Today > | 1 Medium vulnerabilities   -   You can now download lists of IOCs here!

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors

Sept. 19, 2024, 8:01 a.m.

Description

Unit 42 researchers have uncovered an ongoing campaign involving poisoned Python packages that deliver Linux and macOS backdoors. The attackers, believed to be the North Korean-affiliated group Gleaming Pisces, uploaded malicious packages to PyPI. The campaign's objective appears to be gaining access to supply chain vendors and their customers. The malware, named PondRAT, shares similarities with POOLRAT, a known tool in Gleaming Pisces' arsenal. The infection chain involves several stages of encoded code execution, ultimately downloading and running the RAT. Similarities in code structure, function names, and encryption keys between PondRAT and previously attributed malware strengthen the connection to Gleaming Pisces. The research also revealed Linux variants of POOLRAT, expanding the group's cross-platform capabilities.

Date

Published: Sept. 19, 2024, 7:33 a.m.

Created: Sept. 19, 2024, 7:33 a.m.

Modified: Sept. 19, 2024, 8:01 a.m.

Indicators

f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703

cbf4cfa2d3c3fb04fe349161e051a8cf9b6a29f8af0c3d93db953e5b5dc39c86

bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b

bce1eb513aaac344b5b8f7a9ba9c9e36fc89926d327ee5cc095fb4a895a12f80

91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd

5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8

5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456

3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e

0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7

973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c

www.talesseries.com

http://www.talesseries.com/write.php

http://rgedist.com/sfxl.php

rgedist.com

rebelthumb.net

jdkgradle.com

Attack Patterns

AppleJeus - S0584

PondRAT

POOLRAT

Gleaming Pisces

T1059.006

T1588.002

T1059.004

T1071.001

T1543.001

T1204.002

T1573

T1105

T1102

T1036

T1140

T1132

T1027

T1059

CVE-2024-3094

CVE-2024-3400

Additional Informations

Technology

Finance