Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors

    Date: 09/19/2024

    Severity: Medium

    Summary

    The "Gleaming Pisces Poisoned Python Packages" campaign involves attackers distributing malicious Python packages that deliver a backdoor called PondRAT to Linux and macOS systems. These packages are designed to look legitimate, tricking users into downloading them. Once installed, PondRAT allows attackers to remotely control the infected systems, compromising security and potentially stealing sensitive information. This highlights the importance of verifying software sources and being cautious with package installations.

    Indicators of Compromise (IOC) List

    URL/Domain

    rebelthumb.net

    jdkgradle.com

    Hash

    5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456

    f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703

    973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c

    0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7

    cbf4cfa2d3c3fb04fe349161e051a8cf9b6a29f8af0c3d93db953e5b5dc39c86

    bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b

    bce1eb513aaac344b5b8f7a9ba9c9e36fc89926d327ee5cc095fb4a895a12f80

    3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname like "rebelthumb.net" or url like "rebelthumb.net" or userdomainname like "jdkgradle.com" or url like "jdkgradle.com"

    Hash

    sha256hash IN ("5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456","f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703","973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c","0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7","cbf4cfa2d3c3fb04fe349161e051a8cf9b6a29f8af0c3d93db953e5b5dc39c86","bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b","bce1eb513aaac344b5b8f7a9ba9c9e36fc89926d327ee5cc095fb4a895a12f80","3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e")
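    The two TDIR queries above express the same check in two different ways: a domain match against network fields and an exact hash match against file events. The script below is an added example (not Gurucul's TDIR product and not code from the Unit 42 report) that applies the advisory's IOC list to constructed JSON-lines log records using the query's own field names (userdomainname, url, sha256hash) as an assumption about the log schema. It goes slightly beyond the query text: domains are matched on the parsed hostname (exact or subdomain), so a full URL such as https://jdkgradle.com/path matches while an unrelated name that merely contains the string does not, and the hash check is case-insensitive.

```python
"""Match proxy/DNS and file-hash events against the PondRAT IOC list.

Added example for this advisory; the log format and field names are assumed,
and the sample records below are constructed, not real telemetry.
"""
import json
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# IOC values exactly as listed in the advisory.
IOC_DOMAINS = {"rebelthumb.net", "jdkgradle.com"}
IOC_SHA256 = {
    "5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456",
    "f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703",
    "973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c",
    "0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7",
    "cbf4cfa2d3c3fb04fe349161e051a8cf9b6a29f8af0c3d93db953e5b5dc39c86",
    "bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b",
    "bce1eb513aaac344b5b8f7a9ba9c9e36fc89926d327ee5cc095fb4a895a12f80",
    "3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e",
}


def hostname_matches(host: str) -> bool:
    """True if host is an IOC domain or one of its subdomains (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def url_matches(url: str) -> bool:
    """Extract the hostname from a URL (with or without scheme) and check it."""
    host = urlsplit(url).hostname
    if host is None and "://" not in url:
        # Bare "host/path" form: prepend // so urlsplit treats it as a netloc.
        host = urlsplit("//" + url).hostname
    return bool(host) and hostname_matches(host)


def scan_record(rec: Dict[str, str]) -> List[str]:
    """Return the list of IOC hits in one parsed log record (empty if clean)."""
    hits: List[str] = []
    dom = rec.get("userdomainname")
    if dom and hostname_matches(dom):
        hits.append(f"userdomainname={dom}")
    url = rec.get("url")
    if url and url_matches(url):
        hits.append(f"url={url}")
    digest = rec.get("sha256hash")
    if digest and digest.lower() in IOC_SHA256:
        hits.append(f"sha256hash={digest}")
    return hits


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Scan JSON-lines input; skip blank or non-JSON lines; return alerts."""
    alerts: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: ignore rather than abort the scan
        hits = scan_record(rec)
        if hits:
            alerts.append({"line": lineno, "host": rec.get("host", "?"), "hits": hits})
    return alerts


# Constructed sample log: two IOC domain hits, one IOC hash hit, one benign
# download, one benign hash (SHA-256 of the empty string), one junk line.
SAMPLE_LOG = """
{"ts":"2024-09-20T10:01:03Z","host":"dev-mac-07","url":"https://jdkgradle.com/update/pkg.tar.gz"}
{"ts":"2024-09-20T10:01:09Z","host":"dev-mac-07","url":"https://pypi.org/simple/requests/"}
{"ts":"2024-09-20T10:02:41Z","host":"build-lnx-02","userdomainname":"cdn.rebelthumb.net"}
{"ts":"2024-09-20T10:03:15Z","host":"build-lnx-02","sha256hash":"973F7939EA03FD2C9663DAFC21BB968F56ED1B9A56B0284ACF73C3EE141C053C"}
{"ts":"2024-09-20T10:03:16Z","host":"build-lnx-02","sha256hash":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
not json at all
"""

if __name__ == "__main__":
    print(json.dumps(scan_log(SAMPLE_LOG.splitlines()), indent=2))
```

    Feed real JSON-lines exports through scan_log to triage hosts that touched the listed infrastructure or wrote a listed binary; a hit on either domain field is worth a full file-hash sweep of that host, since the report describes the domains as part of the delivery and control path for the backdoor.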

    Reference: 

    https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/


    Tags

    Malware, RAT, Backdoor

