Malware Hidden In Software Packages Hits Developers

Threat actors connected to North Korea have been using poisoned Python packages to deliver a new malware, called PondRAT, as part of their attack strategy.

PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT, a known macOS backdoor that has been previously attributed to the Lazarus Group.

Some of these attacks are part of a persistent cyber attack campaign dubbed Operation Dream Job, so that prospective targets are lured with enticing job offers in an attempt to trick them into downloading malware.

The adversary is also tracked by the wider cyber security community under the names Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736, a sub-cluster within the Lazarus Group that's also known for distributing the AppleJeus malware.

It's believed that the end goal of the attacks is to secure access to supply chain vendors through developers' endpoints and subsequently gain access to the vendors' customers' endpoints, as observed in previous incidents.

The infection chain is fairly simple in that the packages, once downloaded and installed on developer systems, are engineered to execute an encoded next-stage that, in turn, runs the Linux and macOS versions of the RAT malware after retrieving them from a remote server.

The aim of the hackers includes financial gain via illicit salary withdrawals, maintaining long-term access to victim networks, and likely abusing the unauthorised access for espionage or disruptive activity.

Malware Capabilities & Objectives

PondRAT is described as a lighter version of POOLRAT, designed with enhanced capabilities for both Linux and macOS platforms. It includes functionality to upload and download files, execute arbitrary commands, and pause operations based on preconfigured time intervals.

The malware’s core components resemble those of POOLRAT, particularly in how it processes commands from its command-and-control (C2) server.

The Linux and macOS variants of POOLRAT share an almost identical structure in their configuration loading mechanisms, with method names and functionality being strikingly similar across both platforms.

This continuity across different operating systems suggests that Gleaming Pisces has been refining its toolkit to enhance its reach and effectiveness.

Supply Chain Compromise & Developer Targeting

The strategic targeting of software developers through poisoned Python packages is part of a broader goal to gain access to supply chain vendors.

By compromising developers’ endpoints, the attackers can infiltrate vendor networks and ultimately reach the customers of these vendors, similar to the infamous 3CX incident.

This attack method poses significant risks, as successful installation of malicious packages in development environments can lead to widespread compromise within an organisation’s network.

Once inside, the malware can provide attackers with remote access, enabling data theft, espionage, and further propagation through the network.

The Hacker News     |     Black Hat Ethical Hacking     |     Security Affairs     |     NK Pro   |   Hoplon Infosec   |  

Dark Reading


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Russian Faces 20 Year In Prison For DDoS Attack
New LinkedIn AI Data Policies Raise Concerns »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NCX Group

NCX Group

NCX Group is committed to helping customers identify and mitigate the risks inherent in today’s interconnected environments and business processes.

Cyber Security Centre - University of Hertfordshire

Cyber Security Centre - University of Hertfordshire

The Cyber Security Centre provides training, teaching and research in the fast paced topics of cyber security and digital forensics.

Brinqa

Brinqa

Brinqa is a leading provider of unified risk management and security analytics.to manage IT governance and technology risk.

Center for Identity - University of Texas at Austin

Center for Identity - University of Texas at Austin

The mission of the Center is to deliver the highest-quality discoveries, applications, education, and outreach for excellence in identity management, privacy, and security.

SySS

SySS

SySS is a market leader in penetration testing in Germany and Europe.

Taqnia Cyber

Taqnia Cyber

Taqnia Cyber specializes in the fields of cyber security, intelligence, operations, and training. It offers its services and consultations to both public and private sectors.

Findings

Findings

Findings (formerly IDRRA) is a scalable AI powered assessment platform that streamlines security compliance across sectors, jurisdictions and regulatory frameworks.

Haventec

Haventec

Haventec’s internationally patented technologies reduce cyber risk and enable pervasive trust services with a decentralised approach to authentication.

SensorHound

SensorHound

SensorHound’s mission is to improve the security and reliability of the Internet of Things (IoT).

Curtail

Curtail

Curtail keeps businesses running by using live traffic analysis to identify defects before software goes live, and detect and isolate security threats before they impact systems.

Newberry Group

Newberry Group

The Newberry Group provides comprehensive IT services and solutions that optimize operations, minimize risk and deliver measurable business value.

Fastcomcorp

Fastcomcorp

Fastcomcorp offers a world-class proactive cyber security defense and risk management consulting. Including Darkweb monitoring and posture assessments.

Cirosec

Cirosec

Cirosec is a specialized company with a focus on information security. We carry out pentests & audits and advise our customers in the German-speaking countries on information and IT security issues.

SolCyber

SolCyber

SolCyber, a Forgepoint company, is the first modern MSSP to deliver a curated stack of enterprise strength security tools and services that are accessible and affordable for any organization.

Metabase Q

Metabase Q

Metabase Q protects you from financial and reputational losses with more efficient and intelligent cybersecurity, using the best worldwide in technologies, processes and specialists.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.