TodoSwift Disguises Malware Download Behind Bitcoin PDF
Essential information
- Published: 19/08/2024 13:35
- Modified: 19/08/2024 13:59
- Tags: 2024-08-19, cryptocurrency, dropper, kandykorn, macos, rustbucket, todoswift
- Related entities: 7 observables, 1 intrusion set (APT), 9 techniques (MITRE), 3 malware
Description
This report details a macOS threat actor likely originating from North Korea that employs a dropper application written in Swift/SwiftUI. The dropper presents the user with a seemingly legitimate Bitcoin pricing PDF while simultaneously downloading and executing a malicious payload. The malware's tactics, such as using Google Drive URLs and passing command-and-control URLs as launch arguments, align with previous campaigns attributed to the DPRK-linked BlueNoroff group. The binary leverages NSTask objects to launch curl commands, download files, and ultimately deploy a second-stage payload.