Malware Hidden In Software Packages Hits Developers

Uploaded on 2024-10-01 in FREE TO VIEW

Threat actors connected to North Korea have been using poisoned Python packages to deliver a new malware, called PondRAT, as part of their attack strategy.

PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT, a known macOS backdoor that has been previously attributed to the Lazarus Group.

Some of these attacks are part of a persistent cyber attack campaign dubbed Operation Dream Job, so that prospective targets are lured with enticing job offers in an attempt to trick them into downloading malware.

The adversary is also tracked by the wider cyber security community under the names Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736, a sub-cluster within the Lazarus Group that's also known for distributing the AppleJeus malware.

It's believed that the end goal of the attacks is to secure access to supply chain vendors through developers' endpoints and subsequently gain access to the vendors' customers' endpoints, as observed in previous incidents.

The infection chain is fairly simple in that the packages, once downloaded and installed on developer systems, are engineered to execute an encoded next-stage that, in turn, runs the Linux and macOS versions of the RAT malware after retrieving them from a remote server.

The aim of the hackers includes financial gain via illicit salary withdrawals, maintaining long-term access to victim networks, and likely abusing the unauthorised access for espionage or disruptive activity.

Malware Capabilities & Objectives

PondRAT is described as a lighter version of POOLRAT, designed with enhanced capabilities for both Linux and macOS platforms. It includes functionality to upload and download files, execute arbitrary commands, and pause operations based on preconfigured time intervals.

The malware’s core components resemble those of POOLRAT, particularly in how it processes commands from its command-and-control (C2) server.

The Linux and macOS variants of POOLRAT share an almost identical structure in their configuration loading mechanisms, with method names and functionality being strikingly similar across both platforms.

This continuity across different operating systems suggests that Gleaming Pisces has been refining its toolkit to enhance its reach and effectiveness.

Supply Chain Compromise & Developer Targeting

The strategic targeting of software developers through poisoned Python packages is part of a broader goal to gain access to supply chain vendors.

By compromising developers’ endpoints, the attackers can infiltrate vendor networks and ultimately reach the customers of these vendors, similar to the infamous 3CX incident.

This attack method poses significant risks, as successful installation of malicious packages in development environments can lead to widespread compromise within an organisation’s network.

Once inside, the malware can provide attackers with remote access, enabling data theft, espionage, and further propagation through the network.

The Hacker News     |     Black Hat Ethical Hacking     |     Security Affairs     |     NK Pro   |   Hoplon Infosec   |  

Dark Reading

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Russian Faces 20 Year In Prison For DDoS Attack
New LinkedIn AI Data Policies Raise Concerns »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

UZCERT

UZCERT

UZCERT is the national Computer Emergency Response Team for Uzbekistan.

Compumatica

Compumatica

Compumatica is a leading European ICT security manufacturer for cybersecurity and encryption products. Solutions include network security, SCADA/ICS security, Mobile/BYOD and email encryption.

SysTools

SysTools

SysTools provides a range of services including data recovery, digital forensics, and cloud backup solutions.

Information & eGovernment Authority (iGA) - Bahrain

Information & eGovernment Authority (iGA) - Bahrain

The Information & eGovernment Authority facilitates many services catering to different parts of the community within the IT sector in Bahrain including information security.

Risk Ident

Risk Ident

RISK IDENT specializes in supporting enterprises in identifying and preventing criminal activity like payment fraud, account takeovers and identity theft.

Open Cloud Factory

Open Cloud Factory

Open Cloud Factory is a European based security company, that strives to ease the pressure on IT managers, by providing tools to implement your Security Strategy in an effective and easy manner.

Webtotem

Webtotem

Webtotem's mission is to prevent the global epidemic of website infection and provide every website owner with basic security rights.

BIO-key

BIO-key

BIO-key is a pioneer and innovator, we are recognized as a leading developer of fingerprint biometric authentication and security solutions.

FirstWave Cloud Technology

FirstWave Cloud Technology

FirstWave Cloud Technology is a global cyber security company which has been delivering Cybersecurity-as-a-service solutions to the market since 2004.

Noname Security

Noname Security

Noname Security detects and resolves API vulnerabilities and misconfigurations before they are exploited.

Trellix

Trellix

Trellix is an extended detection and response (XDR) solutions provider created from a merger of McAfee Enterprise and FireEye Products.

Riskonnect

Riskonnect

Riskonnect technology empowers organizations with the ability to anticipate, manage, and respond in real-time to strategic, operational, and digital risks across the extended enterprise.

Moore ClearComm

Moore ClearComm

Moore ClearComm is part of Moore Kingston Smith a leading UK firm of accountants and business advisers. Our services include Data Privacy, Cyber Security, Business Continuity and Information Security.

RADICL

RADICL

RADICL's mission is to give SMBs that serve America's Defense Industrial Base (DIB) access to strong, enterprise-grade cyber security protection.

Bestman Solutions

Bestman Solutions

As a specialist cyber security practice, we believe that people are an organisation’s most valuable asset. Success depends on hiring the right people, and this is where we come in.

Blue Goat Cyber

Blue Goat Cyber

Blue Goat stands at the forefront of cybersecurity, particularly in medical device security and penetration testing.