TodoSwift Disguises Malware Download Behind Bitcoin PDF
Aug. 19, 2024, 1:59 p.m.
Description
This report details a macOS threat, likely originating from North Korea, that uses a dropper application written in Swift/SwiftUI. The dropper presents the user with a seemingly legitimate Bitcoin pricing PDF as a decoy while, in the background, downloading and executing a malicious payload. Its tactics, including the use of Google Drive URLs for hosting and the passing of command-and-control URLs to the payload as launch arguments, align with previous campaigns attributed to the DPRK-linked BlueNoroff group. The binary uses NSTask objects to launch curl commands that download the files and ultimately deploy a second-stage payload.
Tags
Date
- Created: Aug. 19, 2024, 1:35 p.m.
- Published: Aug. 19, 2024, 1:35 p.m.
- Modified: Aug. 19, 2024, 1:59 p.m.
Indicators
- f1b3ce96462027644f9caa314d3da745dab139ee1cb14fe508234e76bd686f93
- e09d2277a19dddd751edb164bde064682a6acc41a7ee178a2dacd4f9ac357fc7
- c52e3e73d7870bf8edc1b9ae52b26c08ef2466f948ef3446b2c865fd53d859dd
- a55029c963ff454e42483b9b6f0293dc546e06b2fb71e6ebaa4c6f146a9906a3
- 9b839e9169babff1d14468d9f8497c165931dc65d5ff1f4b547925ff924c43fe
- 9623c98f7338d56b07b35cd379e31e685e32a9c5317d7bc4af5276916cef4ed3
- buy2x.com