Experts have warned that Python developers using Mac devices are facing a new wave of attacks from North Korean hackers. According to cybersecurity researchers from Unit 42, these attacks are linked to the Lazarus Group, a notorious collective backed by the North Korean government. This hacking campaign forms part of the larger “Operation Dream Job,” in which cybercriminals deceive software developers through fake job offers.
The Lazarus Group’s deceptive strategy
Hackers create fake job advertisements to lure developers into applying for nonexistent positions. The developers are tricked into downloading malicious software disguised as legitimate packages as part of the hiring process. Once installed, these packages allow the attackers to access sensitive resources within the developers’ systems. This latest attack involves using Python packages uploaded to PyPI, one of the most popular repositories for Python programming.
Unit 42 researchers have identified and flagged several malicious Python packages that have already been removed from PyPI. These packages, however, were downloaded hundreds of times before being detected. The packages identified in the attack include:
- real-ids: 893 downloads
- coloredtxt: 381 downloads
- beautifultext: 736 downloads
- minisound: 416 downloads
These seemingly harmless packages hid a remote access trojan (RAT) named PondRAT. PondRAT is a simplified version of POOLRAT, a known macOS backdoor that the Lazarus Group has used in previous operations.
PondRAT’s capabilities
While PondRAT doesn’t have all the advanced features of POOLRAT, it is still dangerous. It can upload and download files, run commands, and temporarily deactivate to avoid detection. Though less sophisticated, its ability to carry out essential tasks allows hackers to gather information and disrupt operations.
Unit 42 also uncovered that the Lazarus Group, or one of its sub-groups known as Gleaming Pisces, has been improving the malware’s capabilities across different operating systems, including Linux. This means that both Linux and macOS users are at risk from these attacks.
“The evidence of additional Linux variants of POOLRAT showed that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms,” Unit 42 explained. “The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organisations.”
A growing threat to developers
Lazarus Group’s efforts to infiltrate high-profile organisations by targeting developers have intensified recently. The hackers have even attempted to gain employment within these organisations alongside their fake job ads. Their strategy revolves around compromising developers’ systems, which could lead to widespread network infections if left unchecked.
Organisations are urged to remain vigilant and only download packages from trusted sources. The consequences of downloading third-party software that contains malware can be catastrophic, leading to compromised networks and stolen data.
The Lazarus Group’s continued efforts to target developers through deceptive job ads and malicious Python packages remind us of the ongoing threats in the cybersecurity landscape. Developers must remain cautious, verify the authenticity of software packages, and protect their systems from these sophisticated attacks.
