Software developers targeted by malware hidden in Python packages

The Python banner logo on a computer screen running a code editor.
(Image credit: Shutterstock / Trismegist san)

Python developers working on Mac devices are being targeted by North Korean hackers once again, experts have warned.

A report from cybersecurity researchers Unit 42 has claimed the attacks are, at least to some extent, part of the so-called Operation Dream Job, run by Lazarus Group, an infamous hacking collective on North Korea’s payroll. It revolves around creating fake job ads and luring software developers to apply. During the hiring process, the crooks would trick the devs into downloading and running malicious packages, thus granting the attackers access to important resources.

In this instance, the criminals were observed uploading weaponized Python packages to PyPI, one of the world’s most popular Python package repositories.

PondRAT

So far, the researchers identified four packages, which were subsequently reported and removed from the platform:

real-ids (893 downloads)
coloredtxt (381 downloads)
beautifultext (736 downloads)
minisound (416 downloads)

These packages were allegedly holding a piece of malware called PondRAT. This remote access trojan is a stripped-down version of POOLRAT (also known as SIMPLESEA), a known macOS backdoor that Lazarus was observed deploying in the past.

PondRAT can't do everything POOLRAT can, but it can still upload and download files, run arbitrary commands, and even pause its activity for a while.

"The evidence of additional Linux variants of POOLRAT showed that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms," Unit 42 said. Gleaming Pisces, Unit 42 claims, is a sub-group of Lazarus.

"The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organizations. Successful installation of malicious third-party packages can result in malware infection that compromises an entire network."

For months now, Lazarus has been creating fake job ads, attempting to compromise developers working in high-profile organizations. It was also seen trying to get hired by these firms, too.

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.