September 23, 2024
Severity
High
Analysis Summary
As part of an ongoing campaign, North Korean-affiliated threat actors have been seen deploying poisoned Python packages to spread a new piece of malware known as PondRAT.
New research indicates that PondRAT is a lightweight variant of POOLRAT, also known as SIMPLESEA. POOLRAT is a well-known macOS backdoor that was used in attacks linked to last year's 3CX supply chain compromise and has previously been attributed to the Lazarus Group. Some of these attacks are part of an ongoing campaign known as Operation Dream Job, in which potential victims are lured with attractive employment offers and tricked into downloading malware.
The campaign's attackers published several malicious Python packages to PyPI, the main public repository for open-source Python packages. The researchers attributed the activity with moderate confidence to the threat actor Gleaming Pisces. The broader security community also tracks this adversary under the aliases Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736; it is a sub-cluster of the Lazarus Group that is also suspected of distributing the AppleJeus malware.
As in earlier incidents, the ultimate objective of the attacks is believed to be access to supply chain vendors through their developers' endpoints, and from there access to the endpoints of those vendors' customers. The following malicious packages have since been removed from the PyPI repository:
- minisound (416 downloads)
- beautifultext (736 downloads)
- coloredtxt (381 downloads)
- real-ids (893 downloads)
Once downloaded and installed on a developer's machine, the packages run an encoded next stage. That stage retrieves the Linux and macOS builds of the RAT from a remote server and launches them, making the infection chain short and straightforward.
Further analysis of PondRAT showed that it shares characteristics with AppleJeus and POOLRAT, and that the same attacks also distribute new Linux variants of POOLRAT. The Linux and macOS builds of POOLRAT use the same function structure to load their configuration, with comparable method names and functionality, and there is a notable overlap in method names and strings between the two versions. Finally, the mechanism that receives commands from the command-and-control (C2) server is almost identical in both.
PondRAT is a more compact variant of POOLRAT that can upload and download files, sleep for a specified amount of time, and execute arbitrary commands. The appearance of additional Linux versions of POOLRAT shows that Gleaming Pisces continues to expand its tooling for Linux and macOS. Legitimate-looking Python packages that are weaponized and deployed across several operating systems pose a serious risk to organizations: a malicious third-party package, once successfully installed, can introduce malware into an entire network.
Impact
- Unauthorized Access
- Sensitive Data Theft
- Command Execution
Indicators of Compromise
Domain Name
- jdkgradle.com
- rebelthumb.net
URL
- http://www.talesseries.com/write.php
- http://rgedist.com/sfxl.php
MD5
SHA-256
SHA-1
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software promptly, and make timely patching a standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
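One way to carry out the IOC search recommended above against the package names and C2 hosts listed in this advisory, as an added example that is not part of the original advisory: it checks the current Python environment and a requirements file for the four malicious package names, and scans proxy log lines for the listed domains and URL hosts. The sample requirements text and log lines are constructed for illustration.

```python
"""Hunt for the PondRAT PyPI package names and C2 hosts listed in this advisory."""
import re
from importlib import metadata

# Package names from the advisory (since removed from PyPI).
MALICIOUS_PACKAGES = {"minisound", "beautifultext", "coloredtxt", "real-ids"}
# Domains and URL hosts from the advisory's IOC section.
C2_HOSTS = {"jdkgradle.com", "rebelthumb.net", "www.talesseries.com", "rgedist.com"}
HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)

def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Real_IDs' and 'real-ids' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

BAD = {normalize(p) for p in MALICIOUS_PACKAGES}

def find_installed(names=None) -> set:
    """Return malicious package names present in this Python environment."""
    if names is None:
        names = (d.metadata.get("Name") for d in metadata.distributions())
    return {normalize(n) for n in names if n} & BAD

def find_in_requirements(text: str) -> set:
    """Return malicious package names pinned in a requirements.txt body."""
    hits = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments
        if not line or line.startswith("-"):            # skip blanks and pip options
            continue
        name = re.split(r"[\s\[<>=!~;@]", line, 1)[0]  # strip extras and specifiers
        if normalize(name) in BAD:
            hits.add(normalize(name))
    return hits

def find_c2_in_log(lines) -> list:
    """Return (line_no, host) for proxy log lines whose URL host is a C2 IOC."""
    return [(no, h.lower()) for no, line in enumerate(lines, 1)
            for h in HOST_RE.findall(line) if h.lower() in C2_HOSTS]

# Constructed sample inputs (not from the advisory) to exercise the checks.
SAMPLE_REQUIREMENTS = "requests==2.31.0\ncoloredtxt>=1.0  # colours\nReal_IDs\n-r base.txt\n"
SAMPLE_PROXY_LOG = [
    "2024-09-23T10:01:02Z 10.0.0.5 GET http://www.talesseries.com/write.php 200",
    "2024-09-23T10:01:03Z 10.0.0.5 GET https://pypi.org/simple/requests/ 200",
    "2024-09-23T10:02:07Z 10.0.0.9 POST http://rgedist.com/sfxl.php 200",
]

if __name__ == "__main__":
    print("installed:", find_installed(), "| requirements:", find_in_requirements(SAMPLE_REQUIREMENTS))
    print("proxy hits:", find_c2_in_log(SAMPLE_PROXY_LOG))
```

Run it inside each developer virtual environment, not just the system interpreter, since the malicious packages would have been installed wherever `pip install` was run.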