9002 RAT Description
In 2018 a hacking operation called 'Operation Red Signature' was carried out against several large corporations located in South Korea. The tool that made it all possible was the 9002 RAT (Remote Access Trojan). Operation Red Signature was a supply chain attack: instead of targeting the users directly, the attackers compromised a piece of software the victims used and spread their threat through that software's update mechanism. Doing so makes it much harder for the victims to spot that something is wrong, because an update delivered by software they already use is assumed to be safe and trustworthy.
It is important to note that instead of delivering the fake update to every available user, the attackers chose a spear phishing method of spreading the 9002 RAT: they selected specific targets by sorting through IP addresses and infected only those users. Again, this was done to keep the 9002 RAT as inconspicuous as possible. Had a large number of people been infected, the chance that someone would spot the 9002 RAT and halt the attack would have been much higher. The authors of the 9002 RAT went even further to keep it under the radar by building in a timer: the 9002 RAT was meant to operate only between July 18 and July 31, after which all of its activity would be terminated.
The attackers used the 9002 RAT to deliver a whole range of other hacking tools to the compromised computers. Among them were DsQuery, DsGet, and SharpHound, which are used to enumerate and collect information about Active Directory objects. A modified version of the Mimikatz software was also used to collect Windows credentials. Other tools dropped on the infected systems were a browser information stealer, a variant of the PlugX RAT, and a hacking tool able to crawl SQL databases and extract passwords from them.
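The second-stage tools named above (DsQuery, DsGet, SharpHound, Mimikatz) all leave traces in process-creation logs, and the stated activity window (July 18 to July 31) gives a defender a natural time filter when hunting through them. The following is an added example, not code from the original article or from any vendor analysis of Operation Red Signature: it parses a constructed, pipe-separated process-creation log format, flags events whose image name or command line matches the tools the article lists, and marks whether each hit falls inside the activation window (the year 2018 is taken from the article; the log format, sample lines, host names and function names `parse_line`, `classify` and `hunt` are all assumptions made for this example).

```python
"""Hunt process-creation logs for the post-exploitation tooling associated
with the 9002 RAT in the Operation Red Signature write-up.

Added example, not code from the original article. The log format below
(timestamp|host|user|image|command line) and all sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# Image names the article associates with the RAT's second stage.
SUSPICIOUS_IMAGES = {"dsquery.exe", "dsget.exe", "sharphound.exe", "mimikatz.exe"}

# Command-line markers that survive a renamed binary: the Mimikatz credential
# module name and SharpHound's collection switch / PowerShell entry point.
SUSPICIOUS_ARGS = ("sekurlsa", "collectionmethod", "invoke-bloodhound")

# Activation window stated in the article; the year 2018 is assumed from it.
WINDOW_START = datetime(2018, 7, 18)
WINDOW_END = datetime(2018, 7, 31, 23, 59, 59)


@dataclass
class ProcessEvent:
    timestamp: datetime
    host: str
    user: str
    image: str
    command_line: str


@dataclass
class Finding:
    event: ProcessEvent
    reason: str
    in_window: bool  # True when the event lies inside the stated activation window


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Parse one pipe-separated record; malformed lines yield None instead of raising."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    try:
        timestamp = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ProcessEvent(timestamp, parts[1], parts[2], parts[3], parts[4])


def classify(event: ProcessEvent) -> Optional[str]:
    """Return a human-readable reason if the event matches a known tool, else None."""
    image_name = event.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image_name in SUSPICIOUS_IMAGES:
        return f"known tool image: {image_name}"
    command_line = event.command_line.lower()
    for marker in SUSPICIOUS_ARGS:
        if marker in command_line:
            return f"tool-specific argument: {marker}"
    return None


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Run every log line through the parser and classifier, keeping only hits."""
    findings: List[Finding] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        reason = classify(event)
        if reason is None:
            continue
        in_window = WINDOW_START <= event.timestamp <= WINDOW_END
        findings.append(Finding(event, reason, in_window))
    return findings


# Constructed sample log: two hits inside the window, one benign event,
# one hit outside the window, and one malformed line.
SAMPLE_LOG = [
    "2018-07-20T09:15:02|WS-042|CORP\\jdoe|C:\\Windows\\System32\\dsquery.exe|dsquery user -limit 0",
    "2018-07-20T09:16:40|WS-042|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe|svc.exe sekurlsa::logonpasswords",
    "2018-07-21T11:02:13|WS-017|CORP\\asmith|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
    "2018-08-03T14:30:00|WS-099|CORP\\admin|C:\\Tools\\SharpHound.exe|SharpHound.exe --CollectionMethod All",
    "not a log line",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        flag = "IN WINDOW" if finding.in_window else "outside window"
        print(f"{finding.event.timestamp} {finding.event.host} {finding.event.user}: "
              f"{finding.reason} [{flag}]")
```

The in-window flag is a prioritisation aid rather than a filter: a renamed Mimikatz binary found in August is still worth investigating, which is why the example reports every hit and only annotates the timing.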
Companies that distribute software need to be very careful about security because, as in the case of Operation Red Signature, they can end up becoming part of an attack launched against their own loyal customers, which is absolutely unacceptable.