Researchers have uncovered a new infiltration method aimed at developers.
Researchers at Unit 42 have discovered a new malware campaign orchestrated by the North Korean group Gleaming Pisces that targets Linux and macOS systems using malicious Python packages. The attackers distribute infected packages through the popular PyPI repository, injecting them with the PondRAT backdoor, a lightweight version of the previously known POOLRAT.
The attack begins by uploading malicious packages such as 'real-ids', 'coloredtxt', 'beautifultext', and 'minisound' to PyPI. When installed, these packages run commands that download PondRAT, giving the attackers full control over the device. The malware lets them download and upload files, execute commands, and even suspend the system.
Of particular danger is the cross-platform nature of the attack, which covers both Linux and macOS. PondRAT, despite its smaller functionality compared to POOLRAT, has enough power to steal data and disrupt the network. Analysis of the C2 infrastructure has shown that it is almost identical to POOLRAT, allowing attackers to manage infected systems with high efficiency.
This is not the first time that the Gleaming Pisces group, known for its ties to North Korea's intelligence bureau, has attracted the attention of specialists. Previously, it carried out attacks in the cryptocurrency sphere, distributing malware under the guise of trading programs. The current campaign using Python packages demonstrates its ability to adapt and expand attack methods.
Unit 42 researchers have identified similarities between the PondRAT code and malware used in previous Gleaming Pisces attacks. The same function names, common code structures, and matching encryption keys confirm that this is yet another attempt by the group to take over the software supply chain.
Despite the removal of infected packages from PyPI, the threat remains relevant. Organizations are encouraged to carefully review their packages, conduct regular code reviews, and monitor their execution in real time to minimize the risks of such attacks.
Source
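A pre-install review of the kind the article recommends, as an added example (not code from the article or from Unit 42): it parses a package's setup.py with the ast module and flags the two things that let a package run commands at install time, a custom cmdclass and command/network calls reachable during setup, and checks a requirements file against the package names the article reports. The call list and the sample setup.py are my own constructed assumptions, not the real packages.

```python
import ast
# Package names the article reports as used in the campaign.
REPORTED_NAMES = {"real-ids", "coloredtxt", "beautifultext", "minisound"}
# Assumption: these calls, if reachable while setup.py runs, warrant review.
SUSPICIOUS_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
                    "os.system", "os.popen", "urllib.request.urlopen", "exec"}

def _dotted_name(node: ast.AST) -> str:
    """Rebuild 'a.b.c' from an Attribute/Name chain, or '' if not simple."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(node.id)
    return ".".join(reversed(parts))

def audit_setup_py(source: str) -> list[str]:
    """Findings for one setup.py: cmdclass overrides and command/network calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # cmdclass={'install': ...} replaces pip's install step with arbitrary
        # Python, the usual place for code that runs at install time.
        if isinstance(node, ast.keyword) and node.arg == "cmdclass":
            findings.append("setup() overrides cmdclass (custom install step)")
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: call to {name}")
    return findings

def flag_reported_packages(requirements: str) -> list[str]:
    """Requirement names matching the article's reported package list."""
    names = []
    for line in requirements.splitlines():
        line = line.split("#")[0].strip()
        if line:
            names.append(line.split("==")[0].strip().lower())
    return [n for n in names if n in REPORTED_NAMES]

# Constructed sample setup.py showing the hook pattern (not the real package).
SAMPLE_SETUP = '''from setuptools import setup
from setuptools.command.install import install
import subprocess
class PostInstall(install):
    def run(self):
        subprocess.run(["echo", "post-install"])
        install.run(self)
setup(name="demo", cmdclass={"install": PostInstall})
'''
```

Run `audit_setup_py` over the sdist's setup.py before installing it; a clean build-backend package with no cmdclass and no command calls returns an empty list.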