Threat actors associated with North Korea have been observed using malicious Python packages to deliver a new malware known as PondRAT as part of an ongoing campaign.
PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT (also known as SIMPLESEA), a known macOS backdoor previously attributed to the Lazarus Group and deployed in attacks related to the 3CX supply chain compromise last year.
Some of these attacks are part of a long-running cyber attack campaign dubbed Operation Dream Job, in which prospective targets are lured with enticing job offers in an attempt to trick them into downloading malware.
“The perpetrators behind this campaign uploaded numerous tainted Python packages to PyPI, a popular repository of open-source Python bundles,” said Unit 42 researcher Yoav Zemah, attributing the activity with reasonable confidence to a threat actor tracked as Gleaming Pisces.
The adversary is also tracked by the wider cybersecurity community under the names Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736, a sub-cluster within the Lazarus Group that is also known for distributing the AppleJeus malware.
It is believed that the primary objective of the attacks is to “obtain entry to supply chain vendors through developers’ endpoints and subsequently breach the vendors’ customers’ endpoints, as previously observed in similar incidents.”
The list of malicious packages, since removed from the PyPI repository, is provided below –
The infection chain is fairly straightforward: once the packages are downloaded and installed on developer systems, they are engineered to execute an encoded next stage, which in turn retrieves the Linux and macOS versions of the RAT malware from a remote server and launches them.
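As an added illustration (not Unit 42's code or the attackers' packages), the following static triage script flags the install-time pattern described above in a setup.py: a custom install hook registered through cmdclass, an exec/eval over a decoded blob, or a network import in the install script. Both setup scripts below are constructed samples, and the encoded string is inert text, not a real payload.

```python
import ast

# Constructed sample resembling a trojanized setup.py; the encoded blob is inert text.
SUSPICIOUS_SETUP = '''
import base64, setuptools
from setuptools.command.install import install
class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
setuptools.setup(name="pkg", cmdclass={"install": PostInstall})
'''
# Constructed benign sample for comparison.
BENIGN_SETUP = '''
import setuptools
setuptools.setup(name="pkg", version="1.0", packages=["pkg"])
'''
NETWORK_MODULES = {"urllib", "requests", "socket", "http"}
DECODERS = {"b64decode", "a85decode", "b32decode", "unhexlify", "decompress"}

def _callee(node):
    """Dotted name of a call target, e.g. 'base64.b64decode'; '' if not a plain name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return f"{_callee(node.value)}.{node.attr}"
    return ""

def triage(source):
    """Return human-readable findings for one install script (empty list if clean)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            findings += [f"network import in install script: {m}" for m in mods
                         if m.split(".")[0] in NETWORK_MODULES]
        elif isinstance(node, ast.Call):
            callee = _callee(node.func)
            if callee in ("exec", "eval"):
                # Decoder calls nested anywhere inside the exec/eval argument.
                nested = [_callee(c.func).split(".")[-1] for c in ast.walk(node)
                          if isinstance(c, ast.Call) and c is not node]
                how = "over a decoded blob" if any(n in DECODERS for n in nested) else "in install script"
                findings.append(f"{callee}() {how} at line {node.lineno}")
            elif callee.split(".")[-1] == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
                findings.append(f"custom install hook registered via cmdclass at line {node.lineno}")
    return findings
```

Run triage() over the setup.py of each package before installing it from an untrusted index; an install hook combined with a decoded exec or a network import is the signature of the first stage described above and warrants manual review rather than a blind install.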
A closer analysis of PondRAT has revealed similarities with both POOLRAT and AppleJeus, with the attacks also distributing new Linux variants of POOLRAT.
“The Linux and macOS versions [of POOLRAT] adopt an identical function structure for loading their configurations, showcasing similar method names and functionalities,” Zemah remarked.
“In addition, the method names in both versions are remarkably akin, and the strings are practically the same. Finally, the mechanism managing commands from the [command-and-control server] is nearly indistinguishable.”
PondRAT, a stripped-down variant of POOLRAT, comes with capabilities to upload and download files, sleep for a configurable interval, and execute arbitrary commands.

“The evidence of additional Linux versions of POOLRAT demonstrates that Gleaming Pisces has been enhancing its capabilities on both Linux and macOS platforms,” Unit 42 stated.
“The exploitation of authentic-looking Python bundles across various operating systems poses a substantial threat to organizations. Successful installation of malicious third-party bundles can result in malware infiltration compromising an entire network.”
The disclosure comes as KnowBe4, which unwittingly hired a North Korean threat actor, revealed that more than a dozen companies “either recruited North Korean employees or were inundated with numerous counterfeit resumes and applications submitted by North Koreans aiming to secure a job with their company.”
It described the activity, tracked by CrowdStrike under the name Famous Chollima, as a “sophisticated, industrial, wide-ranging nation-state campaign” that poses a “considerable threat for any business with exclusively remote staff.”