{
  "name": "TodoSwift Disguises Malware Download Behind Bitcoin PDF",
  "slug": "todoswift-disguises-malware-download-behind-bitcoin-pdf",
  "description": "This report details a macOS threat, likely originating from North Korea, that employs a dropper application written in Swift/SwiftUI. The dropper presents the user with a seemingly legitimate Bitcoin pricing PDF while simultaneously downloading and executing a malicious payload. The malware's tactics, such as using Google Drive URLs and passing command-and-control URLs as launch arguments, align with previous campaigns attributed to the DPRK-linked BlueNoroff group. The binary leverages NSTask objects to launch curl commands, download files, and ultimately deploy a second-stage payload.",
  "published": "2024-08-19T11:35:06+00:00",
  "created_at": "2024-08-19T11:35:06+00:00",
  "modified_at": "2024-08-19T11:59:51+00:00",
  "created_at_opencti": "2024-08-19T11:35:06+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-08-19",
    "cryptocurrency",
    "dropper",
    "kandykorn",
    "macos",
    "rustbucket",
    "todoswift"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "buy2x.com"
      },
      {
        "id": "",
        "name": "f1b3ce96462027644f9caa314d3da745dab139ee1cb14fe508234e76bd686f93"
      },
      {
        "id": "",
        "name": "e09d2277a19dddd751edb164bde064682a6acc41a7ee178a2dacd4f9ac357fc7"
      },
      {
        "id": "",
        "name": "c52e3e73d7870bf8edc1b9ae52b26c08ef2466f948ef3446b2c865fd53d859dd"
      },
      {
        "id": "",
        "name": "a55029c963ff454e42483b9b6f0293dc546e06b2fb71e6ebaa4c6f146a9906a3"
      },
      {
        "id": "",
        "name": "9b839e9169babff1d14468d9f8497c165931dc65d5ff1f4b547925ff924c43fe"
      },
      {
        "id": "",
        "name": "9623c98f7338d56b07b35cd379e31e685e32a9c5317d7bc4af5276916cef4ed3"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:91f72441e9f55aa4",
        "name": "TodoSwift",
        "slug": "todoswift"
      },
      {
        "id": "legacy:malware:036e53e0133a0fdf",
        "name": "KandyKorn",
        "slug": "kandykorn"
      },
      {
        "id": "legacy:malware:4981b257a58aecdf",
        "name": "RustBucket",
        "slug": "rustbucket"
      }
    ],
    "intrusion_sets": [
      {
        "id": "legacy:intrusion:3578bfbcb288da87",
        "name": "BlueNoroff",
        "slug": "bluenoroff"
      }
    ],
    "attack_patterns": [
      {
        "id": "cf17b23e-3eec-4719-afee-86f6eef708ab",
        "name": "T1024"
      },
      {
        "id": "6e4e21cc-92cf-4564-920e-d509bd22fd40",
        "name": "T1574"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://www.kandji.io/blog/todoswift-disguises-malware-download-behind-bitcoin-pdf",
    "https://otx.alienvault.com/pulse/66c34a0a0063bb52925acf43"
  ]
}