Malware Hidden In Software Packages Hits Developers

Threat actors connected to North Korea have been using poisoned Python packages to deliver a new malware, called PondRAT, as part of their attack strategy.

PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT, a known macOS backdoor that has been previously attributed to the Lazarus Group.

Some of these attacks are part of a persistent campaign dubbed Operation Dream Job, in which prospective targets are lured with enticing job offers in an attempt to trick them into downloading malware.

The adversary is also tracked by the wider cyber security community under the names Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736, a sub-cluster within the Lazarus Group that's also known for distributing the AppleJeus malware.

It's believed that the end goal of the attacks is to secure access to supply chain vendors through developers' endpoints and subsequently gain access to the vendors' customers' endpoints, as observed in previous incidents.

The infection chain is fairly simple: once the packages are downloaded and installed on developer systems, they are engineered to execute an encoded next-stage payload that, in turn, retrieves the Linux and macOS versions of the RAT from a remote server and runs them.
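A defender-side check for the install-time pattern described above, added here as an example rather than code from the Unit 42 report or from the campaign itself: it parses a package's setup.py with the standard `ast` module and flags exec()/eval() fed by a decoder call, network or shell imports at install time, and setuptools install-hook overrides. The two sample setup.py strings are constructed, and the module and decoder name sets are assumptions chosen for the example.

```python
import ast

DYNAMIC_EXEC = {"exec", "eval"}
DECODERS = {"b64decode", "b32decode", "a85decode", "unhexlify", "decode"}
NETWORK_OR_SHELL_MODULES = {"urllib", "requests", "socket", "subprocess", "http"}
INSTALL_HOOK_BASES = {"install", "develop", "egg_info"}

# Constructed samples (not real packages): a plain setup.py and one with an install hook
# that exec()s a decoded blob; the blob here decodes to the harmless statement "pass".
BENIGN_SETUP = 'from setuptools import setup\nsetup(name="example", version="1.0")\n'
SUSPICIOUS_SETUP = '''
import base64
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        exec(base64.b64decode("cGFzcw=="))
        install.run(self)

setup(name="example", version="1.0", cmdclass={"install": PostInstall})
'''

def _call_name(node):
    """Bare or attribute name of a Call's callee ('' for anything more complex)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    return func.attr if isinstance(func, ast.Attribute) else ""

def scan_setup_source(source):
    """Return (finding, line) tuples for constructs that should block an unreviewed install."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_OR_SHELL_MODULES:
                    findings.append((f"imports {alias.name} at install time", node.lineno))
        elif isinstance(node, ast.Call) and _call_name(node) in DYNAMIC_EXEC:
            # exec() fed directly by a decoder call is the encoded next-stage pattern.
            decoded = any(isinstance(a, ast.Call) and _call_name(a) in DECODERS for a in node.args)
            findings.append(("exec/eval of decoded payload" if decoded else "dynamic exec/eval", node.lineno))
        elif isinstance(node, ast.ClassDef):
            # A cmdclass override of install/develop runs arbitrary code during pip install.
            for base in node.bases:
                name = base.attr if isinstance(base, ast.Attribute) else getattr(base, "id", "")
                if name in INSTALL_HOOK_BASES:
                    findings.append((f"overrides setuptools {name} command", node.lineno))
    return findings
```

Run it over the sdist of any package before it reaches a build host; an empty result is not a clean bill of health, only the absence of these specific tricks.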

The aim of the hackers includes financial gain via illicit salary withdrawals, maintaining long-term access to victim networks, and likely abusing the unauthorised access for espionage or disruptive activity.

Malware Capabilities & Objectives

PondRAT is described as a lighter version of POOLRAT, designed with enhanced capabilities for both Linux and macOS platforms. It includes functionality to upload and download files, execute arbitrary commands, and pause operations based on preconfigured time intervals.

The malware’s core components resemble those of POOLRAT, particularly in how it processes commands from its command-and-control (C2) server.

The Linux and macOS variants of POOLRAT share an almost identical structure in their configuration loading mechanisms, with method names and functionality being strikingly similar across both platforms.

This continuity across operating systems suggests that the group, tracked as Gleaming Pisces, has been refining its toolkit to extend its reach and effectiveness.

Supply Chain Compromise & Developer Targeting

The strategic targeting of software developers through poisoned Python packages is part of a broader goal to gain access to supply chain vendors.

By compromising developers’ endpoints, the attackers can infiltrate vendor networks and ultimately reach the customers of these vendors, similar to the infamous 3CX incident.

This attack method poses significant risks, as successful installation of malicious packages in development environments can lead to widespread compromise within an organisation’s network.

Once inside, the malware can provide attackers with remote access, enabling data theft, espionage, and further propagation through the network.

Sources: The Hacker News | Black Hat Ethical Hacking | Security Affairs | NK Pro | Hoplon Infosec | Dark Reading

