9002 RAT

Posted: May 9, 2019

9002 RAT Description

The 9002 RAT is a Remote Access Trojan that is best known for being used in a supply chain attack that targeted major companies in South Korea. The operation involving this RAT has been named ‘Operation Red Signature,’ and it was carried out with the help of a compromised update server linked to one of the software suites that these companies use. If an employee attempted to apply the update, they would be served a corrupted file from what they considered a trustworthy source, which makes this kind of attack very difficult to spot without sophisticated security software.

Another interesting thing about Operation Red Signature is that the attackers did not provide the unsafe update to all users of the product – instead, they checked the IP addresses of visitors and only sent the modified update package to the IP ranges that matched their target group. By limiting the reach of their operation, the cybercriminals may have made it more difficult to spot their harmful actions. Another step the 9002 RAT’s authors took to cover their tracks was to make their program work for just a few weeks – the first infections occurred on July 18, and the 9002 RAT was configured to terminate itself on July 31.
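Selective delivery of the kind described above leaves a server-side trace: the same update path hands out different bytes depending on the client's address. The following is an added example (not code from the original article or from any vendor) that scans constructed update-server log lines and flags paths whose served payload digest varies by client /24; the log layout is an assumption for illustration.

```python
"""Flag an update path that served more than one payload, grouped by
client network (the selective-delivery pattern discussed above).
Log format below is an assumption: client IP, path, size, sha256."""
import ipaddress
from collections import defaultdict

# Constructed sample: one update path, two distinct payloads, the second
# served only to clients inside a narrow "target" range.
SAMPLE_LOG = """\
203.0.113.5 /update/suite-2.1.pkg 1048576 a1b2c3
198.51.100.9 /update/suite-2.1.pkg 1048576 a1b2c3
10.20.30.40 /update/suite-2.1.pkg 1049204 ff00ee
10.20.31.7 /update/suite-2.1.pkg 1049204 ff00ee
203.0.113.77 /update/other.pkg 2048 d4e5f6
"""

def parse_log(text):
    """Yield (client_ip, path, size, digest) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ip, path, size, digest = parts
        yield ipaddress.ip_address(ip), path, int(size), digest

def payload_variants_by_path(text, prefix_len=24):
    """Map path -> {digest: set of client networks at /prefix_len}.
    Grouping by prefix shows whether a variant went only to a narrow range."""
    variants = defaultdict(lambda: defaultdict(set))
    for ip, path, _size, digest in parse_log(text):
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        variants[path][digest].add(str(net))
    return variants

def suspicious_paths(text, prefix_len=24):
    """Return paths where more than one digest was served, with the client
    networks that received each variant. A legitimate update server should
    hand every client the same bytes for the same path, so a split along
    IP ranges is the signal worth investigating."""
    return {path: {d: sorted(nets) for d, nets in digests.items()}
            for path, digests in payload_variants_by_path(text, prefix_len).items()
            if len(digests) > 1}

if __name__ == "__main__":
    for path, variants in suspicious_paths(SAMPLE_LOG).items():
        print(path, variants)
```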

The 9002 RAT was not the only tool used by the attackers to exfiltrate data from the infected computers – they used the RAT’s features to drop additional hacking tools on the compromised computer. Some of the more popular tools that the 9002 RAT delivered are:

  • DsGet, DsQuery, and SharpHound – used to list Active Directory objects and retrieve information about them.
  • A modified version of Mimikatz that may be used to collect Windows credentials.
  • A modified version of the PlugX RAT.
  • A tool used to extract passwords from SQL databases.
  • A browser info stealer.

Supply chain attacks are difficult to execute, so many cybercriminals tend to stay away from them. However, if an attack of this sort ends up being successful, its operators may get access to a lot of data before they are finally caught. Operation Red Signature is yet another reminder that enterprise security solutions should never be overlooked, especially since software vendors themselves can end up as involuntary participants in a cyber-attack.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to 9002 RAT may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
