Poolrat

Malware updated 23 days ago (2024-11-29T13:43:56.152Z)
Download STIX
Preview STIX
POOLRAT is a malicious software (malware) first reported by the Cybersecurity and Infrastructure Security Agency (CISA) in 2021. It primarily targets macOS and Linux systems, functioning as a backdoor to gain unauthorized access. The malware was initially identified as a file named 'prtspool', suspected to be the final payload in an AppleJeus attack. POOLRAT shares numerous characteristics with a known North Korean backdoor, PoolRat, spotted by Mandiant in a 2023 supply chain attack against 3CX. This backdoor is attributed to the North Korea-linked threat actor Gleaming Pisces, also known as Citrine Sleet, who previously distributed the macOS remote administration tool POOLRAT, aka SIMPLESEA. In 2023, the attackers compromised the macOS build server using a POOLRAT backdoor with LaunchDaemons for persistent access during a supply chain attack on 3CX. Analysis of this malware family revealed that the Linux and macOS versions use an identical function structure for loading their configurations, including similar method names and functionality. Another malware variant, PondRAT, has been found to have a command handler with similarities to POOLRAT, leading researchers to label it as a lighter version of POOLRAT. Prevention and detection alerts have been implemented for each type of malware, including POOLRAT and PondRAT. Multiple products in the Palo Alto Networks portfolio leverage Advanced WildFire to provide coverage against both these variants and other threats. Despite the severity of the threat posed by these malwares, it's worth noting that their authors have focused exclusively on macOS and Linux systems, bypassing Windows entirely. This suggests a strategic shift in targeting specific operating system platforms.
Description last updated: 2024-10-17T12:18:25.007Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
AppleJeus is a possible alias for Poolrat. AppleJeus is a malware attributed with medium confidence to the North Korea-linked APT group "Gleaming Pisces," also known as Citrine Sleet, by researchers at Palo Alto's Unit 42. The group has been notorious for distributing versions of AppleJeus malware disguised as legitimate cryptocurrency tradi
2
Simplesea is a possible alias for Poolrat. Simplesea, a harmful malware program, is attributed to the North Korea-linked threat actor known as Gleaming Pisces or Citrine Sleet. This malicious software is designed to exploit and damage computer systems, potentially leading to theft of personal information, disruption of operations, or even ho
2
Pondrat is a possible alias for Poolrat. PondRAT is a type of malware, specifically a Remote Access Trojan (RAT) variant, that targets Linux and macOS systems. It was first identified in 2021 as part of a cryptocurrency-themed Kupay Wallet macOS malware package during an AppleJeus campaign, according to a report by the Cybersecurity & Infr
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Macos
Backdoor
Malware
Linux
Windows
Implant
Tool
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Gleaming Pisces Threat Actor is associated with Poolrat. Gleaming Pisces, also known as Citrine Sleet, is a threat actor group linked to North Korea that has been active since at least 2018. This group is known for its sophisticated attacks against the cryptocurrency industry and has shown an affinity for targeting MacOS and Linux systems, forgoing the trhas used
3
The Citrine Sleet Threat Actor is associated with Poolrat. Citrine Sleet, also known as Gleaming Pisces, is a financially motivated threat actor associated with North Korea that has been active since at least 2018. The group is renowned for distributing the AppleJeus malware, targeting cryptocurrency traders. They have previously been linked to various cybeUnspecified
2
Source Document References
Information about the Poolrat Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more