Cybersecurity experts have identified a new macOS malware strain called “TodoSwift,” which shares characteristics with known malicious software linked to North Korean hacking groups.
Christopher Lopez, a security researcher at Kandji, noted in his analysis that this malware shows similarities with other malicious tools used by North Korea (DPRK), particularly the BlueNoroff group. This group is known for other malware strains like “KANDYKORN” and “RustBucket.”
“RustBucket,” which was first identified in July 2023, is an AppleScript-based backdoor that can retrieve additional malicious payloads from a command-and-control (C2) server.
Late in 2023, Elastic Security Labs discovered another macOS malware called “KANDYKORN,” which was used in a cyberattack targeting blockchain engineers at an unnamed cryptocurrency exchange platform. KANDYKORN is delivered through a complex multi-stage infection chain and has capabilities to access and exfiltrate data from a victim’s computer, terminate processes, and execute commands on the host.
Both RustBucket and KANDYKORN share a common trait: they use linkpc[.]net domains for C2 communications. These malware strains are attributed to the Lazarus Group and its sub-cluster, BlueNoroff, which are known to target businesses in the cryptocurrency industry as part of North Korea’s efforts to steal cryptocurrency and circumvent international sanctions.
According to Elastic, the Lazarus Group targets blockchain engineers using lures designed to appeal to their professional interests, often with the promise of financial gain.
The new findings from Kandji’s Apple device management and security platform reveal that TodoSwift is distributed as a dropper component in the form of an application called “TodoTasks.” This GUI application, written in SwiftUI, is designed to display a weaponized PDF document to the victim while secretly downloading and executing a second-stage binary. This method is similar to the technique employed by RustBucket.
The lure used in TodoSwift is a benign Bitcoin-related document hosted on Google Drive, while the malicious payload is retrieved from a domain controlled by the attackers (“buy2x[.]com”). Further analysis of the specific details of the binary is ongoing.
Lopez pointed out that the use of a Google Drive URL for the lure and the passing of the C2 URL as a launch argument to the second-stage binary are both consistent with previous DPRK malware targeting macOS systems.
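The behaviours described above, a GUI app bundle spawning a dropped binary that receives its C2 URL on the command line, can be checked for in process-execution telemetry. The following is an added detection example written for this page, not Kandji's or Elastic's code; it assumes a simplified event format (parent path, image path, argv) of the kind an EDR export might provide, uses constructed sample events, and matches hosts against the defanged domains named in the article.

```python
import re
from urllib.parse import urlparse

# Domains named in the article, kept in the defanged form they appear in.
KNOWN_C2 = ["buy2x[.]com", "linkpc[.]net"]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample events (assumed export format; not real telemetry).
SAMPLE_EVENTS = [
    # GUI app bundle launching a dropped helper with a C2 URL argument.
    {"parent": "/Applications/TodoTasks.app/Contents/MacOS/TodoTasks",
     "image": "/Users/alice/Library/Caches/.tt/helper",
     "argv": ["/Users/alice/Library/Caches/.tt/helper", "hxxps://buy2x[.]com/stage2"]},
    # Same pattern, pointing at a subdomain of the dynamic-DNS provider.
    {"parent": "/Users/alice/Downloads/TodoTasks.app/Contents/MacOS/TodoTasks",
     "image": "/private/tmp/upd",
     "argv": ["/private/tmp/upd", "hxxps://abc[.]linkpc[.]net/c"]},
    # Benign: a shell-driven download with no app-bundle parent or known C2 host.
    {"parent": "/bin/zsh", "image": "/usr/bin/curl",
     "argv": ["/usr/bin/curl", "-O", "https://example.com/pkg.tar.gz"]},
]


def refang(value: str) -> str:
    """Turn a defanged indicator (buy2x[.]com, hxxps://) into a matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def host_matches(host: str, indicators) -> bool:
    """True if host equals an indicator or is a subdomain of it (x.linkpc.net)."""
    host = host.lower()
    return any(host == refang(i).lower() or host.endswith("." + refang(i).lower())
               for i in indicators)


def analyze_event(event: dict) -> list:
    """Return reasons an exec event resembles the TodoSwift dropper pattern."""
    reasons = []
    urls = [refang(a) for a in event["argv"][1:] if URL_RE.fullmatch(refang(a))]
    parent_is_gui_app = ".app/Contents/MacOS/" in event["parent"]
    child_outside_bundle = ".app/" not in event["image"]
    if urls and parent_is_gui_app and child_outside_bundle:
        reasons.append("app-bundle process spawned non-bundle binary with URL argument")
    for url in urls:
        host = urlparse(url).hostname or ""
        if host_matches(host, KNOWN_C2):
            reasons.append(f"argument references known C2 domain: {host}")
    return reasons


def scan(events) -> dict:
    """Map each suspicious image path to the reasons it was flagged."""
    return {e["image"]: r for e in events if (r := analyze_event(e))}
```

The first rule is behavioural and would also surface the pattern with a not-yet-known domain; the second is a plain indicator match for the hosts the article names.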