A new macOS malware strain named TodoSwift has been discovered [1] [2] [3] [4], with connections to North Korean hacking groups BlueNoroff and Lazarus Group.
Description
Like the known malware strains KANDYKORN and RustBucket, TodoSwift is distributed as a signed file called TodoTasks [1] [3]. It contains a dropper component that downloads and executes a second-stage binary [1] [3] [4]. TodoSwift uses a Google Drive URL to host a lure PDF document and retrieves the malicious payload from the domain buy2x[.]com [3]. Like KANDYKORN [1] [2] [3] [4], TodoSwift passes the C2 URL as a launch argument to the second-stage binary [2] [6], a technique consistent with previous DPRK macOS malware [1] [3] [4] [5]. Security researchers have linked TodoSwift to the BlueNoroff group and to the malware families KANDYKORN [1] [2] [3] [4] [5] [6] and RustBucket [1] [2] [3] [4] [5] [6], indicating a connection to the Lazarus Group.
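As an added illustration, not taken from the write-up or any of its sources, the following Python rule flags process-execution events that match the behaviour described above: a binary launched with a URL as a launch argument by a parent named after the lure app, or with an argument that references the C2 domain. The event format and the sample events are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Indicator taken from the write-up, kept defanged in the rule and refanged only at match time.
KNOWN_C2_DOMAINS_DEFANGED = {"buy2x[.]com"}
# Name of the signed lure application described in the write-up.
LURE_APP_NAMES = {"TodoTasks"}
URL_RE = re.compile(r"^https?://", re.IGNORECASE)

def refang(domain: str) -> str:
    return domain.replace("[.]", ".")

def url_args(argv):
    """Return every argument after argv[0] that looks like an http(s) URL."""
    return [a for a in argv[1:] if URL_RE.match(a)]

def evaluate_event(event):
    """Return the reasons one process-execution event is suspicious (empty list if none)."""
    urls = url_args(event["argv"])
    if not urls:
        return []
    reasons = []
    parent_name = event["parent"].rsplit("/", 1)[-1]
    if parent_name in LURE_APP_NAMES:
        reasons.append(f"URL passed as launch argument by lure app {parent_name}")
    c2_hosts = {refang(d) for d in KNOWN_C2_DOMAINS_DEFANGED}
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host in c2_hosts:
            reasons.append(f"launch argument references known C2 domain {host}")
    if not reasons and event["argv"][0].startswith("/Users/"):
        # Weaker signal worth a look: a binary in a user-writable location handed a URL at launch.
        reasons.append("hunting lead: user-writable binary launched with a URL argument")
    return reasons

def scan(events):
    """Run the rule over a batch of events and return (executable, reason) pairs."""
    return [(e["argv"][0], r) for e in events for r in evaluate_event(e)]

# Constructed sample events (hypothetical telemetry, not real data); the URL path is a placeholder.
SAMPLE_EVENTS = [
    {"parent": "/Applications/TodoTasks.app/Contents/MacOS/TodoTasks",
     "argv": ["/Users/alice/Library/Caches/stage2", "https://buy2x.com/placeholder"]},
    {"parent": "/bin/zsh", "argv": ["/usr/bin/curl", "-O", "https://example.com/file.txt"]},
    {"parent": "/usr/libexec/launchd", "argv": ["/Users/alice/bin/tool", "https://example.org/"]},
    {"parent": "/Applications/Safari.app/Contents/MacOS/Safari", "argv": ["/usr/bin/open", "-a", "Preview"]},
]
FINDINGS = scan(SAMPLE_EVENTS)
```

The first sample event produces two findings (lure-app parent and C2 domain), the third produces only the weaker hunting lead, and the curl and Safari events produce none.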
Conclusion
Users are advised to remove the TodoTasks tool and conduct a security scan on their devices to mitigate the risks associated with TodoSwift. The discovery of this malware strain highlights the ongoing threat posed by North Korean hacking groups and the importance of staying vigilant against cyber threats.
References
[1] https://vulners.com/thn/THN:324DCD94216A94F9F7D172CDFA50DCE7
[2] https://cyber.vumetric.com/security-news/2024/08/21/new-macos-malware-todoswift-linked-to-north-korean-hacking-groups/
[3] https://thehackernews.com/2024/08/new-macos-malware-todoswift-linked-to.html
[4] https://f5.pm/go-257372.html
[5] https://islainformatica.com/el-nuevo-malware-todoswift-para-macos-esta-vinculado-a-grupos-de-piratas-informaticos-de-corea-del-norte/
[6] https://tecmania.com.br/novo-malware-macos-todoswift-vinculado-a-grupos-de-hackers-norte-coreanos/