Proprietary · 2018-07-18 · 13 days · Backdoor, Credential Theft, Data Theft, Remote Access

Remote support updater delivered 9002 RAT

Operation Red Signature compromised a South Korean remote-support provider's update server so selected customer IP ranges received a signed malicious update that launched 9002 RAT.

Story

Operation Red Signature was narrow by design. Trend Micro and IssueMakersLab found that the attackers did not simply post a poisoned installer and wait. They compromised the update server of a South Korean remote-support software provider, stole the provider's code-signing certificate, and used both pieces together.

The update server acted as the selector. When the remote-support client checked in from an ordinary network, it received the normal update. When it checked in from IP ranges belonging to the targeted South Korean organizations, the server redirected the update path to attacker-controlled infrastructure at 207.148.94.157, which delivered a malicious update.zip.

That archive carried an update.ini telling the client to download file000.zip and file001.zip, extract them as rcview40u.dll and rcview.log, and run the DLL through regsvr32.exe. The DLL was signed with the stolen vendor certificate, so it fit the trust model expected by the updater. Its job was to decrypt rcview.log in memory and launch 9002 RAT, which then connected to 66.42.37.101.
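The chain above (dropped DLL registered through regsvr32.exe beside a dropped .log decoy, then an outbound connection from that process) is the behaviour a defender can key on, independent of whether the DLL carries a valid signature. The following is an added detection sketch, not code from Trend Micro, IssueMakersLab or the remote-support vendor, run over constructed endpoint telemetry. Only the two C2 addresses and the two payload SHA-256 hashes come from this record; the event shape, the update directory, the process names, the PIDs and the vendor address range 203.0.113.0/24 are assumptions made for the example.

```python
from dataclasses import dataclass
import ipaddress
import ntpath
import shlex

# Indicators quoted from this record. Everything else below is assumed.
C2_IPS = {"207.148.94.157", "66.42.37.101"}
PAYLOAD_SHA256 = {
    "bcfacc1ad5686aee3a9d8940e46d32af62f8e1cd1631653795778736b67b6d6e",
    "52374f68d1e43f1ca6cd04e5816999ba45c4e42eb0641874be25808c9fe15005",
}
VENDOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed vendor update range


@dataclass
class Event:
    kind: str             # "file" (write), "process" (create) or "network" (connect)
    pid: int
    image: str            # process that performed the action
    path: str = ""        # file: path written
    sha256: str = ""      # file: hash of the written file
    cmdline: str = ""     # process: command line of the new process
    parent_image: str = ""
    dest_ip: str = ""     # network: destination address


def regsvr32_dll(cmdline):
    """Return the DLL path regsvr32 was asked to register, else None."""
    for arg in shlex.split(cmdline, posix=False)[1:]:
        arg = arg.strip('"')
        if arg.lower().endswith(".dll"):
            return arg
    return None


def in_vendor_nets(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VENDOR_NETS)


def detect(events):
    """Return (severity, message) alerts for the updater-to-RAT chain."""
    alerts = []
    dropped = {}   # lowercase path -> sha256 of every file written
    suspect = {}   # pid -> freshly dropped DLL that regsvr32 registered
    for ev in events:
        if ev.kind == "file":
            dropped[ev.path.lower()] = ev.sha256
            if ev.sha256 in PAYLOAD_SHA256:
                alerts.append(("critical", f"known Red Signature payload written: {ev.path}"))
        elif ev.kind == "process" and ntpath.basename(ev.image).lower() == "regsvr32.exe":
            dll = regsvr32_dll(ev.cmdline)
            if not dll or dll.lower() not in dropped:
                continue
            suspect[ev.pid] = dll
            dll_dir = ntpath.dirname(dll.lower())
            # A just-dropped DLL registered next to a just-dropped .log is the
            # decrypt-in-memory shape described for rcview40u.dll / rcview.log.
            if any(ntpath.dirname(p) == dll_dir and p.endswith(".log") for p in dropped):
                alerts.append(("high", f"regsvr32 registered dropped DLL beside a dropped .log: {dll}"))
        elif ev.kind == "network" and ev.pid in suspect and not in_vendor_nets(ev.dest_ip):
            sev = "critical" if ev.dest_ip in C2_IPS else "high"
            alerts.append((sev, f"regsvr32 (pid {ev.pid}) loaded {suspect[ev.pid]} then connected to {ev.dest_ip}"))
    return alerts


# Constructed sample telemetry, not real logs; paths, PIDs and process names are invented.
UPD = r"C:\Program Files\RemoteSupport\update"
BENIGN_UPDATE = [
    Event("file", 100, "updater.exe", path=UPD + r"\plugin.dll", sha256="00" * 32),
    Event("process", 101, r"C:\Windows\System32\regsvr32.exe",
          cmdline=f'regsvr32.exe /s "{UPD}\\plugin.dll"', parent_image="updater.exe"),
    Event("network", 100, "updater.exe", dest_ip="203.0.113.10"),
]
RED_SIGNATURE_CHAIN = [
    Event("file", 100, "updater.exe", path=UPD + r"\rcview40u.dll",
          sha256="bcfacc1ad5686aee3a9d8940e46d32af62f8e1cd1631653795778736b67b6d6e"),
    Event("file", 100, "updater.exe", path=UPD + r"\rcview.log", sha256="11" * 32),
    Event("process", 102, r"C:\Windows\System32\regsvr32.exe",
          cmdline=f'regsvr32.exe /s "{UPD}\\rcview40u.dll"', parent_image="updater.exe"),
    # Assumption: the in-memory 9002 RAT beacons from the regsvr32 process itself.
    Event("network", 102, r"C:\Windows\System32\regsvr32.exe", dest_ip="66.42.37.101"),
]

if __name__ == "__main__":
    for sev, msg in detect(RED_SIGNATURE_CHAIN):
        print(sev, msg)
```

The sketch deliberately does not check Authenticode validity: in this incident the DLL was signed with the vendor's own stolen certificate, so a signature check would have passed. The behavioural stage (regsvr32 on a dropped DLL next to a dropped .log, followed by egress outside the vendor's ranges) fires even when the hash IOCs are swapped out, while the hash and C2 matches only raise the severity.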

The payload was built for intrusion, not noise. 9002 RAT pulled down cabinet-compressed tools for Active Directory discovery, password dumping, browser-password recovery, IIS 6 WebDAV exploitation, scanning, Mimikatz-style credential checks, and a PlugX variant that used the same command-and-control server. Trend Micro saw the RAT compiled on July 17, 2018, the malicious configuration created on July 18, and an update log showing execution at about 13:35 on July 18. The malware was also coded to sleep in August, making the observed activity window short.

A later Avast/Gen report on a U.S. government commission found an oci.dll decryptor that closely resembled Red Signature's rcview40u.dll. That is useful lineage evidence, but it is not the same supply-chain incident unless a compromised updater is shown. For this catalog, the scoped attack is the South Korean remote-support update channel that delivered a signed, targeted 9002 RAT payload.

Affected Artifacts

remote support client update

windows updater · Updater Payload
Observed
2018-07-18 to 2018-07-31
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha256:bcfacc1ad5686aee3a9d8940e46d32af62f8e1cd1631653795778736b67b6d6e
  • sha256:52374f68d1e43f1ca6cd04e5816999ba45c4e42eb0641874be25808c9fe15005
Evidence
  • Trend Micro reported that rcview40u.dll decrypted the encrypted rcview.log payload in memory and executed 9002 RAT.

9002 RAT follow-on tools

Malware Bundle
Observed
2018-07-18 to 2018-07-31
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha256:c14ea9b81f782ba36ae3ea450c2850642983814a0f4dc0ea4888038466839c1e
  • sha256:a3a1b1cf29a8f38d05b4292524c3496cb28f78d995dfb0a9aef7b2f949ac278b
  • sha256:9415ca80c51b2409a88e26a9eb3464db636c2e27f9c61e247d15254e6fbb31eb
  • +4 more
Evidence
  • Trend Micro described these as additional tools pulled by 9002 RAT after the updater-delivered payload was running.

ShiftDoor signed with stolen certificate

Malware Sample
Observed
2018-04-08
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha1:4ae4aed210f2b4f75bdb855f6a5c11e625d56de2
  • sha256:0703a917aaa0630ae1860fb5fb1f64f3cfb4ea8c57eac71c2b0a407b738c4e19
Evidence
  • family: ShiftDoor
  • observable: Trend Micro found an April 8, 2018 ShiftDoor sample signed with the stolen remote-support provider certificate.
  • Included as certificate-theft context; the supply-chain update activity observed by Trend Micro began in July 2018.

Incident Context

Motive
Espionage, Data Theft
Attribution
Group
Cause
Server Compromise
Transitive
No

Indicators

  • campaign: Operation Red Signature
  • family: 9002 RAT
  • family: PlugX
  • family: ShiftDoor
  • file: update.zip
  • file: update.ini
  • file: rcview40u.dll
  • file: rcview.log
  • process: regsvr32.exe
  • ip: 207.148.94.157
  • ip: 66.42.37.101
  • observable: Update server delivered the malicious update only to configured target organization IP ranges.
  • observable: Malware used a stolen remote-support provider certificate to satisfy the updater's trust path.

External References

Source record: proprietary/operation-red-signature/meta.yaml