Analysis Summary

Cybersecurity researchers have identified a new macOS malware strain named TodoSwift, which shows similarities to malicious software linked to North Korean threat groups, particularly the Lazarus Group and its sub-cluster, BlueNoroff.

The malware shares behaviors with other known threats like KANDYKORN and RustBucket, previously attributed to these actors. RustBucket, discovered in July 2023, is an AppleScript-based backdoor capable of downloading additional payloads from a command-and-control (C2) server. Similarly, KANDYKORN, revealed in late 2023, was used to target blockchain engineers at a cryptocurrency exchange with abilities to exfiltrate data and execute arbitrary commands.

According to the researchers, the key connection between RustBucket and KANDYKORN is their use of the same domain for C2 operations, suggesting they originate from the same hacking group. The Lazarus Group and BlueNoroff are known for targeting cryptocurrency businesses to steal digital assets to evade international sanctions impacting North Korea's economy. The attack strategies involve sophisticated social engineering where victims are lured with promises of financial gain, exploiting their professional interests.

The newly discovered TodoSwift malware is distributed as a TodoTasks application, a GUI tool built with SwiftUI. It tricks the victim by displaying a benign PDF document related to Bitcoin, while secretly downloading and executing a second-stage binary, a tactic also used in RustBucket. This malicious payload is hosted on an actor-controlled domain buy2x[.]com and retrieved during the application's operation. The initial document is hosted on Google Drive, a method consistent with previous DPRK-associated malware.

Researchers note that the exact details of the second-stage binary are still under investigation, but the use of a Google Drive URL and the passing of the C2 URL as a launch argument are techniques previously observed in macOS malware linked to North Korean actors. This finding underscores the continued targeting of the crypto industry by DPRK-affiliated hackers, aiming to steal cryptocurrency as a means to bolster their nation's financial standing.

Impact

• Command Execution
• Data Exfiltration
• Cryptocurrency Theft
• Financial Loss

Indicators of Compromise

MD5

• c64143eeb1a62c6d1ac0742263c692d8
• 73e7de61c40241cc39ce84934c9e65f3
• 9607e95d635831a1e43e40c665b077b8
• d37a8ff8653a577b87a617877e797b96

SHA-256

• f1b3ce96462027644f9caa314d3da745dab139ee1cb14fe508234e76bd686f93
• 9623c98f7338d56b07b35cd379e31e685e32a9c5317d7bc4af5276916cef4ed3
• 9b839e9169babff1d14468d9f8497c165931dc65d5ff1f4b547925ff924c43fe
• c52e3e73d7870bf8edc1b9ae52b26c08ef2466f948ef3446b2c865fd53d859dd

SHA-1

• 67b2a61c7114c7110140d934399372338345f356
• c1a80bcd7283195eca0190dc3645b73482467ad4
• e17a10d05db73f77f69f74d5995d4023449f6980
• a1ac44621d57455f185ee5c1aa72a2cb3b659646

URL

• http://buy2x.com/OcMySY5QNkY/ABcTDInKWw/4SqSYtx+/EKfP7saoiP/BcA==
• https://drive.usercontent.google.com/download?id=1xflBpAVQrwIS3UQqynb8iEj6gaCIXczo

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
• Carefully check the URLs before entering credentials or downloading software.
• Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
• Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Never trust or open links and attachments received from unknown sources/senders.