North Korean Cyber Tactics: TodoSwift Targets macOS Users
Cybersecurity researchers have uncovered a new macOS malware named TodoSwift, which they believe shares characteristics with known malware used by North Korean hacker groups.
Christopher Lopez, a security researcher at Kandji, notes that the TodoSwift application exhibits clear similarities to other malware, such as KANDYKORN and RustBucket, which are associated with the activities of the North Korean hacker group BlueNoroff, a subdivision of the infamous Lazarus Group.
RustBucket, first identified by experts from Elastic Security Labs in July 2023, is an AppleScript-based backdoor capable of downloading additional malicious components from a command-and-control (C2) server. In November of the same year, researchers discovered another macOS malware named KANDYKORN, which was used in a cyberattack targeting blockchain engineers.
KANDYKORN, disseminated through a sophisticated multi-stage infection chain, has the ability to access and exfiltrate data from the victim’s computer, terminate arbitrary processes, and execute commands on the compromised device.
A common thread linking these two pieces of malware is the use of the “linkpc[.]net” domains for their C2 servers. Experts believe both malicious programs are the work of the Lazarus Group and its BlueNoroff subdivision.
North Korea, through units such as the Lazarus Group, continues to deliberately target companies in the cryptocurrency industry to steal digital currencies, thereby circumventing the international sanctions that constrain its economy, Elastic noted.
New data provided by Kandji reveals that TodoSwift is distributed as a signed file named TodoTasks, which includes a loader component. This graphical application, written in SwiftUI, is designed to display a PDF document while covertly downloading and executing a secondary malicious component, closely mirroring the technique used in RustBucket.
The PDF file used to lure victims is an innocuous Bitcoin document hosted on Google Drive, while the malicious payload is downloaded from a domain controlled by the attackers. This malware is intended to collect system information and launch additional malicious software.
Upon installation, TodoSwift gathers data about the device, including the operating system version and hardware model, and communicates with the C2 server via an API, also writing data to an executable file on the device.
The use of a Google Drive URL and the transmission of the C2 server URL as a launch argument for the second stage of the malware aligns with previous North Korean hacker attacks on macOS systems.
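The two behaviours the article describes as recurring across these campaigns, a C2 host under the linkpc[.]net domain family and a C2 URL handed to the second stage as a launch argument, can be turned into a simple detection over process-execution telemetry. The code below is an added example, not Kandji's or Elastic's tooling; the event schema (`pid`, `parent`, `path`, `args`) and the sample records are constructed for illustration.

```python
"""Flag process launches that hand a URL to a second-stage binary (added example)."""
from urllib.parse import urlparse

# Domain family the article ties to RustBucket/KANDYKORN C2 (defanged on the page as linkpc[.]net).
SUSPICIOUS_C2_SUFFIXES = ("linkpc.net",)

# Constructed sample telemetry (not real logs): one record per process exec.
# Field names are an assumption of this example, not a real sensor's schema.
SAMPLE_EVENTS = [
    {"pid": 501, "parent": "/Applications/TodoTasks.app/Contents/MacOS/TodoTasks",
     "path": "/Users/dev/Library/Caches/.td",
     "args": ["/Users/dev/Library/Caches/.td", "https://abc.linkpc.net/api/v1"]},
    {"pid": 502, "parent": "/usr/bin/login", "path": "/usr/bin/curl",
     "args": ["curl", "https://example.com/file"]},
    {"pid": 503, "parent": "/Applications/Safari.app/Contents/MacOS/Safari", "path": "/usr/bin/open",
     "args": ["open", "https://drive.google.com/file/d/x/view"]},
]


def host_matches(host, suffixes):
    """True if host equals a suffix or is a subdomain of it (so notlinkpc.net does not match)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def url_args(event):
    """Return the launch arguments that parse as http(s) URLs with a hostname."""
    urls = []
    for arg in event["args"]:
        parsed = urlparse(arg)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            urls.append(parsed)
    return urls


def analyze_event(event):
    """Return the reasons a launch looks like a staged C2 handoff, or [] if none apply."""
    reasons = []
    urls = url_args(event)
    for parsed in urls:
        if host_matches(parsed.hostname, SUSPICIOUS_C2_SUFFIXES):
            reasons.append(f"URL argument on known C2 domain family: {parsed.hostname}")
    # Second-stage pattern from the article: a binary dropped in a user-writable location
    # (not a system path or an installed app bundle) is started with a URL as its argument.
    if urls and event["path"].startswith("/Users/"):
        reasons.append("user-writable binary launched with URL argument")
    return reasons


def scan(events):
    """Map pid -> reasons for every event that triggered at least one rule."""
    return {e["pid"]: analyze_event(e) for e in events if analyze_event(e)}
```

Host matching is done on the parsed hostname rather than by substring so that a benign domain merely containing the string is not flagged; the user-writable-path rule is a heuristic that will need tuning against an estate's legitimate developer tooling.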
This incident underscores the need for constant vigilance in the digital world. Cybercriminals are continuously refining their methods, employing sophisticated techniques and disguising malware as benign applications.
Users and organizations should critically evaluate any new software, regularly update security systems, and conduct cybersecurity training. Only a comprehensive approach to protection can effectively counter the growing threats in today’s technological landscape.