
TodoSwift Disguises Malware Download Behind Bitcoin PDF

· Published 19/08/2024 13:35 · Modified 19/08/2024 13:59


Essential information

Published
19/08/2024 13:35
Modified
19/08/2024 13:59
Tags
2024-08-19 cryptocurrency dropper kandykorn macos rustbucket todoswift
Related entities
7 observables, 1 intrusion sets (apt), 9 techniques (mitre), 3 malware

Description

This report details a threat actor, likely originating from North Korea, that employs a malicious application written in Swift/SwiftUI. The dropper presents the user with a seemingly legitimate Bitcoin pricing PDF while simultaneously downloading and executing a malicious payload. Its tactics, such as staging files behind Google Drive URLs and passing command-and-control URLs as launch arguments, align with previous campaigns attributed to the DPRK-linked BlueNoroff group. The binary uses NSTask objects to launch curl, download files, and ultimately deploy a second-stage payload.
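The behaviour above (an app bundle spawning curl against a Google Drive URL, and the app itself being launched with a URL in its arguments) translates directly into a process-telemetry hunt. The following is an added example written for this page, not code from the report or from the malware; the newline-delimited JSON event format and the field names (pid, exe, parent_exe, args) are constructed for the example and are not a real EDR schema, and the hosts and paths in the sample events are placeholders, not observables from the report.

```python
"""Hunt for the TodoSwift-style dropper pattern in macOS process-exec telemetry.

Added example, not from the original report. Flags (1) a curl child whose
parent is an application bundle, especially when the URL points at Google
Drive, and (2) an application bundle launched with a URL in its argv, the
"C2 URL passed as launch argument" behaviour the report describes. The event
schema and sample data below are constructed for this example only.
"""
import json
import re
from urllib.parse import urlparse

# Google Drive hosts commonly used to stage payloads (assumption for the example).
STAGING_HOSTS = {"drive.google.com", "docs.google.com", "drive.usercontent.google.com"}
APP_BUNDLE_RE = re.compile(r"\.app/Contents/MacOS/[^/]+$")
URL_RE = re.compile(r"https?://\S+")


def is_app_bundle_exe(path):
    """True when the executable lives inside an .app bundle's MacOS directory."""
    return bool(APP_BUNDLE_RE.search(path or ""))


def url_hosts(args):
    """Extract lower-cased hostnames from any URL found in the argv list."""
    hosts = []
    for arg in args:
        for url in URL_RE.findall(arg):
            host = urlparse(url).hostname
            if host:
                hosts.append(host.lower())
    return hosts


def classify(event):
    """Return a list of finding names for one process-exec event."""
    findings = []
    exe = event.get("exe", "")
    args = event.get("args", [])
    parent = event.get("parent_exe", "")
    base = exe.rsplit("/", 1)[-1]
    hosts = url_hosts(args)

    if base == "curl" and is_app_bundle_exe(parent):
        # A GUI app shelling out to curl is already unusual; a Google Drive
        # download target matches the staging technique in the report.
        if any(h in STAGING_HOSTS for h in hosts):
            findings.append("app_bundle_curl_google_drive")
        else:
            findings.append("app_bundle_curl")
        # curl writing a file is the precondition for executing a second stage.
        if any(flag in args for flag in ("-o", "-O", "--output")):
            findings.append("curl_writes_file")

    if is_app_bundle_exe(exe) and hosts:
        findings.append("app_launched_with_url_argument")
    return findings


def hunt(lines):
    """Run classify over NDJSON event lines; return {pid: [findings]} for hits."""
    results = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        found = classify(event)
        if found:
            results[event["pid"]] = found
    return results


# Constructed sample telemetry for this example (placeholder hosts and paths).
SAMPLE_EVENTS = """
{"pid": 501, "exe": "/Applications/Example.app/Contents/MacOS/Example", "parent_exe": "/sbin/launchd", "args": ["/Applications/Example.app/Contents/MacOS/Example", "https://c2.example.invalid/path"]}
{"pid": 502, "exe": "/usr/bin/curl", "parent_exe": "/Applications/Example.app/Contents/MacOS/Example", "args": ["curl", "-L", "-o", "/tmp/update", "https://drive.google.com/uc?export=download&id=FILEID"]}
{"pid": 503, "exe": "/usr/bin/curl", "parent_exe": "/bin/zsh", "args": ["curl", "https://example.com/"]}
{"pid": 504, "exe": "/usr/bin/curl", "parent_exe": "/Applications/Other.app/Contents/MacOS/Other", "args": ["curl", "https://updates.example.com/check"]}
""".splitlines()

if __name__ == "__main__":
    for pid, findings in hunt(SAMPLE_EVENTS).items():
        print(pid, findings)
```

The plain app_bundle_curl finding will fire on legitimate updaters, so treat it as a lead for stacking with the Google Drive and URL-argument findings rather than as an alert on its own; the Google Drive host list is an assumption and should be extended with whatever staging hosts your own intelligence supports.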

External references