PondRAT Malware Targets Linux and macOS Python Developers in New Attack

Threat Group: Gleaming Pisces (also known as Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736)
Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: Software supply chain compromise via malicious packages published to the Python Package Index (PyPI)
Malware Used: PondRAT (variant of POOLRAT)
Threat Score: High (8.3/10)
Last Threat Observation: September 22, 2024


Overview

PondRAT, a Remote Access Trojan (RAT) attributed to the North Korean APT group Gleaming Pisces, has been delivered through malicious Python packages published on PyPI. The packages target developers working on Linux and macOS, exposing their environments to supply chain compromise. Once installed, PondRAT lets the attackers upload and download files and execute arbitrary commands remotely, a significant threat to software development environments and the networks they connect to.

Key Details

  • Delivery Method: Poisoned Python packages (real-ids, coloredtxt, beautifultext, minisound) on PyPI.
  • Target: Linux and macOS developers, with potential infiltration into vendor and customer networks.
  • Functions:
    • File upload/download
    • Arbitrary command execution
    • Pausing operations for predefined time intervals
  • Obfuscation: Multi-stage encoded payloads complicate detection and analysis.

Attack Vectors

PondRAT spreads through malicious Python packages. When a developer installs one of them, the package retrieves a second-stage payload from a command-and-control server, giving the attackers remote control of the host. Because developer machines build and ship software, a single infection can propagate through the supply chain, affecting not only the developer but also the vendors and customers whose networks trust that software.

Indicators of Compromise (IoCs)

  • Domain Names (defanged):
    • jdkgradle[.]com
    • rebelthumb[.]net
  • URLs (defanged):
    • hxxp://www[.]talesseries[.]com/write[.]php
    • hxxp://rgedist[.]com/sfxl[.]php
  • MD5 Hashes:
    • 33c9a47debdb07824c6c51e13740bdfe
    • b62c912de846e743effdf7e5654a7605
    • f50c83a4147b86cdb20cc1fbae458865
    • 61d7b2c7814971e5323ec67b3a3d7f45
    • 05957d98a75c04597649295dc846682d
    • ce35c935dcc9d55b2c79945bac77dc8e
    • 6f2f61783a4a59449db4ba37211fa331
    • 4c66950d791ff5d39d53ffcd0b52a64d
  • SHA-256 Hashes:
    • 973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c
    • 0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7
    • 3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e
    • bce1eb513aaac344b5b8f7a9ba9c9e36fc89926d327ee5cc095fb4a895a12f80
    • bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b
    • cbf4cfa2d3c3fb04fe349161e051a8cf9b6a29f8af0c3d93db953e5b5dc39c86
    • f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703
    • 5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456
  • SHA-1 Hashes:
    • 7b6e6487b803bbe85d7466b89da51a269fa4fc29
    • 8027c1d1ac0fd7d40ee850119c6d4501fbe75eab
    • 8a030a03570134cee4659b1b1f666f6f48c27fa5
    • 7637ee2925c88110fc15a77c120bf70dc66e84a7
    • 676537b0f7707feae0130bbcbdc881f5b4eb3f03
    • 720e6abf3befb585164450325246fe9cb000268f
    • 6f391d282a37b770abcedd08c4c0e2156076cd8e
    • dd5bb0609b92163d8834a37a517885ce0b512938

Mitigation and Prevention

  1. Strict Package Vetting: Screen every third-party package before it enters a development environment, and review newly published or little-used packages with particular care.
  2. Private Repositories: Serve vetted packages from a private repository so developers do not install directly from public indexes.
  3. Endpoint Monitoring: Deploy EDR tooling that can flag unusual Python package installations and the suspicious outbound network activity that follows them.
  4. Network Segmentation: Keep development environments isolated from production so that a compromised developer host cannot reach production systems directly.
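The following script, added here as an illustration and not taken from the advisory or any of its sources, shows how a defender could apply the IoC list above and mitigation items 1 and 3 on a developer host: it checks the interpreter's installed distributions against the four package names the advisory reports, and hashes files under a caller-supplied directory against the advisory's SHA-256 indicators. The package names and hashes are copied from the advisory; the function names, the PEP 503 name normalisation and the command-line handling are this example's own choices, and it assumes Python 3.8 or later on Linux or macOS.

```python
"""Check a developer host for the PondRAT indicators listed in the advisory.

Added example, not code from the advisory or its sources.  The package
names and SHA-256 hashes below are copied from the advisory; everything
else (function names, normalisation, CLI handling) is illustrative.
Assumes Python 3.8+ on a POSIX host.
"""
import hashlib
import os
import re
from importlib import metadata
from typing import Dict, Iterable, List, Set

# Package names the advisory lists as poisoned on PyPI (Key Details section).
MALICIOUS_PACKAGES: Set[str] = {"real-ids", "coloredtxt", "beautifultext", "minisound"}

# SHA-256 indicators copied from the advisory's IoC section.
MALICIOUS_SHA256: Set[str] = {
    "973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c",
    "0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7",
    "3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e",
    "bce1eb513aaac344b5b8f7a9ba9c9e36fc89926d327ee5cc095fb4a895a12f80",
    "bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b",
    "cbf4cfa2d3c3fb04fe349161e051a8cf9b6a29f8af0c3d93db953e5b5dc39c86",
    "f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703",
    "5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456",
}


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Real_IDs' and 'real-ids' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_malicious_packages(installed: Iterable[str]) -> List[str]:
    """Return the installed distribution names that match the advisory's package list."""
    wanted = {normalize(n) for n in MALICIOUS_PACKAGES}
    return sorted({n for n in installed if normalize(n) in wanted})


def installed_distribution_names() -> List[str]:
    """Names of every distribution visible to this interpreter (active venv or site-packages)."""
    names: List[str] = []
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            names.append(name)
    return names


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str) -> Dict[str, str]:
    """Map path -> sha256 for every regular file under root whose hash is a listed IoC."""
    hits: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets and devices
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if digest in MALICIOUS_SHA256:
                hits[path] = digest
    return hits


if __name__ == "__main__":
    import sys

    # Default to the user's home directory, where pip caches and venvs usually live.
    roots = sys.argv[1:] or [os.path.expanduser("~")]
    for pkg in find_malicious_packages(installed_distribution_names()):
        print(f"[!] malicious package installed: {pkg}")
    for root in roots:
        for path, digest in scan_tree(root).items():
            print(f"[!] IoC hash match: {path} {digest}")
```

Run it from inside each virtual environment you want checked, since `importlib.metadata` only sees the distributions visible to the interpreter that executes it. A clean result is not proof of absence: the hash list covers the samples the advisory reports, and a rebuilt payload will not match, so the package-name check and EDR telemetry remain the more durable controls.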

Conclusion

PondRAT presents a significant risk to the software supply chain. By targeting developer environments, Gleaming Pisces can potentially compromise entire networks, including those of supply chain vendors and customers. Strict vetting of open-source software and maintaining best security practices will reduce the risk of such attacks.


Podcast Discussion

(Audio episode: "PondRAT Malware Targets Linux and macOS Python Developers in New Attack", duration 703.76 s)

Sources:

  1. Unit42, Palo Alto Networks: Gleaming Pisces and PondRAT
  2. The Hacker News: North Korean APT Targets Developers with PondRAT
  3. Security Affairs: PondRAT via Poisoned Python Packages
  4. Rewterz: Software Developers Targeted by PondRAT Malware
  5. OWASP (Mentioned in Podcast): Explore Web Application Cyber Security with OWASP