
9002 RAT

Posted: May 9, 2019

The 9002 RAT is a Remote Access Trojan best known for its use in a supply chain attack that targeted major companies in South Korea. The operation has been named ‘Operation Red Signature,’ and it was carried out through a compromised update server belonging to one of the software suites these companies use. An employee who applied the update would be served a trojanized file from what they considered a trustworthy source, which makes an attack of this kind very difficult to spot without dedicated security tooling.

Another notable aspect of Operation Red Signature is that the attackers did not serve the malicious update to every user of the product. Instead, the update server checked the IP address of each visitor and delivered the modified package only to IP ranges that matched the target group. By limiting the reach of the operation, the attackers reduced the chance that anyone outside the targeted networks would ever see the malicious file. A second measure taken to cover their tracks was that the implant was built to operate for only a couple of weeks: the first infections occurred on July 18, 2018, and the 9002 RAT was configured to terminate itself on July 31.
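The following is an added example, not code from the original page or from the Operation Red Signature incident. It models the selective delivery described above (the same update URL returns different bytes depending on the client's IP) and the two checks a defender can use against it: comparing the package actually received on an endpoint against a digest pinned from an out-of-band source, and downloading the update from several vantage points to detect divergence. All IP ranges, package contents and digests are constructed sample data.

```python
"""Added example (not from the original page or the real incident): an update
server that serves a trojanized package only to targeted IP ranges, plus the
client-side checks that expose it. All data below is constructed."""
import hashlib
import hmac
import ipaddress

# Constructed target ranges; the real operation's ranges are not on the page.
TARGET_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed stand-ins for the legitimate and the trojanized update package.
CLEAN_UPDATE = b"SUITE-UPDATE-4.2.1\x00legitimate installer payload"
TROJANIZED_UPDATE = b"SUITE-UPDATE-4.2.1\x00installer payload + RAT dropper"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def serve_update(client_ip: str) -> bytes:
    """Server side of the selective delivery: only clients whose source IP falls
    inside a targeted range receive the trojanized bytes, so a single download
    from an untargeted network shows nothing unusual."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TARGET_RANGES):
        return TROJANIZED_UPDATE
    return CLEAN_UPDATE


def verify_against_pinned_digest(package: bytes, pinned_sha256: str) -> bool:
    """Check 1: compare the bytes actually received on the endpoint with a
    digest obtained independently of the update server (vendor advisory,
    release notes, a copy archived before the incident). A digest fetched from
    the same compromised server proves nothing."""
    return hmac.compare_digest(sha256_hex(package), pinned_sha256)


def digests_by_vantage(client_ips: list[str]) -> dict[str, str]:
    """Check 2, data collection: fetch the 'same' update from several vantage
    points (here simulated by calling serve_update with each source IP) and
    record the digest each one received."""
    return {ip: sha256_hex(serve_update(ip)) for ip in client_ips}


def divergent_vantages(client_ips: list[str]) -> list[str]:
    """Check 2, decision: return the vantage points whose copy differs from the
    majority copy. Any divergence means the server is not handing the same
    artifact to everyone, which is the behaviour of the compromised server."""
    seen = digests_by_vantage(client_ips)
    counts: dict[str, int] = {}
    for digest in seen.values():
        counts[digest] = counts.get(digest, 0) + 1
    majority = max(counts, key=counts.get)
    return sorted(ip for ip, digest in seen.items() if digest != majority)


if __name__ == "__main__":
    # Assume the pinned digest came from an out-of-band source (constructed here).
    pinned = sha256_hex(CLEAN_UPDATE)
    for ip in ("203.0.113.10", "192.0.2.5"):
        status = "verified" if verify_against_pinned_digest(serve_update(ip), pinned) else "MISMATCH"
        print(f"{ip}: {status}")
    print("divergent vantages:",
          divergent_vantages(["192.0.2.5", "192.0.2.6", "203.0.113.10", "198.51.100.7"]))
```

The point of the second check is that a security team investigating from its own (untargeted) network will download a clean file and conclude nothing is wrong; only a copy taken from the affected endpoint, or a download made from inside the targeted range, shows the substitution. Treat a majority-based comparison as a heuristic: if most of your vantage points sit inside the targeted ranges, the trojanized copy becomes the "majority", which is why the pinned out-of-band digest remains the authoritative check.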

The 9002 RAT was not the only tool the attackers used on the infected computers. They used the RAT to drop additional hacking tools on the compromised hosts, including:

  • DsGet, DsQuery, and SharpHound, used to enumerate Active Directory objects and retrieve information about them.
  • A modified version of Mimikatz, used to collect Windows credentials.
  • A modified version of the PlugX RAT.
  • A tool for extracting passwords from SQL databases.
  • A browser information stealer.

Supply chain attacks are difficult to execute, so many cybercriminals tend to stay away from them. When such an attack does succeed, however, its operators may gain access to a great deal of data before they are finally caught. Operation Red Signature is another reminder that enterprise security controls should never be overlooked, especially since a software vendor can become an involuntary participant in an attack on its own customers.
