TodoSwift: North Korean Cybercriminals Use Bitcoin Lure to Spread macOS Malware

BlueNoroff - TodoSwift

A signed application known as “TodoTasks” has been discovered to be a sophisticated malware dropper targeting macOS users. Uploaded to VirusTotal on July 24, 2024, this malicious application is believed to originate from North Korea, specifically linked to the infamous BlueNoroff threat actor group. The group has previously been associated with high-profile malware campaigns such as KandyKorn and RustBucket, and this new strain, dubbed “TodoSwift,” shares several telltale characteristics.

Security researchers at Kandji have detailed the malware’s operation, highlighting its advanced techniques and potential connections to previous North Korean cyberattacks.

The TodoSwift malware cleverly disguises itself as a legitimate PDF document, purportedly offering insights into Bitcoin prices. This is a tactic designed to lure in unsuspecting users who may be interested in cryptocurrency trends, a topic that continues to capture global attention. However, instead of providing valuable information, the application simultaneously downloads and executes a malicious binary, potentially compromising the user’s system.

The dropper behind TodoSwift is a GUI application written in Swift/SwiftUI, showcasing a blend of modern macOS development techniques with malicious intent. Upon execution, the application presents a PDF to the user, masking the fact that it is also fetching and executing a second-stage binary in the background. This dual-action behavior is a hallmark of BlueNoroff’s approach, aligning TodoSwift with previous DPRK malware campaigns.

According to security insights from Elastic, TodoSwift’s use of a Google Drive link for downloading its malicious payload echoes tactics seen in earlier BlueNoroff operations. KandyKorn, another DPRK-linked malware, employed a similar strategy, utilizing a Google Drive URL to deliver its payload. The malicious content is downloaded, and the command-and-control (C2) URL is passed as a launch argument to the stage 2 binary, further cementing the connection to known DPRK tactics.
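The chain the last three paragraphs describe (a GUI app fetches a payload from a Google Drive URL, then launches it with a C2 URL as a launch argument) is something a defender can look for in endpoint telemetry. The detector below is an added example, not code from Kandji, Elastic or the article: it correlates process-execution and network events by process ancestry and flags a process that fetched from a Google Drive host and whose descendant was then executed with a URL-shaped argument. The event schema, the host list, all paths, the Drive file id and the C2 hostname are constructed for the example.

```python
"""
Added example: correlate "downloaded from Google Drive" with "then executed a
binary that takes a URL argument", the dropper pattern described in the text.
Event schema and all sample values are constructed; real EDR data would be
mapped into this shape first.
"""
import re
from urllib.parse import urlparse

# Hosts treated as "Google Drive" for this example (assumption, not from the page).
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}
URL_ARG = re.compile(r"^https?://", re.IGNORECASE)


def is_drive_url(url):
    host = urlparse(url).hostname or ""
    return host.lower() in DRIVE_HOSTS


def find_dropper_chains(events, max_hops=4):
    """Return one finding per exec event that carries a URL argument and whose
    ancestor (within max_hops) previously fetched a file from Google Drive."""
    events = sorted(events, key=lambda e: e["ts"])
    downloaded_by = {}   # pid -> first Drive URL that process fetched
    parent_of = {}       # pid -> ppid, learned from exec events
    findings = []
    for ev in events:
        if ev["type"] == "network":
            if is_drive_url(ev["url"]):
                downloaded_by.setdefault(ev["pid"], ev["url"])
        elif ev["type"] == "exec":
            parent_of[ev["pid"]] = ev["ppid"]
            url_args = [a for a in ev["args"][1:] if URL_ARG.match(a)]
            if not url_args:
                continue
            # Walk up the process tree looking for the process that did the download.
            anc, hops = ev["ppid"], 0
            while anc is not None and hops < max_hops:
                if anc in downloaded_by:
                    findings.append({
                        "pid": ev["pid"],
                        "exec_path": ev["path"],
                        "url_args": url_args,
                        "downloader_pid": anc,
                        "download_url": downloaded_by[anc],
                    })
                    break
                anc, hops = parent_of.get(anc), hops + 1
    return findings


# Constructed sample telemetry: a dropper-style chain followed by a benign one.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "exec", "pid": 501, "ppid": 1,
     "path": "/Applications/TodoTasks.app/Contents/MacOS/TodoTasks", "args": ["TodoTasks"]},
    {"ts": 2, "type": "network", "pid": 501,
     "url": "https://drive.google.com/uc?id=CONSTRUCTED_FILE_ID&export=download"},
    # The decoy PDF is opened for the user ...
    {"ts": 3, "type": "exec", "pid": 502, "ppid": 501,
     "path": "/usr/bin/open", "args": ["open", "/tmp/bitcoin_prices.pdf"]},
    # ... while the fetched binary is launched with a URL as its argument.
    {"ts": 4, "type": "exec", "pid": 503, "ppid": 501,
     "path": "/tmp/.stage2", "args": ["/tmp/.stage2", "https://c2.example.invalid/"]},
    # Benign: a browser downloads from Drive and only opens a document.
    {"ts": 5, "type": "exec", "pid": 600, "ppid": 1,
     "path": "/Applications/Safari.app/Contents/MacOS/Safari", "args": ["Safari"]},
    {"ts": 6, "type": "network", "pid": 600,
     "url": "https://drive.google.com/file/d/CONSTRUCTED/view"},
    {"ts": 7, "type": "exec", "pid": 601, "ppid": 600,
     "path": "/usr/bin/open", "args": ["open", "/Users/alice/Downloads/report.pdf"]},
]

if __name__ == "__main__":
    for f in find_dropper_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ran {f['exec_path']} with {f['url_args']} "
              f"after pid {f['downloader_pid']} fetched {f['download_url']}")
```

Run stand-alone it reports the single constructed chain (pid 503 launched by pid 501). The Drive download on its own is a weak signal, which is why the rule only fires on the combination with a URL argument to a newly executed binary; tune the host list and hop limit to the telemetry source you actually have.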

While the initial analysis of TodoSwift reveals its malicious intent and its sophisticated delivery mechanism, the full scope of its capabilities remains under investigation. Researchers are particularly interested in understanding the complete functionality of the stage 2 binary and how it might further compromise affected systems.

In the meantime, macOS users are urged to exercise caution when downloading files, especially those related to popular topics like cryptocurrency. Ensuring that applications are sourced from trusted developers and verifying the legitimacy of downloaded content is crucial in mitigating the risk posed by this and similar threats.
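The article notes the dropper was a signed application, so "is it signed?" is not enough of a check; what a user or analyst wants is who signed it and whether Gatekeeper and notarization accept it. The script below is an added example (not from Kandji or the article) that parses the output of the real macOS tools `codesign -dv --verbose=4` and `spctl --assess --type execute -v` into a verdict and a signer record worth keeping for triage. The bundle paths, identifiers and the Team ID `ABCDE12345` in the sample outputs are constructed.

```python
"""
Added example: check a downloaded .app's signing identity and Gatekeeper
verdict instead of trusting "it is signed". Uses the real macOS tools
codesign and spctl; the sample outputs below are constructed to mimic
their normal key=value stderr format.
"""
import re
import subprocess


def parse_codesign(text):
    """Parse `codesign -dv --verbose=4` output (key=value lines on stderr)."""
    info = {"authorities": [], "identifier": None, "team_id": None, "adhoc": False}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info["authorities"].append(value)      # leaf certificate comes first
        elif key == "Identifier":
            info["identifier"] = value
        elif key == "TeamIdentifier":
            info["team_id"] = None if value == "not set" else value
        elif key == "Signature" and value == "adhoc":
            info["adhoc"] = True
    return info


def parse_spctl(text):
    """Parse `spctl --assess --type execute -v`: '<path>: accepted' plus 'source=...'."""
    accepted = bool(re.search(r":\s*accepted\s*$", text, re.MULTILINE))
    m = re.search(r"^source=(.+)$", text, re.MULTILINE)
    return accepted, (m.group(1).strip() if m else None)


def assess(codesign_text, spctl_text):
    """Return (ok, reasons, signer). `signer` is what to record even when ok."""
    sig = parse_codesign(codesign_text)
    accepted, source = parse_spctl(spctl_text)
    reasons = []
    if sig["adhoc"] or not sig["authorities"]:
        reasons.append("ad-hoc or unsigned: no certificate chain")
    elif not sig["authorities"][0].startswith("Developer ID Application:"):
        reasons.append(f"leaf certificate is not a Developer ID: {sig['authorities'][0]}")
    if not accepted:
        reasons.append("Gatekeeper assessment rejected")
    elif source is None or "Notarized" not in source:
        reasons.append(f"not notarized (source={source})")
    signer = {"identifier": sig["identifier"], "team_id": sig["team_id"],
              "leaf": sig["authorities"][0] if sig["authorities"] else None}
    return (not reasons, reasons, signer)


def inspect_app(app_path):
    """Run the real tools (macOS only) and assess the result."""
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", app_path],
                        capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--type", "execute", "-v", app_path],
                        capture_output=True, text=True)
    return assess(cs.stderr, sp.stderr + sp.stdout)


# Constructed sample outputs: a notarized Developer ID app and an ad-hoc signed one.
CODESIGN_OK = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
SPCTL_OK = ("/Applications/Example.app: accepted\nsource=Notarized Developer ID\n"
            "origin=Developer ID Application: Example Corp (ABCDE12345)\n")
CODESIGN_ADHOC = ("Executable=/tmp/Dropped.app/Contents/MacOS/Dropped\nIdentifier=Dropped\n"
                  "Format=app bundle with Mach-O thin (arm64)\nSignature=adhoc\n"
                  "TeamIdentifier=not set\n")
SPCTL_REJECT = "/tmp/Dropped.app: rejected\nsource=no usable signature\n"

if __name__ == "__main__":
    for cs, sp in ((CODESIGN_OK, SPCTL_OK), (CODESIGN_ADHOC, SPCTL_REJECT)):
        ok, reasons, signer = assess(cs, sp)
        print("OK" if ok else "SUSPECT", signer, reasons)
```

Even an app that passes this check is only as trustworthy as the Developer ID account that signed it; the Team ID in `signer` is the value to report or block if the app later turns out to be malicious, and the same parse applies to a dropper's stage 2 binary once it has been recovered.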
