Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors
Sept. 19, 2024, 8:01 a.m.
Description
Unit 42 researchers have uncovered an ongoing campaign involving poisoned Python packages that deliver Linux and macOS backdoors. The attackers, believed to be the North Korean-affiliated group Gleaming Pisces, uploaded malicious packages to PyPI. The campaign's objective appears to be gaining access to supply chain vendors and their customers. The malware, named PondRAT, shares similarities with POOLRAT, a known tool in Gleaming Pisces' arsenal. The infection chain involves several stages of encoded code execution, ultimately downloading and running the RAT. Similarities in code structure, function names, and encryption keys between PondRAT and previously attributed malware strengthen the connection to Gleaming Pisces. The research also revealed Linux variants of POOLRAT, expanding the group's cross-platform capabilities.
Date
Published: Sept. 19, 2024, 7:33 a.m.
Created: Sept. 19, 2024, 7:33 a.m.
Modified: Sept. 19, 2024, 8:01 a.m.
Indicators
Attack Patterns
AppleJeus - S0584
PondRAT
POOLRAT
Gleaming Pisces
T1059.006
T1588.002
T1059.004
T1071.001
T1543.001
T1204.002
T1573
T1105
T1102
T1036
T1140
T1132
T1027
T1059
CVE-2024-3094
CVE-2024-3400
Additional Information
Technology
Finance