Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Backdoors to Linux and macOS

Unit 42 researchers at Palo Alto Networks have uncovered a supply chain attack targeting Linux and macOS systems through poisoned Python packages. The ongoing campaign, attributed to the North Korean threat group Gleaming Pisces (also tracked as Citrine Sleet), distributes PondRAT, a newly identified remote administration tool (RAT), through malicious packages uploaded to PyPI, the public package index for open-source Python projects.

The attackers aim to compromise developer endpoints first, then pivot to the organizations and customers that depend on those developers' software. Researchers assess that the objective is access to supply chain vendors, a tactic the group has previously used against the cryptocurrency industry. Because PyPI is trusted by default by most Python tooling, any system that installed one of these packages is exposed.

Poisoned Python Packages and Malware Delivery

The attack begins when victims unknowingly download and install poisoned Python packages from PyPI. These packages include malicious code that ultimately installs the PondRAT backdoor on Linux and macOS systems. The campaign was tracked by analyzing several malicious Python packages, including:

  • real-ids (versions 0.0.3 - 0.0.5)
  • coloredtxt (version 0.0.2)
  • beautifultext (version 0.0.1)
  • minisound (version 0.0.2)

When one of these packages is installed, its install-time code runs a series of bash commands that download and execute the PondRAT binary, giving the attackers remote access to the host. PyPI administrators have since removed the packages, but removal from the index does not remediate systems that downloaded and ran them beforehand; those hosts should be treated as potentially compromised until checked.

The Connection to Gleaming Pisces (Citrine Sleet)

Gleaming Pisces, also known as Citrine Sleet, is a financially motivated North Korean APT group linked to the Reconnaissance General Bureau (RGB), the North Korean government's primary intelligence agency and the branch responsible for its cyber operations. The group is known for earlier supply chain attacks, including AppleJeus, a campaign that distributed trojanized cryptocurrency trading applications to compromise systems in the cryptocurrency industry.

The PondRAT malware shares significant code similarities with POOLRAT, another macOS RAT previously attributed to Gleaming Pisces and used in the AppleJeus campaign. This connection was established through overlapping code structures, encryption keys, and execution flows observed in both PondRAT and POOLRAT samples, further linking this campaign to the North Korean APT group.

Technical Analysis of PondRAT and POOLRAT

PondRAT and POOLRAT are remote administration tools (RATs) designed to give attackers control over compromised systems. Researchers identified both Linux and macOS variants of PondRAT, which they assess as a lighter version of POOLRAT. Both RATs have similar functionalities, allowing attackers to:

  • Upload and download files to and from compromised systems.
  • Execute commands remotely, with the option to retrieve or suppress output.
  • Check the implant’s status and control operational pauses (sleep commands).

PondRAT uses the libcurl library for its command-and-control (C2) communication. The researchers also identified shared command-handling structure between PondRAT and POOLRAT, including functions named FConnectProxy and AcceptRequest, which connect to the C2 server and process the commands it returns.

Campaign Attribution and Findings

Based on the code similarities, encryption keys, and C2 infrastructure observed in both PondRAT and POOLRAT, Unit 42 has attributed this poisoned Python packages campaign to Gleaming Pisces. Additionally, they discovered that the same C2 domains, such as jdkgradle[.]com and rebelthumb[.]net, were used to control both Linux and macOS variants of the RATs.

A distinguishing feature of this campaign is the use of legitimate-looking Python packages to deliver implants for more than one platform from a single distribution channel. Because the packages look like ordinary dependencies, such compromises can go unnoticed for long periods, giving the attackers time to move through an organization's network and exfiltrate sensitive data.

Previous Incidents: AppleJeus and Kupayupdate_stage2

The AppleJeus campaign, another notorious operation attributed to Gleaming Pisces, targeted the cryptocurrency industry through fake trading applications. Researchers noted that PondRAT shares many similarities with kupayupdate_stage2, a macOS RAT used in previous AppleJeus attack waves. Both RATs use identical encryption keys, code structures, and command execution flows.

This consistency across malware families further links the current Python package campaign to Gleaming Pisces and highlights the group's continued focus on attacking financial systems and supply chains.

Protections and Mitigations

Palo Alto Networks has implemented several protective measures to help organizations defend against PondRAT, POOLRAT, and similar threats. These include:

  1. Cortex XDR and XSIAM: These products help detect user and credential-based threats by analyzing activity across multiple data sources, such as endpoints, firewalls, and cloud workloads. Machine learning-based behavioral analytics can detect anomalies that might indicate compromised systems.
  2. Next-Generation Firewalls with Cloud-Delivered Security Services: Including Advanced WildFire detection, Advanced URL Filtering, and DNS Security, which block known C2 domains and prevent malicious communications from taking place.
  3. Threat Prevention Signatures: Palo Alto Networks' security services can block malware C2 traffic, helping to stop the spread of PondRAT and POOLRAT before they can exfiltrate sensitive information.

For organizations that suspect they may have been impacted, Palo Alto Networks’ Unit 42 Incident Response Team offers assistance with mitigating the effects of a breach and performing proactive assessments to reduce the risk of future attacks.

The PondRAT campaign exemplifies the growing threat of supply chain attacks that leverage trusted platforms like PyPI to spread malware. Gleaming Pisces, the North Korean APT group behind this campaign, has a history of launching highly sophisticated attacks against the cryptocurrency industry and other high-value targets.

Organizations that consume Python packages from public repositories such as PyPI must remain vigilant and ensure they have proper security measures in place. Keeping software up to date, auditing dependencies (including the code a package runs at install time), and using threat detection tools that watch endpoint behavior and outbound C2 traffic are essential steps in defending against this evolving threat.

Indicators of Compromise (IOCs):

  • PondRAT Linux Variant: 973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c
  • PondRAT macOS Variant: 0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7, bce1eb513aaac344b5b8f7a9ba9c9e36fc89926d327ee5cc095fb4a895a12f80
  • C2 Domains: jdkgradle[.]com, rebelthumb[.]net
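The IOCs above, together with the poisoned package names and versions listed earlier, are enough to build an offline sweep of a developer host. The following script is an added example written for this page; it is not Unit 42 or CommandLink code. It checks three things: installed package name/version pairs (as produced by `pip list --format json`) against the poisoned-package list, SHA-256 hashes of files against the PondRAT sample hashes, and DNS log lines against the C2 domains. The installed-package list and DNS log lines embedded in the script are constructed sample data, and the log format is an assumed generic key=value layout.

```python
"""Offline IOC sweep for the Gleaming Pisces / PondRAT campaign.

Added example for this page, not Unit 42 or CommandLink code. Package names,
versions, hashes and domains come from the page's IOC lists; the sample
installed-package list and DNS log lines below are constructed test data.
"""
import hashlib
import re
from pathlib import Path

# Poisoned package name -> affected versions (from the page).
POISONED_PACKAGES = {
    "real-ids": {"0.0.3", "0.0.4", "0.0.5"},
    "coloredtxt": {"0.0.2"},
    "beautifultext": {"0.0.1"},
    "minisound": {"0.0.2"},
}

# SHA-256 of PondRAT samples -> label (from the page's IOC list).
PONDRAT_SHA256 = {
    "973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c": "PondRAT Linux",
    "0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7": "PondRAT macOS",
    "bce1eb513aaac344b5b8f7a9ba9c9e36fc89926d327ee5cc095fb4a895a12f80": "PondRAT macOS",
}

C2_DOMAINS = {"jdkgradle.com", "rebelthumb.net"}

# Constructed sample input: what `pip list --format json` might yield.
SAMPLE_INSTALLED = [
    ("requests", "2.32.3"),
    ("Real_IDS", "0.0.4"),   # PEP 503 says this is the same name as real-ids
    ("minisound", "0.0.1"),  # version not in the affected range
]

# Constructed sample DNS log lines in an assumed key=value format.
SAMPLE_DNS_LOG = [
    "ts=2024-09-23T10:14:02Z host=dev-laptop-7 query=jdkgradle.com type=A",
    "ts=2024-09-23T10:14:05Z host=dev-laptop-7 query=pypi.org type=A",
    "ts=2024-09-23T10:15:11Z host=build-01 query=cdn.rebelthumb.net type=A",
    "ts=2024-09-23T10:16:40Z host=build-01 query=notrebelthumb.net type=A",
]


def normalize_name(name):
    """PEP 503 normalization: case-fold and collapse runs of -, _, . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_poisoned_packages(installed):
    """Return (name, version) pairs that match a poisoned package/version."""
    hits = []
    for name, version in installed:
        bad = POISONED_PACKAGES.get(normalize_name(name))
        if bad and version in bad:
            hits.append((name, version))
    return hits


def classify_sha256(hexdigest):
    """Return the IOC label for a SHA-256 hex digest, or None."""
    return PONDRAT_SHA256.get(hexdigest.lower())


def find_pondrat_files(paths):
    """Hash each regular file in paths; return {path: label} for IOC matches."""
    hits = {}
    for p in map(Path, paths):
        if not p.is_file():
            continue
        h = hashlib.sha256()
        with p.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        label = classify_sha256(h.hexdigest())
        if label:
            hits[str(p)] = label
    return hits


_HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_c2_domain(name):
    """True for an exact C2 domain or any subdomain of one (not lookalikes)."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def find_c2_dns_queries(log_lines):
    """Return the log lines containing a query for a C2 domain or subdomain."""
    return [line for line in log_lines
            if any(is_c2_domain(tok) for tok in _HOST_RE.findall(line))]


def run_sweep(installed, paths, log_lines):
    """Run all three checks and return a summary dict."""
    return {
        "packages": find_poisoned_packages(installed),
        "files": find_pondrat_files(paths),
        "dns": find_c2_dns_queries(log_lines),
    }


if __name__ == "__main__":
    # Hash nothing by default; pass real paths from a suspect host to check files.
    for key, value in run_sweep(SAMPLE_INSTALLED, [], SAMPLE_DNS_LOG).items():
        print(f"{key}: {value}")
```

Two details matter in practice: package names are compared after PEP 503 normalization, so `Real_IDS` and `real-ids` are treated as the same project, and domain matching accepts subdomains of a C2 domain but rejects lookalikes such as `notrebelthumb.net`. A clean result from this sweep only rules out the listed indicators; a host that installed one of the poisoned versions should still be rebuilt rather than declared clean on hash evidence alone.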