Poolrat

Malware updated a month ago (2024-10-17T13:02:30.105Z)
POOLRAT is malware first reported by the Cybersecurity and Infrastructure Security Agency (CISA) in 2021. It primarily targets macOS and Linux systems and functions as a backdoor used to gain unauthorized access. The malware was initially identified as a file named 'prtspool', suspected to be the final payload in an AppleJeus attack. POOLRAT shares numerous characteristics with a known North Korean backdoor, PoolRat, spotted by Mandiant in a 2023 supply chain attack against 3CX. The backdoor is attributed to the North Korea-linked threat actor Gleaming Pisces, also known as Citrine Sleet, which previously distributed the macOS remote administration tool POOLRAT, aka SIMPLESEA. In 2023, during the supply chain attack on 3CX, the attackers compromised the macOS build server using a POOLRAT backdoor that relied on LaunchDaemons for persistent access. Analysis of this malware family revealed that the Linux and macOS versions use an identical function structure for loading their configurations, including similar method names and functionality. Another variant, PondRAT, has a command handler with similarities to POOLRAT, leading researchers to label it a lighter version of POOLRAT. Prevention and detection alerts have been implemented for each of these malware types, including POOLRAT and PondRAT, and multiple products in the Palo Alto Networks portfolio leverage Advanced WildFire to provide coverage against both variants and other threats. Despite the severity of the threat these malware families pose, their authors have focused exclusively on macOS and Linux systems, bypassing Windows entirely, which suggests a strategic shift toward specific operating system platforms.
Description last updated: 2024-10-17T12:18:25.007Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias | Description | Votes
AppleJeus | AppleJeus is a possible alias for Poolrat. AppleJeus is a malware attributed with medium confidence to the North Korea-linked APT group "Gleaming Pisces," also known as Citrine Sleet, by researchers at Palo Alto's Unit 42. The group has been notorious for distributing versions of AppleJeus malware disguised as legitimate cryptocurrency tradi | 2
Simplesea | Simplesea is a possible alias for Poolrat. Simplesea, a harmful malware program, is attributed to the North Korea-linked threat actor known as Gleaming Pisces or Citrine Sleet. This malicious software is designed to exploit and damage computer systems, potentially leading to theft of personal information, disruption of operations, or even ho | 2
Pondrat | Pondrat is a possible alias for Poolrat. PondRAT is a type of malware, specifically a Remote Access Trojan (RAT) variant, that targets Linux and macOS systems. It was first identified in 2021 as part of a cryptocurrency-themed Kupay Wallet macOS malware package during an AppleJeus campaign, according to a report by the Cybersecurity & Infr | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Macos
Backdoor
Malware
Linux
Windows
Implant
Tool
Associated Threat Actors
Alias | Description | Association Type | Votes
Gleaming Pisces | The Gleaming Pisces Threat Actor is associated with Poolrat. Gleaming Pisces, also known as Citrine Sleet, is a threat actor group linked to North Korea that has been active since at least 2018. This group is known for its sophisticated attacks against the cryptocurrency industry and has shown an affinity for targeting MacOS and Linux systems, forgoing the tr | has used | 3
Citrine Sleet | The Citrine Sleet Threat Actor is associated with Poolrat. Citrine Sleet, also known as Gleaming Pisces, is a financially motivated threat actor associated with North Korea that has been active since at least 2018. The group is renowned for distributing the AppleJeus malware, targeting cryptocurrency traders. They have previously been linked to various cybe | Unspecified | 2