Related Families: PondRAT, PoolRAT
Verticals Targeted: Software Development
Executive Summary
North Korea-nexus threat actor group Labyrinth Chollima was observed using poisoned Python packages to deliver PondRAT, a backdoor that targets macOS and Linux systems.
Key Takeaways
- North Korea-nexus threat actor group Labyrinth Chollima was observed using poisoned Python packages to deliver PondRAT, a backdoor that targets macOS and Linux systems.
- In this supply chain attack, the poisoned Python packages were uploaded to the PyPI open source repository.
- The threat actor group’s motivation was likely to obtain access to supply chain vendors via developer endpoints, and in turn gain access to the vendor’s customers’ endpoints.
What is PondRAT?
North Korea-nexus threat actor group Labyrinth Chollima was observed using poisoned Python packages to deliver Linux and macOS backdoors. Palo Alto Networks' Unit 42 recently reported on this activity.
In the ongoing campaign, Labyrinth Chollima used poisoned Python packages to deliver PondRAT. The packages were uploaded to the PyPI open source repository and use a multi-stage infection chain intended to evade detection: when a poisoned package is downloaded and installed on a developer's machine, it executes an encoded next stage that retrieves the payload from the C2 server and executes it.
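The install-time staging described above (a package that, when installed, decodes an embedded stage and hands control to it) is something a developer or a package-registry mirror can triage statically before the package ever runs. The script below is an added example, not PolySwarm's, Unit 42's or the threat actor's code: it walks the AST of a setup.py looking for setuptools install hooks, dynamic code execution, decode and network calls, and long well-formed base64 literals, then applies a simple verdict rule. Both setup.py samples embedded in it are constructed for illustration and are not taken from any real package; the name lists and the `MIN_BLOB_LEN` threshold are assumptions to tune for your own corpus.

```python
"""Static triage of a package's setup.py for install-time staging behaviour.

Added example, not PolySwarm's or Unit 42's tooling. Both setup.py samples
below are constructed for illustration and are not from any real package.
"""
import ast
import base64

# Full dotted names, grouped by what they let an install-time hook do (assumed list).
CATEGORIES = {
    "exec": "dynamic-exec", "eval": "dynamic-exec", "compile": "dynamic-exec",
    "base64.b64decode": "decode", "base64.b32decode": "decode",
    "bytes.fromhex": "decode", "zlib.decompress": "decode", "codecs.decode": "decode",
    "urllib.request.urlopen": "network", "urllib.request.urlretrieve": "network",
    "requests.get": "network", "requests.post": "network", "socket.socket": "network",
    "subprocess.run": "process", "subprocess.Popen": "process", "subprocess.call": "process",
    "subprocess.check_output": "process", "os.system": "process", "os.popen": "process",
}
# Distinctive bare names, so `from base64 import b64decode` is still caught.
BARE_NAMES = {"b64decode": "decode", "b32decode": "decode", "urlopen": "network",
              "urlretrieve": "network", "Popen": "process", "check_output": "process"}
# setuptools command classes that malicious packages subclass to run code on install.
INSTALL_COMMANDS = {"install", "develop", "egg_info", "build_py"}
MIN_BLOB_LEN = 32  # shortest base64 literal worth reporting; tune for your corpus

# Constructed sample: an install hook that decodes an embedded stage and exec()s it.
SAMPLE_SETUP_PY = r'''
import base64, os
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        stage = base64.b64decode("cHJpbnQoJ3N0YWdlIHR3byB3b3VsZCBydW4gaGVyZScp")
        exec(stage)

setup(name="demo-pkg", version="0.1", cmdclass={"install": PostInstall})
'''

# Constructed sample: a plain, declarative setup.py with no install-time logic.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="ok-pkg", version="1.0", packages=["ok_pkg"])
'''


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def looks_like_base64(s):
    """True if s is a well-formed base64 string long enough to carry code."""
    if len(s) < MIN_BLOB_LEN or len(s) % 4:
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def triage_setup_py(source):
    """Return sorted (lineno, category, detail) findings for one setup.py."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name is None:
                continue
            cat = CATEGORIES.get(name) or BARE_NAMES.get(name.rsplit(".", 1)[-1])
            if cat:
                findings.append((node.lineno, cat, name))
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                bn = dotted_name(base)
                if bn and bn.rsplit(".", 1)[-1] in INSTALL_COMMANDS:
                    findings.append((node.lineno, "install-hook", f"{node.name}({bn})"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if looks_like_base64(node.value):
                findings.append((node.lineno, "b64-blob", f"{len(node.value)}-char base64 literal"))
    return sorted(findings)


def is_suspicious(findings):
    """Verdict: code execution fed by a decoded or downloaded stage, a download
    piped into a process, or an install hook doing anything beyond plain setup()."""
    cats = {c for _, c, _ in findings}
    staged = bool(cats & {"decode", "b64-blob", "network"})
    return (("dynamic-exec" in cats and staged)
            or ("process" in cats and "network" in cats)
            or ("install-hook" in cats and len(cats) > 1))


if __name__ == "__main__":
    for finding in triage_setup_py(SAMPLE_SETUP_PY):
        print(finding)
    print("suspicious:", is_suspicious(triage_setup_py(SAMPLE_SETUP_PY)))
```

Run it against an unpacked sdist's setup.py (or a `setup.cfg`/`pyproject.toml`-driven package's build backend hooks, which need the same treatment) before installing. The AST approach is deliberately blind to string-obfuscated names such as `getattr(__import__("os"), "system")`, so treat a clean result as "nothing obvious", not as a pass; the base64 heuristic also misses stages that are hex- or XOR-encoded, which is why the decode and exec findings are scored together rather than individually.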
PondRAT is a backdoor that targets Linux and macOS systems. Unit 42 researchers also discovered a new Linux variant of PoolRAT (also tracked as SimpleSea), which had previously been observed only on macOS. The researchers assessed that PondRAT is a lighter version of PoolRAT. PondRAT is capable of uploading and downloading files, checking whether the implant is active, instructing the implant to sleep, and executing commands.
Unit 42 attributed this activity to Labyrinth Chollima based on similarities between PondRAT and macOS malware used in an earlier AppleJeus campaign. Multiple similarities point to a shared codebase, including overlapping code structures, identical function names and encryption keys, and similar execution flows. They also noted the similarities between PondRAT and PoolRAT. According to Unit 42, the threat actor group's motivation was likely to obtain access to supply chain vendors via developer endpoints, and in turn to use that foothold to reach the vendors' customers' endpoints.
Who is Labyrinth Chollima?
Labyrinth Chollima, also known as Gleaming Pisces, AppleJeus, Nickel Academy, Hidden Cobra, Citrine Sleet, and UNC4736, is a state-sponsored threat actor group likely affiliated with Bureau 121 of North Korea's Reconnaissance General Bureau. It is thought to be a sub-cluster of Lazarus Group and has been active since at least 2018. The group's members are reportedly trained in Shenyang, China, in malware development and espionage operations. Labyrinth Chollima is known for espionage activity, disruptive activity, and financially motivated attacks.
Last year, Labyrinth Chollima was observed weaponizing a backdoored UltraVNC client and using a trojanized version of the CyberLink app. Other malware families associated with Labyrinth Chollima include LightlessCan, KandyKorn, SugarLoader, and Hloader. In the past, the group has been observed engaging in supply chain attacks and attacks on cryptocurrency platforms.
IOCs
PolySwarm has multiple samples of PondRAT and PoolRAT.
PondRAT
0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7
3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e
bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b
You can use the following CLI command to search for all PondRAT samples in our portal:
$ polyswarm link list -f PondRAT
PoolRAT
5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456
f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703
You can use the following CLI command to search for all PoolRAT samples in our portal:
$ polyswarm link list -f PoolRAT
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.