TodoSwift: Newest macOS Malware Tied to North Korean Hackers

August 22, 2024
1 min read

TLDR:

  • A new macOS malware called TodoSwift has been linked to North Korean hacking groups.
  • Similarities have been found between TodoSwift and known North Korean malicious software such as KANDYKORN and RustBucket.

Cybersecurity researchers have identified a new macOS malware strain, TodoSwift, which shares characteristics with malware previously used by North Korean hacking groups. The malware, discovered by Kandji security researcher Christopher Lopez, shows similarities with known malicious software like KANDYKORN and RustBucket. RustBucket, initially detected in July 2023, is an AppleScript-based backdoor capable of retrieving next-stage payloads from a command-and-control (C2) server. Last year, Elastic Security Labs uncovered KANDYKORN, employed in a cyber attack targeting blockchain engineers of an unnamed cryptocurrency exchange platform.

Both RustBucket and KANDYKORN utilize linkpc[.]net domains for C2 purposes and are attributed to the Lazarus Group, specifically its sub-cluster BlueNoroff. The DPRK, through the Lazarus Group, targets cryptocurrency businesses to evade international sanctions. TodoSwift is distributed as a signed file named TodoTasks, which includes a dropper component to deliver a weaponized PDF document and execute a second-stage binary. The lure PDF, related to Bitcoin, is hosted on Google Drive, while the malicious payload is fetched from a domain controlled by the actor.

The second-stage binary can access system information, communicate with a C2 server via API, and write data to an executable file on the device. The use of a Google Drive URL and passing the C2 URL as a launch argument to the binary align with characteristics of previous North Korean macOS malware. TodoSwift’s behavior mirrors that of known DPRK malware affecting macOS systems, emphasizing the persistent threat posed by North Korean hacking groups in cyber attacks.

Latest from Blog

Top 20 Linux Admin Tools for 2024

TLDR: Top Linux Admin Tools in 2024 Key points: Linux admin tools streamline system configurations, performance monitoring, and security management. Popular Linux admin tools include Webmin, Puppet, Zabbix, Nagios, and Ansible. Summary

Bogus job tempts aerospace, energy workers

TLDR: A North Korean cyberespionage group is posing as job recruiters to target employees in aerospace and energy sectors. Mandiant reports that the group uses fake job descriptions stored in malicious archives