Software developers targeted by malware hidden in Python packages
Lazarus is back with more fake job scams
Python developers working on Mac devices are once again being targeted by North Korean hackers, experts have warned.
A report from cybersecurity researchers Unit 42 has claimed the attacks are, at least to some extent, part of the so-called Operation Dream Job, run by Lazarus Group, an infamous hacking collective on North Korea’s payroll. It revolves around creating fake job ads and luring software developers to apply. During the hiring process, the crooks would trick the devs into downloading and running malicious packages, thus granting the attackers access to important resources.
In this instance, the criminals were observed uploading weaponized Python packages to PyPI, one of the world’s most popular Python package repositories.
PondRAT
So far, the researchers identified four packages, which were subsequently reported and removed from the platform:
- real-ids (893 downloads)
- coloredtxt (381 downloads)
- beautifultext (736 downloads)
- minisound (416 downloads)
These packages were allegedly holding a piece of malware called PondRAT. This remote access trojan is a stripped-down version of POOLRAT (also known as SIMPLESEA), a known macOS backdoor that Lazarus was observed deploying in the past.
PondRAT can't do everything POOLRAT can, but it can still upload and download files, run arbitrary commands, and go dormant for a period of time.
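A practical first check for a team that reads a report like this is to audit requirements files and the local environment for the reported package names. The script below is an added example, not code from the article or from Unit 42; the four names come from the article, and the name matching follows PEP 503 normalization (lowercase, runs of `-`, `_` and `.` collapsed to a single `-`), which is how pip and PyPI treat package names. The sample requirements text is constructed for the demonstration.

```python
import re
from importlib import metadata
from typing import Iterable, List, Optional, Set

# Package names reported by Unit 42 and since removed from PyPI (from the article).
KNOWN_MALICIOUS: Set[str] = {"real-ids", "coloredtxt", "beautifultext", "minisound"}

# A requirement line starts with the project name; version specifiers, extras
# and environment markers follow it.
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization, so 'Real_IDS' and 'real-ids' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line: str) -> Optional[str]:
    """Return the project name from one requirements.txt / pip freeze line.

    Comments, blank lines, pip options (-r, -e, --index-url, ...) and
    direct URL requirements are skipped.
    """
    stripped = line.split("#", 1)[0].strip()
    if not stripped or stripped.startswith("-") or "://" in stripped:
        return None
    match = _REQ_NAME.match(stripped)
    return match.group(1) if match else None


def find_flagged(lines: Iterable[str], blocklist: Set[str] = KNOWN_MALICIOUS) -> List[str]:
    """Names in `lines` whose normalized form is on the blocklist (as written in the file)."""
    normalized_block = {normalize(n) for n in blocklist}
    hits: List[str] = []
    for line in lines:
        name = requirement_name(line)
        if name and normalize(name) in normalized_block:
            hits.append(name)
    return hits


def installed_flagged(blocklist: Set[str] = KNOWN_MALICIOUS) -> List[str]:
    """Same check against the distributions installed in the running interpreter."""
    normalized_block = {normalize(n) for n in blocklist}
    return sorted(
        dist.metadata["Name"]
        for dist in metadata.distributions()
        if dist.metadata["Name"] and normalize(dist.metadata["Name"]) in normalized_block
    )


# Constructed sample input: two of the reported names under slightly different
# spellings, one near-miss that does NOT normalize to a reported name, and an
# editable URL requirement that the parser must skip.
SAMPLE_REQUIREMENTS = """\
# constructed requirements file for the example
requests==2.31.0
Real_IDS>=1.0          # normalizes to real-ids
minisound
-e git+https://example.invalid/repo.git#egg=something
colored-txt            # normalizes to colored-txt, not coloredtxt
"""


if __name__ == "__main__":
    print("flagged in requirements:", find_flagged(SAMPLE_REQUIREMENTS.splitlines()))
    print("flagged in this environment:", installed_flagged())
```

Note that the match is exact after normalization: `colored-txt` is deliberately not flagged, because a blocklist only catches what is on it. Treat this as a quick triage step, not a substitute for reviewing what a package actually does before installing it.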
"The evidence of additional Linux variants of POOLRAT showed that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms," Unit 42 said. Gleaming Pisces, Unit 42 claims, is a sub-group of Lazarus.
"The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organizations. Successful installation of malicious third-party packages can result in malware infection that compromises an entire network."
For months now, Lazarus has been creating fake job ads in an attempt to compromise developers working at high-profile organizations. Its operatives have also been seen trying to get hired by these firms themselves.
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.