3rd Party Risk Management , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

North Korea Targets Software Supply Chain Via PyPI

Backdoored Python Packages Likely Work of 'Gleaming Pisces,' Says Palo Alto
North Korea Targets Software Supply Chain Via PyPI
A view across Pyongyang to the Monument to Party Founding in a December 2018 photo (Image: Shutterstock)

A North Korean hacking group with a history of a stealing cryptocurrency is likely behind a raft of poisoned Python packages targeting developers working on the Linux and macOS operating systems in an apparent attempt at a supply chain attack.

See Also: Tracking and Mitigating Emerging Threats in Third-Party Risk Management

Researchers at Palo Alto's Unit 42 attributed a campaign in which malware-laden Python code is uploaded to the PyPI open-source repository to the North Korea-linked APT group tracked as "Gleaming Pisces," with medium confidence.

Also known as Citrine Sleet, the group's fame comes from distributing a version of AppleJeus malware targeted at cryptocurrency traders.

The infection chain includes several Python packages that decode and execute encoded code. "After Python installed and loaded the malicious package, a malicious piece of code eventually ran several bash commands to download the RAT, modifying its permissions and executing it," the researchers said.

The North Korean hereditary Juche absolutist monarchy actively steals cryptocurrency to fund weapons of mass destruction development and inject hard currency into the highly sanctioned economy. Pyongyang AppleJeus hackers have targeted the software supply chain in the past - succeeding beyond expectations in 2023 when a flaw inserted into an obsolete trading software package led them to compromising a desktop phone application made by 3CX and used by multinational corporations including Toyota, Coca-Cola and Air France (see: North Korean Hackers Chained Supply Chain Hacks to Reach 3CX).

PyPI, a widely used repository of Python libraries, has been the repeated target of malicious users. Administrators in March halted new user registrations for a second time after threat actors flooded the repository with typosquatted versions of well-known packages to deceive developers (see: Malware Flood Causes PyPI to Temporarily Halt New Accounts).

"We assess that the threat actor's objective was to secure access to supply chain vendors through developers' endpoints and subsequently gain access to the vendors' customers' endpoints," the researchers said.

The malicious packages spotted by Palo Alto are no longer available on PyPI, but the impact on organizations using infected third-party software remains significant, they added.

The North Korean attribution comes after researchers found overlapping code structure, identification function names and encryption keys and similar execution flows with a previous AppleJeus backdoor. Palo Alto named the backdoor in this campaign PondRAT. It shares many characteristics with PoolRat, a known North Korean backdoor that Mandiant spotted in the 2023 supply chain attack against 3CX.

A PondRAT variant observed by Palo Alto for macOS also used rebelthumb.net as its command-and-control domain. Volexity in 2022 identified the hostname as an AppleJeus server.

The now-removed Python packages are: real-ids with 893 downloads, coloredtxt with 381 downloads; beautifultext with 736 downloads, and minisound with 416 downloads.


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.