Software Developers Targeted by Malware Hidden in Python Packages
Experts warn that Python developers working on Mac devices have again been targeted by North Korean hackers.
A report from cybersecurity researchers Unit 42 claims that the attacks are, at least to some extent, part of the so-called Operation Dream Job, run by the Lazarus Group, a notorious hacking collective on the payroll of North Korea. It involves creating fake job advertisements and luring software developers into applying for jobs. During the application process, the attackers would trick the developers into downloading and executing malicious packages, giving the attackers access to key resources.
In this case, the criminals were caught uploading Python packages to PyPI, one of the most popular Python package repositories in the world.
PondRAT
So far, researchers have identified four packages, which have subsequently been reported and removed from the platform:
real-ids (893 downloads)
coloredtxt (381 downloads)
beautifultext (736 downloads)
minisound (416 downloads)
These packages are said to contain a piece of malware called PondRAT. This remote access trojan is a stripped-down version of POOLRAT (also known as SIMPLESEA), a known macOS backdoor that Lazarus has deployed in the past.
PondRAT cannot do everything POOLRAT can, but it can still upload and download files, execute arbitrary commands, and pause its own activity for a set period.
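One practical response for a development team is to check requirement files and installed environments for the package names that were reported and removed. The script below is an added example written for this article, not code from the original page or from Unit 42; the package names are the four the article lists, the requirements lines are constructed sample input, and the `find_flagged` and `find_flagged_installed` function names are this example's own. Names are normalised the way PyPI compares them (PEP 503: lowercase, with runs of `-`, `_` and `.` collapsed to `-`), so `Real_IDS` and `real-ids` are treated as the same distribution. A name list like this only catches these specific packages; a successor uploaded under a new name needs the usual review of any third-party dependency before it is installed.

```python
"""Audit dependency lists for PyPI package names reported as carrying PondRAT.

Added example, not part of the original article or the Unit 42 report.
The flagged names come from the article; SAMPLE_REQUIREMENTS is constructed.
"""
import re
from importlib import metadata

# Package names reported by Unit 42 and removed from PyPI (from the article).
PONDRAT_PACKAGES = {"real-ids", "coloredtxt", "beautifultext", "minisound"}

# A requirement line starts with the distribution name; extras, version
# specifiers and "@ url" forms follow it.
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """Normalise a distribution name as PyPI does (PEP 503)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line: str):
    """Return the distribution name on a requirements.txt line, or None
    for blank lines, comments and pip options such as '-r other.txt'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    match = _NAME_RE.match(line)
    return match.group(1) if match else None


def find_flagged(lines, flagged=PONDRAT_PACKAGES):
    """Return [(line_number, name_as_written)] for every requirement whose
    normalised name is in the flagged set."""
    bad = {normalize(n) for n in flagged}
    hits = []
    for lineno, line in enumerate(lines, 1):
        name = requirement_name(line)
        if name and normalize(name) in bad:
            hits.append((lineno, name))
    return hits


def find_flagged_installed(flagged=PONDRAT_PACKAGES):
    """Return the sorted names of flagged distributions installed in the
    current Python environment (empty list when none are present)."""
    bad = {normalize(n) for n in flagged}
    found = set()
    for dist in metadata.distributions():
        name = dist.metadata["Name"] or ""
        if name and normalize(name) in bad:
            found.add(name)
    return sorted(found)


# Constructed sample requirements.txt content; the names are deliberately
# written in mixed case and with an underscore to exercise normalisation.
SAMPLE_REQUIREMENTS = [
    "# constructed sample requirements.txt",
    "requests>=2.31",
    "Real_IDS==0.1.2   # same distribution as real-ids after normalisation",
    "coloredtxt",
    "numpy",
    "beautifultext[extra]>=1.0",
    "-r other.txt",
    "minisound @ https://example.invalid/minisound.tar.gz",
]


if __name__ == "__main__":
    for lineno, name in find_flagged(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: flagged package {name!r}")
    installed = find_flagged_installed()
    print("flagged packages installed here:", installed or "none")
```

Run it against a real file with `find_flagged(open("requirements.txt").read().splitlines())`; `find_flagged_installed()` covers packages that were pulled in transitively and never appear in a requirements file.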
“Evidence from additional Linux variants of POOLRAT showed that Gleaming Pisces has improved its capabilities on both Linux and macOS platforms,” Unit 42 said. Gleaming Pisces is a subset of Lazarus, according to Unit 42.
“The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organizations. Successful installation of malicious third-party packages can result in a malware infection that compromises an entire network.”
Lazarus spent months creating fake job ads in an attempt to compromise developers working at high-profile organizations and was also seen trying to get hired at these companies.
Via The Hacker News