Aug 21, 2024
Ravie Lakshmanan
Malware / Cryptocurrency

Cybersecurity researchers have discovered a new macOS malware strain named TodoSwift that shares similarities with malicious software used by North Korean hacking groups.
According to Kandji security researcher Christopher Lopez, TodoSwift shows behaviors that align with known threats linked to North Korea’s BlueNoroff, such as KANDYKORN and RustBucket.
RustBucket, a backdoor identified in July 2023, is an AppleScript-based malware that can retrieve payloads from a command-and-control server.
Elastic Security Labs previously uncovered KANDYKORN, a macOS malware used in an attack on blockchain engineers of a cryptocurrency exchange.
Both KANDYKORN and RustBucket use linkpc[.]net domains for command and control, and both are believed to be the work of the Lazarus Group.
TodoSwift is distributed as a signed file named TodoTasks, containing a dropper component.

TodoSwift uses a GUI application to display a weaponized PDF document to victims while downloading and executing a second-stage binary.
The malware lures victims with a harmless Bitcoin-related PDF hosted on Google Drive and retrieves the malicious payload from “buy2x[.]com.”
According to Lopez, the use of Google Drive URLs and passing C2 URLs to binaries is consistent with previous DPRK macOS malware.
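The two observations above (a fixed payload host, buy2x[.]com, plus the pattern of a process fetching a Google Drive decoy and then reaching out elsewhere) translate directly into hunting logic. The following is an added example, not code from Kandji or from this article: it refangs the reported domains and matches them against a constructed network log, and it also flags the decoy-then-payload sequence, which survives a change of payload host. The log format, the sample lines, the five-minute window and the exclusion of google.com/apple.com as "benign" destinations are all assumptions made for the example.

```python
"""Hunt a simple network log for the TodoSwift-style pattern described above.

Two checks are implemented:
  1. indicator matching against the domains the report names (refanged first);
  2. a behavioural check: the same process contacts drive.google.com and then
     a non-Google, non-Apple domain within a short window.
"""
from datetime import datetime, timedelta

# Constructed sample log (not from the article): "timestamp host process domain".
SAMPLE_LOG = """\
2024-08-21T10:02:11Z mac-42 TodoTasks drive.google.com
2024-08-21T10:02:14Z mac-42 TodoTasks buy2x.com
2024-08-21T10:05:00Z mac-17 Safari www.apple.com
2024-08-21T10:06:30Z mac-17 curl update.linkpc.net
2024-08-21T10:07:00Z mac-99 Finder drive.google.com
"""

# Domains named in the article, written defanged as a report would give them.
REPORTED_IOCS = ["buy2x[.]com", "linkpc[.]net"]

# Assumed "expected" destinations for the behavioural check.
BENIGN_PARENTS = ("google.com", "apple.com")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-cased domain."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower()


def domain_matches(domain: str, ioc: str) -> bool:
    """Exact match or any subdomain of the indicator.

    linkpc[.]net is a dynamic-DNS parent, so subdomain matching is required."""
    domain = domain.lower().rstrip(".")
    return domain == ioc or domain.endswith("." + ioc)


def parse_line(line: str):
    """Split one log line into (timestamp, host, process, domain)."""
    ts, host, proc, domain = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, proc, domain.lower()


def find_ioc_hits(log_text: str, iocs=REPORTED_IOCS):
    """Return (host, process, domain, ioc) for every line matching a refanged IOC."""
    refanged = [refang(i) for i in iocs]
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, host, proc, domain = parse_line(line)
        for ioc in refanged:
            if domain_matches(domain, ioc):
                hits.append((host, proc, domain, ioc))
    return hits


def find_decoy_then_payload(log_text: str, window=timedelta(minutes=5)):
    """Return (host, process, decoy_domain, next_domain) for processes that fetch
    from drive.google.com and then contact a non-benign domain within `window`."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    flagged = []
    for i, (t0, host, proc, dom) in enumerate(events):
        if dom != "drive.google.com":
            continue
        for t1, h1, p1, d1 in events[i + 1:]:
            if t1 - t0 > window:
                break  # events are sorted, nothing later can be in the window
            same_process = (h1, p1) == (host, proc)
            benign = any(d1 == b or d1.endswith("." + b) for b in BENIGN_PARENTS)
            if same_process and not benign:
                flagged.append((host, proc, dom, d1))
                break
    return flagged


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print("IOC hit:", hit)
    for seq in find_decoy_then_payload(SAMPLE_LOG):
        print("decoy-then-payload:", seq)
```

The behavioural check deliberately ignores the indicator list, so it still fires on mac-42 even if the payload host changes; the indicator check still fires on mac-17 even though no decoy was seen there. Running both over real proxy or DNS telemetry gives two independent signals for the same campaign pattern.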