A recent cyber campaign linked to North Korean threat actors is using compromised Python packages to distribute a new malware strain known as PondRAT. This malware appears to be a streamlined version of POOLRAT (also called SIMPLESEA), a previously identified macOS backdoor attributed to the Lazarus Group, which was involved in the 3CX supply chain attacks last year.
These malicious activities are part of an ongoing operation named “Operation Dream Job,” where hackers entice software developers with attractive job offers, leading them to unknowingly download malware.
According to a new report, the attackers uploaded multiple tampered Python packages to PyPI, a well-known open-source repository for Python projects. The attack has been tentatively linked to a cyber threat actor referred to as Gleaming Pisces.
The group, also identified by other names such as Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736, is a sub-division of the notorious Lazarus Group, known for distributing the AppleJeus malware. Their primary objective appears to be gaining access to software developers’ systems, which they then leverage to infiltrate supply chain vendors and, ultimately, their customers’ networks.
The compromised Python packages, now removed from PyPI, included:
– real-ids (893 downloads)
– coloredtxt (381 downloads)
– beautifultext (736 downloads)
– minisound (416 downloads)
Once these packages are installed, they execute a series of encoded commands that download and activate Linux and macOS versions of the RAT malware from a remote server. Analysis shows PondRAT shares significant similarities with both POOLRAT and AppleJeus, demonstrating near-identical code structures and functionalities across both operating systems. This suggests the threat actor has been enhancing their capabilities across platforms.
PondRAT includes functionalities such as file upload and download, pausing operations for set durations, and executing arbitrary commands. The development of additional Linux versions indicates that Gleaming Pisces is actively expanding its malware arsenal for cross-platform attacks.
The use of seemingly legitimate Python packages to spread malware poses a severe threat to organizations. Once installed, these third-party packages can lead to widespread network compromise and significant security breaches.
This disclosure follows another report where over a dozen companies were tricked into hiring North Korean threat actors or were targeted with fake resumes. The operation, referred to as Famous Chollima, represents a sophisticated nation-state strategy, posing a serious threat to any business relying on remote employees.
To safeguard against such threats, organizations should implement strict security protocols for code dependencies. This includes vetting all third-party packages, using automated tools to monitor for malicious updates, and educating employees on potential phishing tactics used to lure developers.