Monday, February 10, 2025
Follow us On Linkedin
HomeComputer SecurityOperation Red Signature Deliver's Malware to Target Organizations Through Outside Partner Network

Operation Red Signature Deliver’s Malware to Target Organizations Through Outside Partner Network

Computer SecurityMalware

Published on

By Gurubaran
Operation Red Signature Deliver’s Malware to Target Organizations Through Outside Partner Network

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

Supply Chain Attacks occurs is an advanced threat that determines the weak link in the supply chain to infiltrate into the organization network.

Security researchers from TrendMicro and IssueMakersLab uncovered Operation Red Signature that launches supply chain attacks targeting organizations in South Korea.

The Threats actor’s behind Operation Red Signature have compromised the server of the support solution provider to deliver remote access tool “9002 RAT” though the update process. The RAT also contains an exploit tool for vulnerability CVE-2017-7269 and an SQL password dumper.

Threat actor’s configured the update servers of support solution provider to deliver malicious files if the victim in their range of interest based on the IP address and the target organizations.

How Operation Red Signature Works

Attackers stolen the codesigning certificates of the support solution providers and signed the malicious files with the stolen certificate and upload to the attacker’s server.

Operation Red Signature

Then the hacked update server of support solution provider is configured to receive the file “update.zip” from the attacker’s server if the user found within the attacker’s interest.

The update.zip contains two files “update.ini” which holds the configuration of remote support solution program and downloads “file000.zip” and “file001.zip” and extracted as “rcview40u.dll” and “rcview.log“.

Operation Red Signature

Then the file “rcview40u.dll” signed with the stolen codesigning certificate will be executed and the DDL files are responsible for decoding the rcview.log file.

The rcview.log is decrypted to 9002 RAT which is the final payload and it connect’s to the C&C server hosted at IP 66[.]42[.]37[.]101.

Researchers said that the 9002 RAT was compiled on July 17, 2018, and starting from 13:35 on July 18 the 9002 RAT being downloaded once the update started. The RAT also serves as a springboard to deliver other malware’s.

Also Read

Beware of Dangerous Android Triout Malware That Records Phone Calls, Videos and Steals Pictures

Dark Tequila Malware Steals Financial Information and Login Details of Popular Websites

New Marap Malware Targeting Financial Institutions Via Microsoft Office and PDF Documents

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Cyber Attack

SHA256 Hash Calculation from Data Chunks

The SHA256 algorithm, a cryptographic hash function, is widely used for securing data integrity...
cyber security

New Report of of 1M+ Malware Samples Show Application Layer Abused for Stealthy C2

A recent analysis of over one million malware samples by Picus Security has revealed...
cyber security

Seven-Year-Old Linux Kernel Bug Opens Door to Remote Code Execution

Researchers have uncovered a critical vulnerability in the Linux kernel, dating back seven years,...
cyber security

Ransomware Payments Plunge 35% as More Victims Refuse to Pay

In a significant shift within the ransomware landscape, global ransom payments plummeted by 35%...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

Register Now

More like this

cyber security

New Report of of 1M+ Malware Samples Show Application Layer Abused for Stealthy C2

A recent analysis of over one million malware samples by Picus Security has revealed...
cyber security

NanoCore RAT Attack Windows Using Task Scheduler to Captures keystrokes, screenshots

NanoCore, a notorious Remote Access Trojan (RAT), continues to pose a significant threat to...
cyber security

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2024 GBHackers On Security - All Rights Reserved