New macOS Malware TodoSwift Associated with North Korean Hacking Crews
Cybersecurity analysts have discovered a new macOS malware sample named TodoSwift that they assess shares traits with known malicious software used by North Korean hacking groups.
“This software demonstrates several traits similar to malware connected to North Korea (DPRK) — particularly the threat actor identified as BlueNoroff — like KANDYKORN and RustBucket,” mentioned Kandji security researcher Christopher Lopez in an examination.
RustBucket, first disclosed in July 2023, is an AppleScript-based backdoor that can fetch follow-on payloads from a command-and-control (C2) server.
Elastic Security Labs also recently documented another macOS malware family called KANDYKORN, which was used in an attack targeting blockchain engineers at an undisclosed cryptocurrency exchange.
Delivered through a multi-stage infection chain, KANDYKORN can access and exfiltrate data from a victim's system. It is also built to terminate arbitrary processes and execute commands on the compromised device.
A characteristic shared by the two malware families is the use of linkpc[.]net domains for C2. Both RustBucket and KANDYKORN are attributed to the hacking unit known as the Lazarus Group (and its sub-group BlueNoroff).
“The DPRK, through entities like the Lazarus Group, persists in targeting crypto-related businesses to pilfer cryptocurrency as a way to dodge international restrictions interfering with their economic growth and goals,” Elastic noted previously.
“In this breach, they aimed at blockchain engineers engaged on a public chat platform using attraction tailored to their skills and interests, alongside the promise of financial benefits.”
Kandji, the Apple device management and security platform, reports that TodoSwift is distributed under the name TodoTasks and includes a dropper component.

This component is a GUI app written in SwiftUI that displays a decoy PDF document to the target while silently downloading and executing a second-stage binary, a technique also seen in RustBucket.
The decoy PDF is a harmless Bitcoin-related document hosted on Google Drive, while the malicious payload is fetched from an attacker-controlled domain ("buy2x[.]com"). Analysis of the binary's exact capabilities is ongoing.
“The utilization of a Google Drive URL and passing the C2 URL as a launch argument to the stage 2 binary is consistent with prior DPRK malware affecting macOS systems,” Lopez pointed out.
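The dropper behaviour described above (a decoy document opened from Google Drive while a sibling process is launched with a C2 URL as its argument) can be turned into a simple process-event detection. This is an added example, not code from Kandji or Elastic; the event format and sample events are constructed, the watchlist uses only the domains named in the article, and the "stage2" path is a placeholder.

```python
"""Flag a parent process that opens a Google Drive document and also spawns a
child whose launch argument is a URL on a watchlisted C2 domain."""
from urllib.parse import urlparse

# Watchlist built from the domains named in the article (de-fanged brackets removed).
C2_SUFFIXES = ("buy2x.com", "linkpc.net")

# Constructed sample process events: (pid, ppid, executable path, argv).
SAMPLE_EVENTS = [
    (501, 1,   "/Applications/TodoTasks.app/Contents/MacOS/TodoTasks", ["TodoTasks"]),
    (502, 501, "/usr/bin/open", ["open", "https://drive.google.com/file/d/EXAMPLE/view"]),
    (503, 501, "/Users/me/Library/Caches/stage2", ["stage2", "https://api.buy2x.com/beacon"]),
    (601, 1,   "/Applications/Safari.app/Contents/MacOS/Safari", ["Safari"]),
    (602, 601, "/usr/bin/curl", ["curl", "https://example.org/index.html"]),
]


def url_host(arg):
    """Return the lowercase host of an argument that parses as an http(s) URL, else None."""
    parsed = urlparse(arg)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def matches_watchlist(host):
    """True if host equals a watchlisted domain or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in C2_SUFFIXES)


def find_suspicious(events):
    """Return (parent_pid, child_pid, host, decoy_seen) for every child launched
    with a watchlisted URL argument; decoy_seen is True when a sibling process
    under the same parent was handed a drive.google.com URL."""
    by_parent = {}
    for pid, ppid, path, argv in events:
        by_parent.setdefault(ppid, []).append((pid, path, argv))
    hits = []
    for ppid, children in by_parent.items():
        sibling_hosts = {url_host(a) for _, _, argv in children for a in argv}
        decoy_seen = "drive.google.com" in sibling_hosts
        for pid, path, argv in children:
            for host in filter(None, (url_host(a) for a in argv)):
                if matches_watchlist(host):
                    hits.append((ppid, pid, host, decoy_seen))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious launch:", hit)
```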