Researchers from Trend Micro have exposed two criminal cyber campaigns targeting South Korean organizations – one, a supply chain attack delivering a remote access tool under the guise of a software update, and two, a ransomware attack leveraging malicious .egg files.
The RAT attack, assigned the moniker “Operation Red Signature,” was co-discovered alongside South Korean cyber firm IssueMakersLab last July and subsequently reported by South Korean media earlier this month. According to a Trend Micro blog post published today, the attackers compromised and reconfigured an update server belonging to a remote support solutions provider (left unnamed), so that instead of delivering a legitimate update, it would distribute 9002 RAT malware to targets.
“They carried this out by first stealing the company's certificate, then using it to sign the malware,” the blog post states, suggesting the certificate theft may have taken place as far back as April 2018. “They also configured the [compromised] update server to only deliver malicious files if the client is located in the range of IP addresses of their target organizations.”
In those instances when the victim's IP address was in the target range, the compromised server would then receive an update.zip file – containing the 9002 RAT malware – from the attackers' server. The malware would arrive in encrypted form and then was executed in memory and subsequently decrypted.
An analysis of 9002 RAT found that the malware was compiled on July 17, and programmed to go inactive by July 31 – an indication of a narrow attack window. Likely intended to aid in information stealing efforts, the RAT is able to install additional malicious components, downloaded as files compressed with the Microsoft cabinet format (.cab) in order to help evade anti-virus protections. These components included an exploit for Internet Information Services (IIS) 6 WebDav (CVE-2017-7269), a SQL database password dumper, a variant of the PlugX RAT, a customized version of Mimikatz, and various hacking and information collection tools.
“These tools hint at how the attackers are also after data stored in their target's web server and database,” the blog post continues.
The second campaign affecting South Korea that Trend Micro reported on this week consisted of an Aug. 7 GandCrab ransomware attack that used spam mails abusing .egg files to deliver version 4.3 of the malicious file encryptor.
The malicious emails purported to contain an official notification pertaining to an investigation into an unspecified e-commerce transaction violation. The intent, of course, was to trick concerned recipients into opening the contents of the attached .egg file -- EGG is a .zip-like compressed archive file format used in South Korea -- before further action could be taken against them for this imaginary infraction.
The “bad egg” of an .egg file contained two shortcut .lnk files, both impersonating official documents, as well as an executable that disappears once the .egg file was decompressed. When one of the .lnk files is opened, the GandCrab malware executes, encrypting the victim's files.
Trend Micro researchers believe the threat actor group known as VenusLocker may be behind this attack because the .lnk files bear the inscription “VenusLocker_korean.exe”. However, previous attacks by the group have been known to use a different ransomware with the eponymous name of VenusLocker.