Pulse Detail — Threat Intelligence

PULSE NAME

Operation Red Signature: Supply Chain attack targeting Korean companies

WHITE Lazarus Group AlienVault 2018-08-21 Modified: 2018-08-21

IOCs

MEDIUM VOLUME

Together with Korea's IssueMakersLab, Trend Micro found a Supply Chain Attack aimed at information capture by Korean companies and named it Operation Red Signature. Trend Micro discovered the attack at the end of July, and this was reported in Korea on August 6 .

dprk

Indicators of Compromise (22)

All FileHash-SHA256 URL FileHash-MD5 FileHash-SHA1

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-SHA256	0703a917aaa0630ae1860fb5fb1f64f3cfb4ea8c57eac71c2b0a407b738c4e19	—	2018-08-21
FileHash-SHA256	279cf1773903b7a5de63897d55268aa967a87f915a07924c574e42c9ed12de30	—	2018-08-21
FileHash-SHA256	28c5a6aefcc57e2862ea16f5f2ecb1e7df84b68e98e5814533262595b237917d	—	2018-08-21
FileHash-SHA256	52374f68d1e43f1ca6cd04e5816999ba45c4e42eb0641874be25808c9fe15005	—	2018-08-21
FileHash-SHA256	9415ca80c51b2409a88e26a9eb3464db636c2e27f9c61e247d15254e6fbb31eb	—	2018-08-21
FileHash-SHA256	a3a1b1cf29a8f38d05b4292524c3496cb28f78d995dfb0a9aef7b2f949ac278b	—	2018-08-21
FileHash-SHA256	bcfacc1ad5686aee3a9d8940e46d32af62f8e1cd1631653795778736b67b6d6e	—	2018-08-21
FileHash-SHA256	c14ea9b81f782ba36ae3ea450c2850642983814a0f4dc0ea4888038466839c1e	—	2018-08-21
FileHash-SHA256	dcc159679435ae3ecee28f11bd36e76da736b01dfe9bf475ee0c88c2ffef388b	—	2018-08-21
FileHash-SHA256	e5029808f78ec4a079e889e5823ee298edab34013e50a47c279b6dc4d57b1ffc	—	2018-08-21
FileHash-SHA256	e530e16d5756cdc2862b4c9411ac3bb3b113bc87344139b4bfa2c35cd816e518	—	2018-08-21
FileHash-SHA256	e89d4f59f7f06b95f1192612560868d4bfd002f89b3ca3962bd2f2e289d14c64	—	2018-08-21
URL	http://207.148.94.157/Web.ex_	—	2018-08-21
URL	http://207.148.94.157/aio.exe	—	2018-08-21
URL	http://207.148.94.157/m.ex_	—	2018-08-21
URL	http://207.148.94.157/smb.exe	—	2018-08-21
URL	http://207.148.94.157/update/rcv50/file000.zip	—	2018-08-21
URL	http://207.148.94.157/update/rcv50/file001.zip	—	2018-08-21
URL	http://207.148.94.157/update/rcv50/update.zip	—	2018-08-21
URL	http://207.148.94.157/w	—	2018-08-21
FileHash-MD5	2895043b9d230cae6ee47c7f223a9f46	—	2018-08-21
FileHash-SHA1	4eb54d2430ff9bd765eef587987142b59ddd0a94	—	2018-08-21

References (1)

↗ http://www.trendmicro.co.kr/kr/blog/Supply-Chain-Attack-Operation-Red-Signature-Targets-South-Korean-Organizations/index.html