Threat actors with links to North Korea have been observed using poisoned Python packages to deliver a new malware strain named PondRAT as part of an ongoing campaign.
PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter variant of POOLRAT (aka SIMPLESEA), a known macOS backdoor previously attributed to the Lazarus Group and used in attacks connected to the 3CX supply chain hack last year.
Some of these attacks are part of an ongoing cyber attack operation named Operation Dream Job, in which potential targets are enticed with alluring employment offers in an effort to deceive them into downloading malware.
"The attackers behind this campaign uploaded several poisoned Python packages to PyPI, a popular repository of open-source Python packages," Unit 42 researcher Yoav Zemah noted, tying the activity with moderate confidence to a threat actor dubbed Gleaming Pisces.
The adversary is also tracked by the larger cybersecurity community under the names Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736, a sub-cluster inside the Lazarus Group that's also known for distributing the AppleJeus malware.
It's suspected that the ultimate goal of the attacks is to "secure access to supply chain vendors through developers' endpoints and subsequently gain access to the vendors' customers' endpoints, as observed in previous incidents."
The list of malicious packages, now removed from the PyPI repository, is as follows:
real-ids (893 downloads)
coloredtxt (381 downloads)
beautifultext (736 downloads)
minisound (416 downloads)
The infection chain is straightforward: once the packages are downloaded and installed on a developer's machine, they execute an encoded next-stage that, in turn, downloads the Linux and macOS versions of the RAT malware from a remote server and runs them.
Further analysis of PondRAT has identified similarities with both POOLRAT and AppleJeus, with the attacks also delivering new Linux versions of POOLRAT.
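A defender-side audit of the infection chain described above, added here as an example and not code from the Unit 42 report: it checks the installed Python distributions against the four package names from the article (normalized so that case and separator variants still match) and flags source lines that hand a decoded blob straight to `exec`/`eval`, the shape of an "encoded next-stage". The sample `setup.py` text is constructed and is only scanned, never executed; the regex is a heuristic assumption, not a signature from the report.

```python
import re
from importlib import metadata

# Package names taken from the article's list of packages removed from PyPI.
KNOWN_MALICIOUS = {"real-ids", "coloredtxt", "beautifultext", "minisound"}

# Heuristic (assumed, not from the report): a decoded/decompressed blob passed
# directly to exec or eval, the typical shape of an encoded install-time stage.
ENCODED_EXEC = re.compile(
    r"\b(exec|eval)\s*\(\s*(base64\.b64decode|bytes\.fromhex|codecs\.decode|zlib\.decompress)"
)


def normalize(name: str) -> str:
    """PEP 503 normalization so Real_IDs / real.ids / real-ids compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_known_bad(installed):
    """Return the installed names that match the article's package list."""
    return sorted(n for n in installed if normalize(n) in KNOWN_MALICIOUS)


def suspicious_lines(source: str):
    """Return (line_no, line) pairs where a decoded blob is fed to exec/eval."""
    return [(i, line.strip()) for i, line in enumerate(source.splitlines(), 1)
            if ENCODED_EXEC.search(line)]


def audit_environment():
    """Check every distribution visible to this interpreter."""
    names = [d.metadata["Name"] for d in metadata.distributions()]
    return find_known_bad(names)


# Constructed sample mimicking a setup.py with an encoded stage; it is a string
# that is scanned, not run (the blob decodes to a harmless print call).
SAMPLE_SETUP = '''
from setuptools import setup
import base64
setup(name="demo")
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
'''

if __name__ == "__main__":
    print("known-bad packages installed:", audit_environment() or "none")
    for n, line in suspicious_lines(SAMPLE_SETUP):
        print(f"line {n}: {line}")
```

Run it inside the virtual environment you want to check; the same functions can be pointed at a downloaded sdist's `setup.py` before installing it.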
"The Linux and macOS versions [of POOLRAT] use an identical function structure for loading their configurations, featuring similar method names and functionality," Zemah stated.
"Additionally, the method names in both instances are extremely similar, and the strings are practically identical. Lastly, the system that processes instructions from the [command-and-control server] is almost similar."
PondRAT, a leaner version of POOLRAT, offers the ability to upload and download files, sleep for a preset period of time, and execute arbitrary commands.
"The evidence of additional Linux variants of POOLRAT showed that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms," Unit 42 claimed.
"The weaponization of legitimate-looking Python packages across many operating systems presents a serious danger to enterprises. Successful installation of harmful third-party packages may result in malware infection that compromises a whole network."
The disclosure comes as KnowBe4, which was duped into hiring a North Korean threat actor as an employee, said more than a dozen companies "either hired North Korean employees or had been besieged by a multitude of fake resumes and applications submitted by North Koreans hoping to get a job with their organization."
It described the activity, tracked by CrowdStrike under the alias Famous Chollima, as a "complex, industrial, scaled nation-state operation" and said it presents a "serious risk for any company with remote-only employees."