August 21, 2024Ravie LakshmananMalware / Cryptocurrency

Cybersecurity researchers have discovered a new macOS malware called TodoSwift that they say shares similarities with known malicious software used by North Korean hacking groups.

“This application shares several similarities with malware we have seen originating from North Korea (DPRK), specifically the threat actor BlueNoroff, such as KANDYKORN and RustBucket,” said Christopher Lopez, security researcher at Kandji, in an analysis.

RustBucket, which first surfaced in July 2023, points to an AppleScript-based backdoor that can retrieve next-stage payloads from a command-and-control (C2) server.

Late last year, Elastic Security Labs also discovered another macOS malware called KANDYKORN, which was used in a cyberattack targeting blockchain engineers at an unnamed cryptocurrency exchange.

Delivered via a sophisticated multi-stage infection chain, KANDYKORN possesses capabilities to access and exfiltrate data from a victim’s computer. It is also designed to terminate arbitrary processes and execute commands on the host.

A common feature that connects the two malware families lies in the use of linkpc(.)net domains for C2 purposes. Both RustBucket and KANDYKORN are assessed as the work of a hacking team called the Lazarus Group (and its subcluster known as BlueNoroff).

“The DPRK, through entities such as the Lazarus Group, continues to target crypto companies with the aim of stealing cryptocurrencies to circumvent international sanctions that hinder the growth of their economy and ambitions,” Elastic said at the time.

“In this breach, they targeted blockchain engineers active on a public chat server, with a bait and switch that targeted their skills and interests, with the underlying promise of financial gain.”

The latest findings from Apple’s device management and security platform reveal that TodoSwift is distributed in the form of a TodoTasks, which consists of a dropper component.

This module is a GUI application written in SwiftUI that is designed to display a malware-laden PDF document to the victim, while stealthily downloading and executing a second-stage binary. This technique is also used in RustBucket.

The lure PDF is a harmless Bitcoin-related document hosted on Google Drive, while the malicious payload is fetched from an actor-controlled domain (“buy2x(.)com”). Further investigation into the exact details of the binary is ongoing.

“The use of a Google Drive URL and passing the C2 URL as a launch argument to the Stage 2 binary is consistent with previous DPRK malware that affected macOS systems,” Lopez said.