Malware Hidden In Software Packages Hits Developers

Threat actors connected to North Korea have been using poisoned Python packages to deliver a new malware, called PondRAT, as part of their attack strategy.

PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT, a known macOS backdoor that has been previously attributed to the Lazarus Group.

Some of these attacks are part of a persistent cyber attack campaign dubbed Operation Dream Job, so that prospective targets are lured with enticing job offers in an attempt to trick them into downloading malware.

The adversary is also tracked by the wider cyber security community under the names Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736, a sub-cluster within the Lazarus Group that's also known for distributing the AppleJeus malware.

It's believed that the end goal of the attacks is to secure access to supply chain vendors through developers' endpoints and subsequently gain access to the vendors' customers' endpoints, as observed in previous incidents.

The infection chain is fairly simple in that the packages, once downloaded and installed on developer systems, are engineered to execute an encoded next-stage that, in turn, runs the Linux and macOS versions of the RAT malware after retrieving them from a remote server.

The aim of the hackers includes financial gain via illicit salary withdrawals, maintaining long-term access to victim networks, and likely abusing the unauthorised access for espionage or disruptive activity.

Malware Capabilities & Objectives

PondRAT is described as a lighter version of POOLRAT, designed with enhanced capabilities for both Linux and macOS platforms. It includes functionality to upload and download files, execute arbitrary commands, and pause operations based on preconfigured time intervals.

The malware’s core components resemble those of POOLRAT, particularly in how it processes commands from its command-and-control (C2) server.

The Linux and macOS variants of POOLRAT share an almost identical structure in their configuration loading mechanisms, with method names and functionality being strikingly similar across both platforms.

This continuity across different operating systems suggests that Gleaming Pisces has been refining its toolkit to enhance its reach and effectiveness.

Supply Chain Compromise & Developer Targeting

The strategic targeting of software developers through poisoned Python packages is part of a broader goal to gain access to supply chain vendors.

By compromising developers’ endpoints, the attackers can infiltrate vendor networks and ultimately reach the customers of these vendors, similar to the infamous 3CX incident.

This attack method poses significant risks, as successful installation of malicious packages in development environments can lead to widespread compromise within an organisation’s network.

Once inside, the malware can provide attackers with remote access, enabling data theft, espionage, and further propagation through the network.

The Hacker News     |     Black Hat Ethical Hacking     |     Security Affairs     |     NK Pro   |   Hoplon Infosec   |  

Dark Reading


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Russian Faces 20 Year In Prison For DDoS Attack
New LinkedIn AI Data Policies Raise Concerns »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Cybersecurity Philippines CERT (CSP-CERT)

Cybersecurity Philippines CERT (CSP-CERT)

Cybersecurity Philippines CERT is the national Computer Emergency Response Team for the Philippines.

Detack

Detack

Detack is an independent supplier of IT security auditing and consulting services.

OmniNet

OmniNet

OmniNet delivers the next generation of cybersecurity and is the only provider in the market to move the edge of small businesses to a virtual, omnipresent perimeter.

Synack

Synack

Synack provides a hacker-powered intelligence platform that uncovers security vulnerabilities that often remain undetected by traditional pen testers and scanners.

Calian Group

Calian Group

Calian is a diverse Canadian company offering professional services in areas including Advanced Technologies, Health, Learning and IT & Cyber Solutions.

Trapmine

Trapmine

TRAPMINE is an innovative cybersecurity products company mainly focusing on protecting organizations from Advanced Persistent Threat & Zero-Day attacks.

CyberStream

CyberStream

CyberStream, a division of the TechStream Group, is an information & cybersecurity talent acquisition solution provider.

GitGuardian

GitGuardian

Enable developers, ops, security and compliance professionals to enforce security policies across public and private code, and other data sources as well

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub is a non-profit network organization focused on cooperation, information sharing, research and implementation of cutting-edge technologies in cybersecurity.

Polymer Solutions

Polymer Solutions

Polymer is a Data Governance & Privacy Platform for third party SaaS apps. A modern Data Loss Protection (DLP) approach to remove sensitive data exposure on collaboration tools in real-time.

Centraleyes

Centraleyes

Centraleyes (formerly CyGov) is a cutting-edge integrated cyber risk management platform that gives organizations unparalleled understanding of their cyber risk and compliance.

Perygee

Perygee

Perygee is a fully integrated platform for operational security. Companies depend on Perygee to identify and streamline the most important security practices for their operations.

Silk Security

Silk Security

Silk is the first platform that enables enterprises to take a strategic, sustainable approach to resolving code, infrastructure and application risk.

Computer Futures

Computer Futures

Computer Futures are a global specialist IT recruitment partner, matching candidates with roles across niche IT markets and core technologies.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Instil Software

Instil Software

Instil helps technology brands transform, innovate and disrupt their markets with category-defining software products that challenge us to think, feel and act in new ways.