Cybersecurity researchers have uncovered a new macOS malware strain dubbed TodoSwift that they say exhibits commonalities with known malicious software used by North Korean hacking groups.
"This application shares several behaviors with malware we've seen that originated in North Korea (DPRK) — specifically the threat actor known as BlueNoroff — such as KANDYKORN and RustBucket," Kandji security researcher Christopher Lopez said in an analysis.
RustBucket, which first came to light in July 2023, refers to an AppleScript-based backdoor that is capable of fetching next-stage payloads from a command-and-control (C2) server.
Late last year, Elastic Security Labs also uncovered another macOS malware tracked as KANDYKORN that was deployed in connection with a cyber attack targeting blockchain engineers of an unnamed cryptocurrency exchange platform.
Delivered by means of a sophisticated multi-stage infection chain, KANDYKORN possesses capabilities to access and exfiltrate data from a victim's computer. It is also designed to terminate arbitrary processes and execute commands on the host.
A common trait that connects the two malware families lies in the use of linkpc[.]net domains for C2 purposes. Both RustBucket and KANDYKORN are assessed to be the work of a hacking crew known as the Lazarus Group (and its sub-cluster called BlueNoroff).
"The DPRK, via units like the Lazarus Group, continues to target crypto-industry businesses with the goal of stealing cryptocurrency in order to circumvent international sanctions that hinder the growth of their economy and ambitions," Elastic said at the time.
"In this intrusion, they targeted blockchain engineers active on a public chat server with a lure designed to speak to their skills and interests, with the underlying promise of financial gain."
The latest findings from the Apple device management and security platform show that TodoSwift is distributed in the form of a signed file named TodoTasks, which consists of a dropper component.
This module is a GUI application written in SwiftUI that is engineered to display a weaponized PDF document to the victim, while covertly downloading and executing a second-stage binary, a technique employed in RustBucket as well.
The lure PDF is a harmless Bitcoin-related document hosted on Google Drive, while the malicious payload is retrieved from an actor-controlled domain ("buy2x[.]com"). Further investigation into the exact specifics of the binary remains ongoing.
"The use of a Google Drive URL and passing the C2 URL as a launch argument to the stage 2 binary is consistent with previous DPRK malware affecting macOS systems," Lopez said.
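The dropper behaviour described above (a GUI app that fetches a harmless decoy from Google Drive, pulls a second-stage binary from a different domain, and launches it with the C2 URL on its command line) lends itself to a simple hunting heuristic. The following Python is an added example written for this page, not code from Kandji or from the article; it assumes process and network telemetry has already been normalised into the two record shapes shown (real EDR or Endpoint Security output will need mapping), and every path, PID and benign app in the sample data is constructed for illustration. Only the decoy hosts and the defanged "buy2x[.]com" domain come from the text; the TodoTasks.app bundle path is an assumption.

```python
# Added example (not from Kandji or the article): a hunting heuristic for the
# decoy-plus-stage-2 dropper pattern described above. Assumptions: events are
# pre-normalised into ProcEvent/NetEvent records; all paths, PIDs and hosts in
# the sample telemetry are constructed, except the Google Drive decoy hosts and
# the defanged actor domain taken from the article.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hosts that serve the harmless lure document rather than the payload.
DECOY_HOSTS = {"drive.google.com", "docs.google.com"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    path: str
    argv: List[str]
    is_app_bundle: bool  # executable lives inside a .app bundle (GUI app)


@dataclass
class NetEvent:
    pid: int
    host: str  # destination host contacted by that process


def url_args(argv: List[str]) -> List[str]:
    """Return the http(s) URLs on a command line. A plain prefix match is used
    (not urllib.parse) so defanged hosts such as buy2x[.]com in sample data
    are still recognised."""
    return [a for a in argv if a.startswith(("http://", "https://"))]


def find_suspicious_chains(procs: List[ProcEvent],
                           nets: List[NetEvent]) -> List[Tuple[str, str, str]]:
    """Return (parent_path, child_path, url) for every child process whose
    parent is a GUI app that contacted both a decoy host and a non-decoy host,
    and which was launched with a URL argument. Each condition alone is common
    on a developer workstation; the combination is what the article describes,
    so all three are required."""
    by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}
    hosts_by_pid: Dict[int, Set[str]] = {}
    for n in nets:
        hosts_by_pid.setdefault(n.pid, set()).add(n.host)

    hits: List[Tuple[str, str, str]] = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None or not parent.is_app_bundle:
            continue
        urls = url_args(child.argv)
        if not urls:
            continue
        hosts = hosts_by_pid.get(parent.pid, set())
        if hosts & DECOY_HOSTS and hosts - DECOY_HOSTS:
            hits.append((parent.path, child.path, urls[0]))
    return hits


# Constructed sample telemetry (hypothetical paths and PIDs).
SAMPLE_PROCS = [
    ProcEvent(100, 1, "/sbin/launchd", ["launchd"], False),
    # Dropper app (assumed bundle path) and the stage-2 binary it launches
    # with the C2 URL as its argument.
    ProcEvent(501, 100, "/Applications/TodoTasks.app/Contents/MacOS/TodoTasks",
              ["TodoTasks"], True),
    ProcEvent(502, 501, "/Users/victim/Library/Caches/stage2",
              ["stage2", "https://buy2x[.]com/"], False),
    # Benign: a hypothetical viewer app that only talks to Google Docs and
    # hands a URL to a helper. No second host, so it is not flagged.
    ProcEvent(601, 100, "/Applications/Viewer.app/Contents/MacOS/Viewer",
              ["Viewer"], True),
    ProcEvent(602, 601, "/usr/bin/open", ["open", "https://docs.google.com/x"], False),
    # Benign: curl from a shell. URL argument, but the parent is not a GUI app.
    ProcEvent(700, 100, "/bin/zsh", ["zsh"], False),
    ProcEvent(701, 700, "/usr/bin/curl", ["curl", "https://example.com"], False),
]
SAMPLE_NETS = [
    NetEvent(501, "drive.google.com"),
    NetEvent(501, "buy2x[.]com"),
    NetEvent(601, "docs.google.com"),
    NetEvent(701, "example.com"),
]

if __name__ == "__main__":
    for parent, child, url in find_suspicious_chains(SAMPLE_PROCS, SAMPLE_NETS):
        print(f"suspicious chain: {parent} -> {child} ({url})")
```

On the sample data only the TodoTasks chain is reported. The heuristic deliberately keys on the combination of behaviours rather than on the single domain from the article, since the actor-controlled host is trivially rotated while the decoy-then-payload-then-URL-argument sequence is the part that has been reused across the DPRK macOS families mentioned above.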