TodoSwift: Newest macOS Malware Tied to North Korean Hackers

Cybersecurity researchers have identified a new macOS malware strain, TodoSwift, which shares characteristics with malware previously used by North Korean hacking groups. The malware, discovered by Kandji security researcher Christopher Lopez, shows similarities with known malicious software like KANDYKORN and RustBucket. RustBucket, initially detected in July 2023, is an AppleScript-based backdoor capable of retrieving next-stage payloads from a command-and-control (C2) server. Last year, Elastic Security Labs uncovered KANDYKORN, employed in a cyber attack targeting blockchain engineers of an unnamed cryptocurrency exchange platform.

Both RustBucket and KANDYKORN utilize linkpc[.]net domains for C2 purposes and are attributed to the Lazarus Group, specifically its sub-cluster BlueNoroff. The DPRK, through the Lazarus Group, targets cryptocurrency businesses to evade international sanctions. TodoSwift is distributed as a signed file named TodoTasks, which includes a dropper component to deliver a weaponized PDF document and execute a second-stage binary. The lure PDF, related to Bitcoin, is hosted on Google Drive, while the malicious payload is fetched from a domain controlled by the actor.

The second-stage binary can access system information, communicate with a C2 server via API, and write data to an executable file on the device. The use of a Google Drive URL and passing the C2 URL as a launch argument to the binary align with characteristics of previous North Korean macOS malware. TodoSwift’s behavior mirrors that of known DPRK malware affecting macOS systems, emphasizing the persistent threat posed by North Korean hacking groups in cyber attacks.