TodoSwift Mac Malware
Cybersecurity researchers have uncovered a new strain of the macOS malware called TodoSwift, which shares characteristics with known malware linked to North Korean hacking groups.
TodoSwift exhibits several behaviors similar to malware previously attributed to North Korea (DPRK), particularly the BlueNoroff threat group, which is associated with malware such as KANDYKORN and RustBucket. RustBucket, first reported in July 2023, is an AppleScript-based backdoor designed to retrieve additional payloads from a Command-and-Control (C2) server.
North Korean-Linked Malware Threats
Late last year, researchers discovered another macOS malware known as KANDYKORN, which was used in a cyber attack targeting blockchain engineers at an unnamed cryptocurrency exchange.
KANDYKORN is delivered through a complex multi-stage infection chain and is equipped to access and exfiltrate data from the victim's computer. Additionally, it can terminate arbitrary processes and execute commands on the host system.
A key similarity between the two malware families is their use of linkpc.net domains for Command-and-Control (C2) operations. Both RustBucket and KANDYKORN are believed to be the work of the Lazarus Group, including its sub-cluster known as BlueNoroff.
North Korea, through groups like the Lazarus Group, continues to target businesses in the cryptocurrency industry with the aim of harvesting cryptocurrency to bypass international sanctions that restrict their economic growth and ambitions.
TodoSwift Attack Chain
In the TodoSwift attack, the threat actors targeted blockchain engineers on a public chat server with a lure tailored to their skills and interests, promising financial rewards.
Recent findings reveal that TodoSwift is distributed as a signed file named TodoTasks, which contains a dropper component. This component is a GUI application built with SwiftUI, designed to present a weaponized PDF document to the victim while secretly downloading and executing a second-stage binary, a technique also used by RustBucket.
The PDF lure is a benign Bitcoin-related document hosted on Google Drive, while the malicious payload is retrieved from an actor-controlled domain, buy2x.com. This payload is crafted to collect system information and deploy additional malware.
Once installed, the malware can gather details about the device, such as the OS version and hardware model, communicate with the Command-and-Control (C2) server via API, and write data to an executable file on the device. The use of a Google Drive URL for the lure and passing the C2 URL as a launch argument to the second-stage binary aligns with tactics seen in previous DPRK malware targeting macOS systems.
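The chain described above (a GUI dropper that contacts the payload domain, writes a second-stage executable to disk, then launches it with its C2 URL as a launch argument) can be hunted for in endpoint telemetry. The following detection is an added example, not code from the original report or from any vendor tool; the JSON event format, pids, .app path and staged file name are constructed for the illustration, and only the domains come from the reporting.

```python
import json
from urllib.parse import urlparse

# Constructed sample endpoint telemetry, one JSON event per line. These are not
# real logs: the pids, the .app path and the staged file name are invented.
SAMPLE_EVENTS = """\
{"ts": 1, "type": "exec", "pid": 501, "ppid": 1, "image": "/Applications/TodoTasks.app/Contents/MacOS/TodoTasks", "args": []}
{"ts": 2, "type": "net", "pid": 501, "host": "drive.google.com"}
{"ts": 3, "type": "net", "pid": 501, "host": "buy2x.com"}
{"ts": 4, "type": "file_write", "pid": 501, "path": "/Users/eng/Library/Caches/.helper", "executable": true}
{"ts": 5, "type": "exec", "pid": 777, "ppid": 501, "image": "/Users/eng/Library/Caches/.helper", "args": ["http://buy2x.com/api"]}
{"ts": 6, "type": "exec", "pid": 888, "ppid": 1, "image": "/Applications/Safari.app/Contents/MacOS/Safari", "args": ["https://example.com"]}
"""

# Domains from the public reporting: buy2x.com (TodoSwift payload host) and
# linkpc.net (RustBucket / KANDYKORN C2). Matched as the host or a subdomain.
SUSPECT_DOMAINS = ("buy2x.com", "linkpc.net")


def is_suspect_host(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


def detect(event_lines):
    """Flag the dropper pattern: a process that contacted a suspect domain,
    wrote an executable file, then launched that file with a URL argument."""
    contacted, wrote = {}, {}  # pid -> suspect hosts / executable paths written
    findings = []
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        pid = ev["pid"]
        if ev["type"] == "net" and is_suspect_host(ev["host"]):
            contacted.setdefault(pid, set()).add(ev["host"])
        elif ev["type"] == "file_write" and ev.get("executable"):
            wrote.setdefault(pid, set()).add(ev["path"])
        elif ev["type"] == "exec":
            parent = ev["ppid"]
            # The second stage receives its C2 URL as a launch argument.
            urls = [a for a in ev["args"] if urlparse(a).scheme in ("http", "https")]
            staged = ev["image"] in wrote.get(parent, set())
            if staged and parent in contacted and urls:
                findings.append({"parent_pid": parent, "child_pid": pid,
                                 "image": ev["image"], "c2_arg": urls[0],
                                 "hosts": sorted(contacted[parent])})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print("ALERT: staged second-stage launch", f)
```

Safari launching with a URL argument is not flagged because its parent never contacted a suspect domain nor wrote the executable it runs; the rule keys on the full write-then-execute sequence, not on URL arguments alone.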