Supply Chain Attack Operation Red Signature Targets South Korean Organizations

2018-08-21, TrendMicro
https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/
#RedSignature #RSupport #SupplyChain

Contents

Operation Red Signature Targets South Korean Companies
Together with our colleagues at IssueMakersLab, we uncovered Operation Red Signature, an information theft-driven supply chain attack targeting organizations in South Korea. We discovered the attacks around the end of July, while the media reported the attack in South Korea on August 6.
The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the company’s certificate then using it to sign the malware. They also configured the update server to only deliver malicious files if the …

IoC

SHA256
0703a917aaa0630ae1860fb5fb1f64f3cfb4ea8c57eac71c2b0a407b738c4e19
279cf1773903b7a5de63897d55268aa967a87f915a07924c574e42c9ed12de30
28c5a6aefcc57e2862ea16f5f2ecb1e7df84b68e98e5814533262595b237917d
52374f68d1e43f1ca6cd04e5816999ba45c4e42eb0641874be25808c9fe15005
9415ca80c51b2409a88e26a9eb3464db636c2e27f9c61e247d15254e6fbb31eb
a3a1b1cf29a8f38d05b4292524c3496cb28f78d995dfb0a9aef7b2f949ac278b
bcfacc1ad5686aee3a9d8940e46d32af62f8e1cd1631653795778736b67b6d6e
c14ea9b81f782ba36ae3ea450c2850642983814a0f4dc0ea4888038466839c1e
e5029808f78ec4a079e889e5823ee298edab34013e50a47c279b6dc4d57b1ffc
e530e16d5756cdc2862b4c9411ac3bb3b113bc87344139b4bfa2c35cd816e518

SHA1
4ae4aed210f2b4f75bdb855f6a5c11e625d56de2

IP addresses
207.148.94.157
66.42.37.101

URLs
http://207.148.94.157
http://207.148.94.157/Web.ex_
http://207.148.94.157/aio.exe
http://207.148.94.157/m.ex_
http://207.148.94.157/smb.exe
http://207.148.94.157/update/rcv50/file000.zip
http://207.148.94.157/update/rcv50/file001.zip
http://207.148.94.157/update/rcv50/update.zip
http://207.148.94.157/w
http://66.42.37.101