the stolen certificate and upload to the attacker’s server.

Operation Red Signature

Then the hacked update server of support solution provider is configured to receive the file “update.zip” from the attacker’s server if the user found within the attacker’s interest.

The update.zip contains two files “update.ini” which holds the configuration of remote support solution program and downloads “file000.zip” and “file001.zip” and extracted as “rcview40u.dll” and “rcview.log“.

Operation Red Signature

Then the file “rcview40u.dll” signed with the stolen codesigning certificate will be executed and the DDL files are responsible for decoding the rcview.log file.

The rcview.log is decrypted to 9002 RAT which is the final payload and it connect’s to the C&C server hosted at IP 66[.]42[.]37[.]101.

Researchers said that the 9002 RAT was compiled on July 17, 2018, and starting from 13:35 on July 18 the 9002 RAT being downloaded once the update started. The RAT also serves as a springboard to deliver other malware’s.

Also Read

Beware of Dangerous Android Triout Malware That Records Phone Calls, Videos and Steals Pictures

Dark Tequila Malware Steals Financial Information and Login Details of Popular Websites

New Marap Malware Targeting Financial Institutions Via Microsoft Office and PDF Documents

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

CVE/vulnerability

Critical Ivanti CSA Vulnerability Allows Attackers Remote Code Execution to Gain Restricted Access

A critical vulnerability has been discovered in the Ivanti Cloud Services Application (CSA), potentially...
CVE/vulnerability

Critical OpenSSL Vulnerability Let Attackers Launch Man-in-the-Middle Attacks

A high-severity security vulnerability (CVE-2024-12797) has been identified in OpenSSL, one of the most...
CVE/vulnerability

Fortinet FortiOS & FortiProxy Zero-Day Exploited to Hijack Firewall & Gain Super Admin Access

Cybersecurity firm Fortinet has issued an urgent warning regarding a newly discovered zero-day authentication...
Cyber Security News

Microsoft Patch Tuesday February 2025: 61 Vulnerabilities Including 25 RCE & 3 0-Day

Microsoft has released its highly anticipated Patch Tuesday security updates for February 2025, addressing...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

Register Now

More like this

APT

EARLYCROW: Detecting APT Malware Command and Control Activities Over HTTPS

Advanced Persistent Threats (APTs) represent a sophisticated and stealthy category of cyberattacks targeting critical...
cyber security

FinStealer Malware Targets Leading Indian Bank’s Mobile Users, Stealing Login Credentials

A new cybersecurity threat has emerged, targeting customers of a prominent Indian bank through...
cyber security

Researchers Found North Korean Hackers Advanced Tactics, techniques, and procedures

Recent research has highlighted the increasingly sophisticated tactics, techniques, and procedures (TTPs) employed by...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2024 GBHackers On Security - All Rights Reserved