Meet TodoSwift, a malicious application that masquerades as a PDF downloader. Crafted by the BlueNoroff threat group, TodoSwift leverages Apple’s Swift/SwiftUI to present a decoy PDF on Bitcoin while stealthily downloading a malevolent payload. Don’t be deceived! Stay informed about this cunning malware.
A new wave of malware and security vulnerabilities targeting macOS users has been discovered, this time disguised as a seemingly harmless, downloadable Bitcoin PDF. Researchers at Kandji have identified the malware, which they dubbed TodoSwift as it is written in Swift/SwiftUI.
Kandji’s report reveals that the malware is hidden in a file named TodoTasks, which was uploaded to VirusTotal on July 24th, 2024.
Further probing revealed that TodoTasks leverages a GUI application written in Swift/SwiftUI to disguise its malicious intent. The application presents itself as a tool for downloading and displaying PDFs. However, beneath the surface, TodoTasks employs a more nefarious purpose.
In reality, the malware secretly downloads and executes a secondary malicious program. This two-step approach makes it more challenging to detect, as the initial application may appear legitimate.
It all starts with creating a window controller object through the makeWindowControllers method, which is used to execute the malware’s malicious behaviour. The dropper then invokes a PDF presentation function, which retrieves two URLs from memory: one pointing to a Google Drive link and the other, suspected to be malicious.
The buildCurlCommand uses the callToCurl function to download the content, a PDF file called “Bitcoin Price Prediction Using Machine Learning.” The PDF appears harmless but serves as a decoy to distract the user. After presenting the PDF, the buildCurlCommand executes another curl command, likely triggering the download of the malicious payload from the second URL.
Researchers have attributed the malware to the North Korean threat actor group BlueNoroff based on similarities to previously observed malware, KandyKorn and RustBucket.
BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus and is known for its persistent targeting of financial institutions, cryptocurrency exchanges, and government entities. Lately, BlueNoroff has demonstrated a sophisticated capability to evade detection and execute complex cyberattacks.
In 2019, the US Treasury imposed sanctions on three North Korean cyber groups, Lazarus, Bluenoroff, and Andariel, for their cyber activities on critical infrastructure, alleging support for illicit weapon and missile programs. However, the group remains a persistent threat.
If you suspect you may have downloaded TodoSwift or similar malware, it’s recommended to run a comprehensive security scan on your device using a reputable antivirus program. Additionally, consider staying informed and practising safe browsing habits.
