Cybersecurity researchers have uncovered a new macOS malware strain dubbed TodoSwift that they say exhibits commonalities with known malicious software used by North Korean hacking groups.
“This application shares several behaviors with malware we’ve seen that originated in North Korea (DPRK) — specifically the threat actor known as BlueNoroff — such as KANDYKORN and RustBucket,” Kandji security researcher Christopher Lopez said in an analysis.
RustBucket, which first came to light in July 2023, refers to an AppleScript-based backdoor that is capable of fetching next-stage payloads from a command-and-control (C2) server.
Late last year, Elastic Security Labs also uncovered another macOS malware tracked as KANDYKORN that was deployed in connection with a cyber attack targeting blockchain engineers of an unnamed cryptocurrency exchange platform.
Delivered via a sophisticated multi-stage infection chain, KANDYKORN possesses capabilities to access and exfiltrate data from a victim’s computer. It is also designed to terminate arbitrary processes and execute commands on the host.
A common trait that connects the two malware families lies in the use of linkpc[.]net domains for C2 purposes. Both RustBucket and KANDYKORN are assessed to be the work of a hacking crew referred to as the Lazarus Group (and its sub-cluster referred to as BlueNoroff).
“The DPRK, via units like the Lazarus Group, continues to target crypto-industry businesses with the goal of stealing cryptocurrency in order to circumvent international sanctions that hinder the growth of their economy and ambitions,” Elastic said at the time.
“In this intrusion, they targeted blockchain engineers active on a public chat server with a lure designed to speak to their skills and interests, with the underlying promise of financial gain.”
The latest findings from the Apple device management and security platform show that TodoSwift is distributed as TodoTasks, which consists of a dropper component.
This module is a GUI application written in SwiftUI that is engineered to display a weaponized PDF document to the victim, while covertly downloading and executing a second-stage binary, a technique employed in RustBucket as well.
The lure PDF is a harmless Bitcoin-related document hosted on Google Drive, while the malicious payload is retrieved from an actor-controlled domain (“buy2x[.]com”). Further investigation into the exact specifics of the binary remains ongoing.
“The use of a Google Drive URL and passing the C2 URL as a launch argument to the stage 2 binary is consistent with previous DPRK malware affecting macOS systems,” Lopez said.
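The two traits the article singles out, a GUI app bundle launching a child process with the C2 URL as a launch argument, and C2 traffic to linkpc[.]net subdomains or buy2x[.]com, can both be turned into detection logic. The script below is an added example written for this page, not code from Kandji or Elastic. It runs over constructed process and DNS events; the `key=value` event format, the field names (`type`, `parent`, `path`, `argv`, `query`) and every sample value other than the two indicator domains from the article are assumptions made for the example.

```python
"""Flag TodoSwift-style behaviours described in the article over sample events.

Rule 1: a process whose parent is an .app bundle is started with an http(s)
        URL in its argument list (C2 URL passed as a launch argument).
Rule 2: a DNS query or URL host matches an indicator domain from the article
        (buy2x.com, or any linkpc.net subdomain).
The event schema below is an assumption for this example, not an EDR format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Domains named in the article. The linkpc.net subdomain used by the malware is
# not given, so any subdomain of linkpc.net is treated as an indicator here.
INDICATOR_DOMAINS = {"buy2x.com"}
INDICATOR_SUFFIXES = (".linkpc.net",)

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)\S*", re.IGNORECASE)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    rule: str
    detail: str


def domain_is_indicator(host: str) -> bool:
    """True if host is, or is a subdomain of, a domain from the article."""
    host = host.lower().rstrip(".")
    return host in INDICATOR_DOMAINS or host.endswith(INDICATOR_SUFFIXES)


def parse_event(line: str) -> dict[str, str]:
    """Parse one 'key=value' event line; values may be double-quoted."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def check_event(line: str) -> list[Finding]:
    ev = parse_event(line)
    findings: list[Finding] = []
    if ev.get("type") == "exec":
        # Parent inside an app bundle: the dropper is a GUI app (SwiftUI).
        parent_is_app = ".app/Contents/MacOS/" in ev.get("parent", "")
        for m in URL_RE.finditer(ev.get("argv", "")):
            if parent_is_app:
                findings.append(Finding(
                    "url_as_launch_arg",
                    f"{ev.get('parent')} -> {ev.get('path')} {m.group(0)}"))
            if domain_is_indicator(m.group(1)):
                findings.append(Finding("indicator_domain", m.group(1)))
    elif ev.get("type") == "dns":
        query = ev.get("query", "")
        if domain_is_indicator(query):
            findings.append(Finding("indicator_domain", query))
    return findings


def scan(lines: list[str]) -> list[Finding]:
    """Run every rule over every event line and collect the findings."""
    return [f for line in lines for f in check_event(line)]


# Constructed sample events (paths, process names and the linkpc subdomain are
# invented for this example; only the two indicator domains come from the article).
SAMPLE_EVENTS = [
    'type=exec parent="/Applications/TodoTasks.app/Contents/MacOS/TodoTasks" '
    'path="/Users/demo/Library/Caches/stage2" '
    'argv="/Users/demo/Library/Caches/stage2 https://buy2x.com/"',
    'type=dns query="example-host.linkpc.net"',
    # Benign: a shell child of login fetching a normal site, not an app-bundle parent.
    'type=exec parent="/usr/bin/login" path="/usr/bin/curl" '
    'argv="curl https://www.apple.com/"',
    # Google Drive hosts the lure PDF but is legitimate infrastructure; no alert.
    'type=dns query="drive.google.com"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

Rule 1 is a lead rather than a verdict: legitimate apps also hand URLs to helper processes, so in practice it is paired with the indicator match, a code-signing check on the child binary, or a write to a user-writable cache path as in the first sample event. The Google Drive lookup is deliberately not flagged; the article notes only that the lure PDF is hosted there.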