TodoSwift Disguises Malware Download Behind Bitcoin PDF

Aug. 19, 2024, 1:59 p.m.

Description

This report details a macOS threat actor likely originating from North Korea that employs a dropper application written in Swift/SwiftUI. The dropper presents the user with a seemingly legitimate Bitcoin pricing PDF while simultaneously downloading and executing a malicious payload. The malware's tactics, such as using Google Drive URLs and passing command-and-control URLs as launch arguments, align with previous campaigns attributed to the DPRK-linked BlueNoroff group. The binary leverages NSTask objects to launch curl commands, download files, and ultimately deploy a second-stage payload.

External References

https://www.kandji.io/blog/todoswift-disguises-malware-download-behind-bitcoin-pdf
https://otx.alienvault.com/pulse/66c34a0a0063bb52925acf43
Tags
cryptocurrency
macos
dropper
2024-08-19
rustbucket
kandykorn
todoswift

Date

  • Created: Aug. 19, 2024, 1:35 p.m.
  • Published: Aug. 19, 2024, 1:35 p.m.
  • Modified: Aug. 19, 2024, 1:59 p.m.

Indicators

  • f1b3ce96462027644f9caa314d3da745dab139ee1cb14fe508234e76bd686f93
  • e09d2277a19dddd751edb164bde064682a6acc41a7ee178a2dacd4f9ac357fc7
  • c52e3e73d7870bf8edc1b9ae52b26c08ef2466f948ef3446b2c865fd53d859dd
  • a55029c963ff454e42483b9b6f0293dc546e06b2fb71e6ebaa4c6f146a9906a3
  • 9b839e9169babff1d14468d9f8497c165931dc65d5ff1f4b547925ff924c43fe
  • 9623c98f7338d56b07b35cd379e31e685e32a9c5317d7bc4af5276916cef4ed3
  • buy2x.com
Download all indicators here!

Attack Patterns

  • TodoSwift
  • KandyKorn
  • RustBucket
  • BlueNoroff