Researchers from Unit 42 have uncovered a new malicious campaign orchestrated by the North Korean group known as Gleaming Pisces, targeting Linux and macOS systems with malicious Python packages. The attackers distributed the poisoned packages through the popular PyPI repository, introducing the backdoor PondRAT, a lightweight variant of the previously documented POOLRAT.
The attack begins with the installation of malicious packages such as real-ids, coloredtxt, beautifultext, and minisound from PyPI. Upon installation, these packages execute code that fetches and launches PondRAT, giving the attackers remote control of the host. The backdoor can upload and download files, execute arbitrary commands, and pause its activity for an attacker-specified interval.
Because the campaign targets both Linux and macOS, its cross-platform reach makes it a significant threat. Although PondRAT is less fully featured than POOLRAT, it retains enough capability for data theft and further intrusion into the network. Analysis of its command handling reveals striking similarities to POOLRAT, letting the attackers manage infected systems with the same tooling.
Gleaming Pisces, a group linked to North Korea's Reconnaissance General Bureau, has previously attacked the cryptocurrency sector by spreading malware disguised as trading applications. This latest campaign, built on Python packages, highlights the group's adaptability and the expansion of its attack techniques.
Unit 42 researchers have identified overlaps between the PondRAT code and malware used in earlier Gleaming Pisces attacks. The shared functions, code structure, and encryption keys point to the same developers and to another attempt to compromise software supply chains.
Although the infected PyPI packages have been removed, the threat persists: the same technique can be repeated under new package names. Organizations are advised to vet the packages they install, review their code (in particular anything executed at install time), pin dependencies to known hashes, and monitor runtime behaviour to mitigate such attacks.
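The vetting step above can be partly automated. The following is an added example written for this article, not Unit 42's tooling or code from any of the packages named: it statically scans a package's setup.py for the pattern used here (a custom setuptools install command whose run() executes at `pip install` time, plus calls such as subprocess or base64 decoding that a text-formatting library has no reason to make) and checks a downloaded archive against a pinned SHA-256. The two setup.py samples are constructed to mimic the pattern and are only parsed, never executed; the package name and hash are placeholders.

```python
"""Pre-install vetting of a PyPI sdist: static scan of setup.py for install-time
execution hooks, plus a hash-pin check.  Added example; not Unit 42's tooling."""
from __future__ import annotations

import ast
import hashlib
from dataclasses import dataclass

# setuptools command classes whose run() fires during `pip install`.
INSTALL_COMMANDS = {"install", "develop", "egg_info", "build_py"}

# Callables with no legitimate business in a small library's setup.py.
# A prefix match ("subprocess") covers every attribute under it ("subprocess.Popen").
SUSPICIOUS_CALLS = (
    "exec", "eval", "compile",
    "subprocess", "os.system", "os.popen",
    "urllib", "requests", "socket", "ctypes",
    "base64.b64decode",
)


@dataclass(frozen=True)
class Finding:
    line: int
    reason: str


def _dotted_name(node: ast.AST) -> str | None:
    """Turn an Attribute chain ending in a Name (`a.b.c`) into "a.b.c"."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source: str) -> list[Finding]:
    """Return findings for install-time hooks and suspicious calls in setup.py."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            # Subclassing a setuptools command hands the attacker code execution on install.
            for base in node.bases:
                base_name = (_dotted_name(base) or "").rsplit(".", 1)[-1]
                if base_name in INSTALL_COMMANDS:
                    findings.append(Finding(
                        node.lineno,
                        f"class {node.name} overrides setuptools command '{base_name}' (runs at install time)",
                    ))
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name is None:
                continue
            # setup(cmdclass=...) is how the override is wired in.
            if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append(Finding(node.lineno, "setup() registers custom cmdclass"))
            for sus in SUSPICIOUS_CALLS:
                if name == sus or name.startswith(sus + "."):
                    findings.append(Finding(node.lineno, f"suspicious call {name}()"))
                    break
    return findings


def verify_sdist_hash(data: bytes, expected_sha256: str) -> bool:
    """Compare a downloaded archive to the hash pinned in a reviewed requirements file."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


# Constructed sample mimicking the install-hook pattern; not any real package's code.
MALICIOUS_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import base64, subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        cmd = base64.b64decode("cGxhY2Vob2xkZXI=")
        subprocess.Popen(["/bin/sh", "-c", cmd])

setup(name="example-pkg", version="0.1", cmdclass={"install": PostInstall})
'''

# Constructed benign sample: plain metadata, no install-time code.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="example-pkg", version="0.1", packages=["example_pkg"])
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, [f"line {f.line}: {f.reason}" for f in scan_setup_py(src)])
```

Run it against the setup.py extracted from an sdist before installing; a clean scan is not proof of safety (the hook may live in a wheel's `__init__.py` or be obfuscated), so treat it as a triage gate ahead of manual review and a `--require-hashes` install.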