Software developers targeted by malware hidden in Python packages

Lazarus is back with more fake job scams

TechRadar

News By Sead Fadilpašić published 24 September 2024


Python developers working on Mac devices are being targeted by North Korean hackers once again, experts have warned.

A report from cybersecurity researchers Unit 42 has claimed the attacks are, at least to some extent, part of the so-called Operation Dream Job, run by Lazarus Group, an infamous hacking collective on North Korea’s payroll. It revolves around creating fake job ads and luring software developers to apply. During the hiring process, the crooks would trick the devs into downloading and running malicious packages, thus granting the attackers access to important resources.

In this instance, the criminals were observed uploading weaponized Python packages to PyPI, one of the world’s most popular Python package repositories.

PondRAT

So far, the researchers identified four packages, which were subsequently reported and removed from the platform:

real-ids (893 downloads)
coloredtxt (381 downloads)
beautifultext (736 downloads)
minisound (416 downloads)
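To check whether an environment ever pulled in one of the four package names listed above, here is an added example (not from the article or from Unit 42) that scans requirements.txt or pip freeze lines and applies PyPI's name normalization, so spelling variants such as Real_IDS are still matched; the sample requirements are constructed.

```python
import re

# Package names reported by Unit 42 and listed in the article above.
REPORTED_PACKAGES = {"real-ids", "coloredtxt", "beautifultext", "minisound"}


def normalize_name(name: str) -> str:
    """Normalize a distribution name the way PyPI does (PEP 503):
    lowercase, with runs of '-', '_' or '.' collapsed to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Captures the leading distribution name of a requirement line such as
# "Real_IDS==1.0", "coloredtxt[extra]>=0.1" or "minisound ; python_version>'3'"
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def find_reported_packages(requirement_lines):
    """Return (line_number, normalized_name, original_line) for every
    requirement line that names one of the reported packages.
    Accepts requirements.txt or `pip freeze` lines; comments, blank lines
    and pip options (-r, --index-url, ...) are skipped."""
    hits = []
    for lineno, raw in enumerate(requirement_lines, start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("-"):  # blank line or pip option
            continue
        m = _REQ_NAME.match(line)
        if not m:                              # e.g. "./local-path" entries
            continue
        name = normalize_name(m.group(1))
        if name in REPORTED_PACKAGES:
            hits.append((lineno, name, raw.rstrip()))
    return hits


# Constructed sample input (not from the article): mixed-case and
# underscore spellings must still be caught after normalization.
SAMPLE_REQUIREMENTS = """\
# pinned dependencies
requests==2.32.3
Real_IDS==0.1.0
coloredtxt[cli]>=1.0  # pulled in for terminal colours
-r extra.txt
beautifulsoup4==4.12.3
minisound ; python_version >= "3.8"
""".splitlines()

if __name__ == "__main__":
    for lineno, name, line in find_reported_packages(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {name!r} from {line!r}")
```

Run it against `pip freeze` output from each developer machine and CI image; a match only says the name was installed, so the actual package source still needs to be checked.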

These packages were allegedly holding a piece of malware called PondRAT. This remote access trojan is a stripped-down version of POOLRAT (also known as SIMPLESEA), a known macOS backdoor that Lazarus was observed deploying in the past.

PondRAT can’t do everything POOLRAT can, but it can still upload and download files, run arbitrary commands, and pause its own activity for a set period of time.
