As part of an ongoing campaign, North Korean-affiliated threat actors have been seen deploying poisoned Python packages to spread a new piece of malware known as PondRAT.
New research from Palo Alto Networks Unit 42 indicates that PondRAT is a lighter variant of POOLRAT, also known as SIMPLESEA, a well-known macOS backdoor that was used in attacks linked to the 3CX supply chain hack last year and has previously been attributed to the Lazarus Group.
Some of these assaults are a part of an ongoing cyberattack effort known as Operation Dream Employment, in which potential victims are tricked into downloading malware by luring them in with attractive employment offers.
“The attackers behind this campaign uploaded several poisoned Python packages to PyPI, a popular repository of open-source Python packages,” said Yoav Zemah, a researcher at Unit 42, who attributed the activity with a moderate degree of confidence to a threat actor known as Gleaming Pisces.
The adversary is also tracked by the broader cybersecurity community under the aliases Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736, a sub-cluster of the Lazarus Group that is also suspected of spreading the AppleJeus malware.
It’s believed that the end goal of the attacks is to “secure access to supply chain vendors through developers’ endpoints and subsequently gain access to the vendors’ customers’ endpoints, as observed in previous incidents.”
Below is a list of harmful packages that have been deleted from the PyPI repository:
- real-ids (893 downloads)
- coloredtxt (381 downloads)
- beautifultext (736 downloads)
- minisound (416 downloads)
The packages are designed to execute an encoded next stage once they are downloaded and installed on developer machines. That stage then retrieves the Linux and macOS versions of the RAT from a remote server and launches them, which makes the infection chain fairly straightforward.
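As an added illustration of the install-time pattern described above (this is not Unit 42's tooling, nor code from any of the packages named in the article), the following Python script statically triages a package's setup.py for the hallmarks of an encoded next stage launched during installation: a custom setuptools install command, exec() or eval() applied to decoded data, and imports a build script has no reason to need. The sample setup.py it scans is constructed for the example; its encoded blob merely prints a line, and the scanner never executes it.

```python
"""Static triage of a Python package's setup.py for install-time code
execution patterns.  Added example; the sample setup.py below is constructed
for illustration and is not one of the packages named in the article."""
import ast
import base64

# Constructed sample: a setup.py that decodes and runs a blob during install.
# The blob is harmless here (it only prints a line); only its shape matters.
PAYLOAD = base64.b64encode(b'print("placeholder next-stage")').decode()
SAMPLE_SETUP_PY = f'''
import base64, subprocess
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode("{PAYLOAD}"))

setup(name="example-pkg", version="0.1", cmdclass={{"install": PostInstall}})
'''

# Modules that a package's setup.py has no legitimate reason to import.
SUSPICIOUS_IMPORTS = {"subprocess", "socket", "urllib", "requests", "ctypes"}
DYNAMIC_EXEC = {"exec", "eval"}
# Call names that indicate a decode/decompress step feeding the executor.
DECODE_HINTS = {"b64decode", "b32decode", "a85decode", "unhexlify",
                "decompress", "fromhex"}
SETUPTOOLS_COMMANDS = {"install", "develop", "egg_info"}


def _call_name(node: ast.Call) -> str:
    """Return the bare name of a call target, e.g. 'exec' or 'b64decode'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def _mentions_decoder(node: ast.AST) -> bool:
    """True if any call nested inside `node` looks like a decode step."""
    return any(isinstance(n, ast.Call) and _call_name(n) in DECODE_HINTS
               for n in ast.walk(node))


def triage_setup_py(source: str) -> list[tuple[int, str]]:
    """Return sorted (line, reason) findings for install-time execution patterns."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_IMPORTS:
                    findings.append((node.lineno, f"setup.py imports {alias.name}"))
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in SUSPICIOUS_IMPORTS:
                findings.append((node.lineno, f"setup.py imports from {node.module}"))
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DYNAMIC_EXEC:
                reason = f"{name}() called"
                if _mentions_decoder(node):
                    reason += " on decoded data"
                findings.append((node.lineno, reason))
            elif name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append((node.lineno, "setup() overrides cmdclass (custom install hook)"))
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                if isinstance(base, ast.Name) and base.id in SETUPTOOLS_COMMANDS:
                    findings.append((node.lineno,
                                     f"class {node.name} subclasses setuptools '{base.id}' command"))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in triage_setup_py(SAMPLE_SETUP_PY):
        print(f"line {line}: {reason}")
```

Run against the constructed sample, the script reports the subprocess import, the install-command subclass, the exec() on decoded data, and the cmdclass override. None of these heuristics proves a package is malicious, but any hit on a dependency pulled from a public index is reason to inspect the source in isolation before it reaches a developer's machine or a build pipeline.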
Additional investigation of PondRAT has shown that it shares characteristics with AppleJeus and POOLRAT, and that the attacks also disseminate new Linux variants of POOLRAT.
“The Linux and macOS versions [of POOLRAT] use an identical function structure for loading their configurations, featuring similar method names and functionality,” Zemah said.
“Additionally, the method names in both variants are strikingly similar, and the strings are almost identical. Lastly, the mechanism that handles commands from the [command-and-control server] is nearly identical.”
A more stripped-down variant of POOLRAT called PondRAT can upload and download data, suspend activities for a specified amount of time, and run arbitrary commands.
“The evidence of additional Linux variants of POOLRAT showed that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms,” Unit 42 said.
“The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organizations. Successful installation of malicious third-party packages can result in malware infection that compromises an entire network.”
The revelation coincides with KnowBe4’s claim that over a dozen organizations were tricked into recruiting a North Korean threat actor as an employee; the companies “either hired North Korean employees or had been besieged by a multitude of fake resumes and applications submitted by North Koreans hoping to get a job with their organization.”
It described the activity, tracked by CrowdStrike under the moniker Famous Chollima, as a “complex, industrial, scaled nation-state operation” and said that it poses a “serious risk for any company with remote-only employees.”