Recent macOS Malware TodoSwift Linked to North Korean Cyber Warfare Groups
A recent discovery by cybersecurity researchers revealed a new macOS malware strain known as TodoSwift, which shares similarities with known malicious software attributed to North Korean cyber warfare groups.
“Much like known malware from North Korea (DPRK) – particularly from the hacking entity BlueNoroff – this software shares several traits with threats like KANDYKORN and RustBucket,” highlighted Christopher Lopez, a security researcher at Kandji, in an analysis.
RustBucket, disclosed in July 2023, involves an AppleScript-based backdoor capable of retrieving subsequent malicious payloads from a command-and-control (C2) server.
Not long ago, Elastic Security Labs exposed another macOS threat identified as KANDYKORN, which was utilized in an attack against blockchain specialists of a specific cryptocurrency exchange platform.
Deployed via a sophisticated multi-layer infection method, KANDYKORN can infiltrate and extract data from the victim’s computer system. It also has the capacity to halt various processes and run commands on the targeted system.
One common element linking the two malware lineages is the utilization of linkpc[.]net domains for C2 operations. Both RustBucket and KANDYKORN are believed to be attributed to a hacking faction referred to as the Lazarus Group (along with its sub-branch BlueNoroff).
“The DPRK, through groups like the Lazarus Group, persistently aims at businesses in the cryptocurrency sector in an attempt to siphon off digital currencies and evade international limitations impeding their economic development and aspirations,” remarked Elastic during the incident.
“In this attack, they targeted blockchain professionals active on an open chat platform with an enticing message tailored to their expertise and interests, alluding to potential financial gain.”
Recent findings from the Apple security and device management platform indicate that TodoSwift masquerades as TodoTasks and comprises a loader component.

This module, a graphical user interface app written in SwiftUI, is designed to display a weaponized PDF file to the victim while discreetly fetching and executing a second-stage binary, a technique akin to RustBucket.
The benign PDF document is related to Bitcoin and hosted on Google Drive, whereas the malicious payload is retrieved from a domain controlled by the attackers (“buy2x[.]com”). Detailed analysis of the binary is currently ongoing.
“The adoption of a Google Drive link and the provision of the C2 URL as a start-up argument to the second-stage binary is in line with previous DPRK malware affecting macOS machines,” Lopez detailed.
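As an added defensive illustration (example code, not from Kandji or the article), the check below scans constructed process-execution records for a binary launched with a URL in its start-up arguments whose host falls under the domains the reporting names; the event fields, paths and sample values are assumptions.

```python
import re
from urllib.parse import urlparse

# Domains named in the reporting: linkpc.net (RustBucket/KANDYKORN C2) and
# buy2x.com (TodoSwift second-stage host). Extend from your own intel feed.
C2_DOMAINS = {"linkpc.net", "buy2x.com"}

URL_RE = re.compile(r"https?://[^\s\"']+")

def host_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def suspicious_urls(argv, domains=C2_DOMAINS):
    """Return URLs found in a process argument list whose host is under a listed domain."""
    hits = []
    for arg in argv:
        for url in URL_RE.findall(arg):
            host = urlparse(url).hostname or ""
            if host_matches(host, domains):
                hits.append(url)
    return hits

def scan_events(events, domains=C2_DOMAINS):
    """Flag process-execution events whose argv carries a URL under a listed domain.

    This mirrors the behaviour described above: the C2 URL is handed to the
    second-stage binary as a start-up argument, so it shows up in the command line.
    """
    alerts = []
    for ev in events:
        hits = suspicious_urls(ev["argv"], domains)
        if hits:
            alerts.append({"pid": ev["pid"], "parent": ev["parent"],
                           "exe": ev["exe"], "urls": hits})
    return alerts

# Constructed sample events (assumed field layout, not real telemetry): a .app bundle
# launching a dropped binary with a C2 URL as its argument, plus benign noise.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent": "TodoTasks.app", "exe": "/private/tmp/stage2",
     "argv": ["/private/tmp/stage2", "https://example.buy2x.com/c2"]},
    {"pid": 4102, "parent": "Safari.app", "exe": "/usr/bin/curl",
     "argv": ["/usr/bin/curl", "https://drive.google.com/file/d/abc"]},
    {"pid": 4103, "parent": "launchd", "exe": "/tmp/helper",
     "argv": ["/tmp/helper", "--server", "http://foo.linkpc.net:8080/"]},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```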