Sunday, February 23, 2025

New macOS Malware TodoSwift Connected to North Korean Hacking Teams

Cybersecurity researchers have uncovered a new macOS malware strain dubbed TodoSwift that they say exhibits commonalities with known malicious software used by North Korean hacking groups.

“This application shares several behaviors with malware we have observed that originated in North Korea (DPRK) — specifically the threat actor known as BlueNoroff — such as KANDYKORN and RustBucket,” Kandji security researcher Christopher Lopez said in an analysis.

RustBucket, which first came to light in July 2023, refers to an AppleScript-based backdoor that is capable of fetching next-stage payloads from a command-and-control (C2) server.

Late last year, Elastic Security Labs also uncovered another macOS malware tracked as KANDYKORN that was deployed in connection with a cyber attack targeting blockchain engineers of an unnamed cryptocurrency exchange platform.

Delivered via a sophisticated multi-stage infection chain, KANDYKORN possesses capabilities to access and exfiltrate data from a victim’s computer. It is also designed to terminate arbitrary processes and execute commands on the host.

A common trait that connects the two malware families lies in the use of linkpc[.]net domains for C2 purposes. Both RustBucket and KANDYKORN are assessed to be the work of a hacking group known as the Lazarus Group (and its sub-cluster known as BlueNoroff).

“The DPRK, via units like the Lazarus Group, continues to target crypto-industry businesses with the aim of stealing cryptocurrency in order to circumvent international sanctions that hinder the growth of their economy and ambitions,” Elastic said at the time.

“In this intrusion, they targeted blockchain engineers active on a public chat server with a lure designed to speak to their skills and interests, with the underlying promise of financial gain.”

The latest findings from the Apple device management and security platform show that TodoSwift is distributed in the form of a signed file named TodoTasks, which consists of a dropper component.

This module is a GUI application written in SwiftUI that is engineered to display a weaponized PDF document to the victim, while covertly downloading and executing a second-stage binary, a technique employed in RustBucket as well.

The lure PDF is a harmless Bitcoin-related document hosted on Google Drive, whereas the malicious payload is retrieved from an actor-controlled domain (“buy2x[.]com”). Further investigation into the exact specifics of the binary remains ongoing.

“The use of a Google Drive URL and passing the C2 URL as a launch argument to the stage 2 binary is consistent with previous DPRK malware affecting macOS systems,” Lopez said.
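The behaviours described above (a signed GUI dropper spawning a second-stage binary, the C2 URL handed over as a launch argument, and C2 hosted under linkpc[.]net or the actor domain) translate directly into endpoint detection rules. The following script is an added example written for this page, not code from Kandji or Elastic; the event schema (`proc`, `argv`, `parent`, `dest`), the rule names and the sample telemetry are all constructed assumptions, and the indicator values come from the report.

```python
from urllib.parse import urlparse

# Indicators named in the report: the actor-controlled payload host, and the
# linkpc[.]net dynamic-DNS namespace RustBucket and KANDYKORN used for C2.
ACTOR_DOMAINS = {"buy2x.com"}
C2_DNS_SUFFIXES = (".linkpc.net",)
# System tools such as curl legitimately take URLs as arguments; rule 1 skips them.
SYSTEM_PREFIXES = ("/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/", "/System/")
# User-writable locations a dropper typically writes its second stage to.
DROP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/")

SAMPLE_EVENTS = [  # constructed telemetry for this demo, not data from the report
    {"proc": "/Applications/TodoTasks.app/Contents/MacOS/TodoTasks", "argv": ["TodoTasks"],
     "parent": "/sbin/launchd", "dest": "drive.google.com"},
    {"proc": "/Users/alice/Library/Caches/.todo/stage2", "argv": ["stage2", "https://buy2x.com/x"],
     "parent": "/Applications/TodoTasks.app/Contents/MacOS/TodoTasks", "dest": "buy2x.com"},
    {"proc": "/usr/bin/curl", "argv": ["curl", "https://example.org/report.pdf"],
     "parent": "/bin/zsh", "dest": "example.org"},
    {"proc": "/Applications/Safari.app/Contents/MacOS/Safari", "argv": ["Safari"],
     "parent": "/sbin/launchd", "dest": "api.linkpc.net"},
]

def _is_url(arg):
    p = urlparse(arg)
    return p.scheme in ("http", "https") and bool(p.netloc)

def _is_c2_host(host):
    host = host.lower().rstrip(".")
    return host in ACTOR_DOMAINS or host.endswith(C2_DNS_SUFFIXES)

def _is_drop_path(proc):
    return proc.startswith(DROP_PREFIXES) or "/Library/Caches/" in proc

def analyze_events(events):
    """Return (event index, rule name) pairs for every rule each event trips."""
    hits = []
    for i, ev in enumerate(events):
        proc, argv, parent = ev["proc"], ev["argv"], ev.get("parent", "")
        # Rule 1: URL handed to a non-system binary as a launch argument, the way the
        # report says the C2 URL is passed to the stage-2 binary.
        if not proc.startswith(SYSTEM_PREFIXES) and any(_is_url(a) for a in argv[1:]):
            hits.append((i, "url_as_launch_argument"))
        # Rule 2: outbound connection to the actor host or any linkpc.net subdomain.
        if ev.get("dest") and _is_c2_host(ev["dest"]):
            hits.append((i, "known_c2_namespace"))
        # Rule 3: GUI app bundle spawning a binary from a drop location (dropper shape).
        if ".app/Contents/MacOS/" in parent and _is_drop_path(proc):
            hits.append((i, "app_bundle_spawns_dropped_binary"))
    return hits
```

Run against the constructed events, the stage-2 process trips all three rules while the curl download and the decoy fetch from Google Drive produce no hits; on real telemetry, rule 3 needs tuning for developer tools that legitimately launch freshly built binaries.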
