PondRAT Malware Hidden in Python Packages
Threat actors associated with North Korea have been observed uploading poisoned Python packages to PyPI to distribute a new malware variant known as PondRAT. The activity appears to continue an existing campaign of cyber attacks that specifically targets software developers.
Understanding PondRAT and Its Origins
PondRAT is believed to be a lighter version of a previously identified malware called POOLRAT (also known as SIMPLESEA), a backdoor used in attacks against macOS systems. Both are attributed to the Lazarus Group, a state-sponsored threat actor linked to the North Korean government, which was also behind the 3CX supply chain attack in 2023.
Operation Dream Job Campaign
Some PondRAT samples have been tied to a broader campaign dubbed Operation Dream Job, in which targets are lured with attractive job offers and tricked into downloading malicious software.
Infiltration via Python Packages
According to Unit 42 researcher Yoav Zemah, the attackers uploaded several poisoned Python packages to PyPI, the main repository for open-source Python software. Unit 42 links the activity with moderate confidence to the threat actor it tracks as Gleaming Pisces. Other vendors track the same group as Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736; it is a sub-cluster within the Lazarus Group known for distributing the AppleJeus malware.
Malicious Packages and Infection Chain
The malicious packages, which have since been removed from PyPI, included:
- real-ids (893 downloads)
- coloredtxt (381 downloads)
- beautifultext (736 downloads)
- minisound (416 downloads)
Once one of these packages is installed on a developer's system, it runs a loader that fetches the Linux and macOS builds of the RAT (Remote Access Trojan) from a remote server and executes them. The infection chain is simple: it needs no exploit, only the developer's trust in whatever `pip install` pulls from PyPI.
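A practical first check for a team that may have pulled one of these packages is to scan requirement files and `pip freeze` output for the four names. The following is an added example, not code from the article or from Unit 42; the sample requirements lines are constructed, and the only real data in it is the list of package names reported above. The one non-obvious step is PEP 503 name normalization: PyPI treats `Real_IDS`, `real.ids` and `real-ids` as the same project, so a naive string comparison would miss a dependency written in a different form.

```python
import re

# The four PyPI package names reported in the article (since removed from PyPI).
PONDRAT_PACKAGES = {"real-ids", "coloredtxt", "beautifultext", "minisound"}

_NORMALIZE_RE = re.compile(r"[-_.]+")


def normalize_name(name):
    """PEP 503 normalization: lowercase and collapse runs of '-', '_', '.' into one '-'."""
    return _NORMALIZE_RE.sub("-", name).lower()


def parse_requirement_name(line):
    """Return the project name from a requirements.txt / pip freeze line, or None.

    Handles comments, version specifiers, extras ("pkg[extra]==1.0") and skips
    pip options (-r, -e, --index-url) and URL requirements, which carry no name.
    """
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("-", "git+", "http://", "https://")):
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def find_malicious(lines, blocklist=PONDRAT_PACKAGES):
    """Return (line_number, name_as_written, line) for every line naming a blocklisted package."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        name = parse_requirement_name(line)
        if name and normalize_name(name) in blocklist:
            hits.append((lineno, name, line.strip()))
    return hits


# Constructed sample requirements file for demonstration; not real project data.
SAMPLE_REQUIREMENTS = [
    "# constructed sample requirements.txt",
    "requests>=2.31",
    "Real_IDS==1.0.2",                          # same project as real-ids on PyPI
    "beautifulsoup4",                           # legitimate near-miss, must not match
    "coloredtxt  # used for terminal colors",
    "-e .",                                     # pip option, no package name
    "minisound[audio]==0.1",                    # extras are stripped before matching
]

if __name__ == "__main__":
    # In practice feed this the lines of a requirements file or of `pip freeze` output.
    for lineno, name, line in find_malicious(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {name!r} matches a known PondRAT package ({line})")
```

Running it against the constructed sample flags `Real_IDS`, `coloredtxt` and `minisound` and leaves `beautifulsoup4` alone. A hit means the package was at least requested; check `pip show <name>` on the affected hosts and treat any machine that installed it as compromised until it has been examined.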
Capabilities and Risks
Further analysis shows that PondRAT shares code with both POOLRAT and AppleJeus, suggesting that Gleaming Pisces is extending its toolset to cover Linux as well as macOS. A successful deployment on a developer workstation gives the attacker a foothold that can lead to a wider network compromise.
Broader Implications for Businesses
Separately, the security firm KnowBe4 disclosed that it had been deceived into hiring a North Korean threat actor who applied as a remote employee. More than a dozen other companies reportedly hired North Korean individuals or were flooded with fraudulent resumes. The activity has been characterized as a "complex, industrial, scaled nation-state operation" and highlights the risk for companies that hire remote-only staff.
In conclusion, businesses and developers are advised to remain vigilant against software supply chain threats, to vet third-party packages before installing them, and to scrutinize job applicants more closely in order to mitigate these emerging cybersecurity risks.