Citrine Sleet Poisons PyPI Packages With Mac & Linux Malware

Published: 23/11/2024 | Category: security

A North Korean advanced persistent threat (APT) actor (aka Gleaming Pisces) tried to sneak simple backdoors into public software packages.



One of North Korea's most sophisticated threat groups has been hiding remote access malware for macOS and Linux inside of open source Python packages.

North Korean advanced persistent threats (APTs) have become notorious for certain characteristic types of cyberattack in recent years. There's the cryptocurrency scam, which can come in many forms — often a fake trading platform, where victims are lured into divulging their wallet information or downloading malware. Supply chain attacks are common, particularly via poisoned packages typosquatting on public repositories. An impish recent trend involves contracting actual, honest labor to Western companies under false pretenses, then sending the salaries earned back to Kim's state. The reverse — agents posing as tech recruiters, convincing developers to download malware — is also common.
The group, which Palo Alto's Unit 42 tracks as Gleaming Pisces (and Microsoft as Citrine Sleet), seems to have supplemented category one with category two. Active since 2018, the financially motivated, DPRK Reconnaissance General Bureau (RGB)-linked group is known for attacks weaponizing fake crypto platforms. Unit 42 now assesses with medium confidence that it was responsible for uploading a handful of malicious packages to the Python Package Index (PyPI) back in February. The packages have since been taken down.
Most packages uploaded to open source repositories are simple by nature. As Louis Lang, co-founder and chief technology officer (CTO) at Phylum, recalls, "What was interesting about these packages was that there was a higher order of complexity than you typically find among benign packages."
Phylum had identified four packages worth taking a second look at: real-ids, minisound, coloredtxt, and beautifultext. The innocuous names seemed to allude to legitimate functionality, like syntax highlighting for terminal outputs.
In reality, the packages contained malicious code that would be decoded and executed upon download. The code would then run bash commands in order to retrieve and download a remote access Trojan (RAT) called PondRAT.
PondRAT is a very simple backdoor, capable of just a few functions: uploading and downloading files, checking to see that an implant is active or instructing it to sleep, and executing commands issued by the operator. It is, in essence, a light version of PoolRAT. PoolRAT is a known Gleaming Pisces backdoor for macOS that has a half dozen more standard capabilities than its successor, like listing directories, deleting files, etc.
More notable than the malware itself may be the fact that its authors wrote it only for macOS and Linux systems.
Forgoing hackers' long-preferred Windows operating system makes sense, though, when one considers Gleaming Pisces' typical audience. As Lang explains, "They're targeting the actual builders, CI/CD infrastructure, developer workstations — environments that are overwhelmingly going to be Linux or macOS based. Very few people are doing development on straight Windows. So if you are targeting developers, it makes sense to ship variants for these systems, because that's where your target population lives."
Developers, then, need to be alert to phishing attacks, like those fake crypto platforms and job recruitment scams, because while it's rare that anyone might pull an unpopular, ultra-generic package from PyPI, it's entirely likely that that same package could be quietly integrated into a broader infection chain.
"If you add a package, it could have downstream impacts, where you're actually pulling in 30, 40 other packages it may [be connected to]. So if I was a developer, I'd be very cognizant of what I'm installing, and try to minimize the attack surface by minimizing the number of packages I'm pulling in. And then, obviously, scan the packages — look for these zombies, look for high-entropy strings, look for code obfuscation," Lang suggests.

"Like we always say," he adds, "you're one update away from malware."
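The mechanism described above (an encoded blob that is decoded and executed at install time, then a bash command to fetch the RAT) and the checks Lang recommends (high-entropy strings, code obfuscation) can be put into a small static scanner for a package's setup.py. The following is an added example written for this page; it is not code from the article, from Phylum or from Unit 42, and the two setup.py samples it scans are constructed for illustration, with an inert placeholder standing in for the payload. The function-name lists it matches against are this example's own heuristics, not a published signature set.

```python
"""Static heuristics for the install-time obfuscation the article describes.

Added example, not code from the article, Phylum or Unit 42. It looks for
three things a setup.py should not need: high-entropy string literals,
decode-then-execute constructs, and shell/process execution. The sample
sources below are constructed for this example.
"""
import ast
import math
from collections import Counter

# Constructed sample modelled on the described pattern: an encoded blob that is
# decoded and handed to exec() at install time, followed by a bash invocation.
# The blob is base64 of a harmless 'echo placeholder', not real malware.
SUSPICIOUS_SETUP = '''
import base64, subprocess
from setuptools import setup

_p = "aW1wb3J0IG9zOyBvcy5zeXN0ZW0oImVjaG8gcGxhY2Vob2xkZXIiKQ=="
exec(base64.b64decode(_p))
subprocess.run(["bash", "-c", "echo placeholder"])

setup(name="coloredtxt", version="0.0.1")
'''

# Constructed sample of a minimal, benign setup.py for comparison.
BENIGN_SETUP = '''
from setuptools import setup

setup(name="coloredtxt", version="0.0.1",
      description="colour your terminal text")
'''

# Heuristic name lists (assumptions of this example, not an official signature set).
EXEC_FUNCS = {"exec", "eval"}
DECODE_FUNCS = {"b64decode", "b32decode", "a85decode", "b85decode", "decompress", "unhexlify"}
SHELL_FUNCS = {"system", "popen", "run", "call", "check_output", "check_call", "Popen"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character. English prose sits around 4;
    base64 of compressed or encrypted data typically lands between 5 and 6."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _callee(node: ast.Call) -> str:
    """Bare name of the callee: exec(...) -> 'exec', base64.b64decode(...) -> 'b64decode'."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return ""


def scan_source(src: str, entropy_threshold: float = 4.5, min_len: int = 32) -> list:
    """Return human-readable findings for one Python source file."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            s = node.value
            # Long, high-entropy literals are the usual carrier for encoded payloads.
            if len(s) >= min_len and shannon_entropy(s) >= entropy_threshold:
                findings.append(f"line {node.lineno}: high-entropy string literal ({len(s)} chars)")
        elif isinstance(node, ast.Call):
            name = _callee(node)
            if name in EXEC_FUNCS:
                # exec()/eval() whose argument is itself a decode call is the classic obfuscation shape.
                decoded = any(isinstance(a, ast.Call) and _callee(a) in DECODE_FUNCS for a in node.args)
                what = "decoded data" if decoded else "a dynamic argument"
                findings.append(f"line {node.lineno}: {name}() of {what}")
            elif name in SHELL_FUNCS:
                findings.append(f"line {node.lineno}: shell/process execution via {name}()")
    return findings


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        hits = scan_source(src)
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print("  -", h)
```

Run against the constructed suspicious sample, the scanner reports the high-entropy literal, the exec() of decoded data and the subprocess call; the benign sample produces no findings. The name lists are deliberately broad (`run` will also match `asyncio.run`, for instance), so treat a hit as a reason to read the file, not as a verdict; in a real pipeline this would be applied to every `.py` file in the sdist or wheel before installation, not only to setup.py.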
