Threat actors with ties to North Korea have been observed using poisoned Python packages as a way to deliver a new malware called PondRAT as part of an ongoing campaign.
PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor that has been previously attributed to the Lazarus Group and deployed in attacks related to the 3CX supply chain compromise last year.
Some of these attacks are part of a persistent cyber attack campaign dubbed Operation Dream Job, wherein prospective targets are lured with enticing job offers in an attempt to trick them into downloading malware.
“The attackers behind this campaign uploaded several poisoned Python packages to PyPI, a popular repository of open-source Python packages,” Unit 42 researcher Yoav Zemah said, linking the activity with moderate confidence to a threat actor called Gleaming Pisces.
The adversary is also tracked by the wider cybersecurity community under the names Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736, a sub-cluster within the Lazarus Group that’s also known for distributing the AppleJeus malware.
It’s believed that the end goal of the attacks is to “secure access to supply chain vendors through developers’ endpoints and subsequently gain access to the vendors’ customers’ endpoints, as observed in previous incidents.”
The list of malicious packages, now removed from the PyPI repository, is below –
real-ids (893 downloads)
coloredtxt (381 downloads)
beautifultext (736 downloads)
minisound (416 downloads)
The infection chain is fairly simple in that the packages, once downloaded and installed on developer systems, are engineered to execute an encoded next-stage that, in turn, runs the Linux and macOS versions of the RAT malware after retrieving them from a remote server.
Further analysis of PondRAT has revealed similarities with both POOLRAT and AppleJeus, with the attacks also distributing new Linux variants of POOLRAT.
“The Linux and macOS versions [of POOLRAT] use an identical function structure for loading their configurations, featuring similar method names and functionality,” Zemah said.
“Additionally, the method names in both variants are strikingly similar, and the strings are almost identical. Lastly, the mechanism that handles commands from the [command-and-control server] is nearly identical.”
PondRAT, a leaner version of POOLRAT, comes with capabilities to upload and download files, pause operations for a predefined time interval, and execute arbitrary commands.
“The evidence of additional Linux variants of POOLRAT showed that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms,” Unit 42 said.
“The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organizations. Successful installation of malicious third-party packages can result in malware infection that compromises an entire network.”
The disclosure comes as KnowBe4, which was duped into hiring a North Korean threat actor as an employee, said more than a dozen companies “either hired North Korean employees or had been besieged by a multitude of fake resumes and applications submitted by North Koreans hoping to get a job with their organization.”
It described the activity, tracked by CrowdStrike under the moniker Famous Chollima, as a “complex, industrial, scaled nation-state operation” and that it poses a “serious risk for any company with remote-only employees.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.