Blockchain Engineers Find Themselves at the Epicenter of Hackers Interests.
Cybersecurity researchers have discovered a new macOS malware called TodoSwift, which they believe shares similarities with known malware used by hacker groups from North Korea.
As noted by Christopher Lopez, a security researcher at Kandji, the TodoSwift application shows clear similarities with other malware such as KANDYKORN and RustBucket, which are associated with the activity of the North Korean hacker group BlueNoroff, a division of the well-known Lazarus Group.
First identified by Elastic Security Labs in July 2023, RustBucket is an AppleScript-based backdoor capable of downloading additional malicious components from a command and control (C2) server. In November of the same year, researchers discovered another piece of macOS malware, KANDYKORN, which was used in a cyberattack on blockchain engineers.
Spread through a complex, multi-stage chain of infection, KANDYKORN has the ability to access and exfiltrate data from the victim's computer. It can terminate arbitrary processes and execute commands on the infected device.
A common feature connecting these two malware families is the use of "linkpc[.]net" for C2 servers. Both, according to experts, are the product of the Lazarus group and its BlueNoroff division.
North Korea, using units such as the Lazarus Group, continues to target companies operating in the crypto industry in order to steal cryptocurrencies to circumvent international sanctions that hinder the development of their economy, Elastic noted.
New data provided by Kandji shows that TodoSwift is distributed as a signed file called TodoTasks, which includes a loader component. This graphical application, written in SwiftUI, is designed to display a PDF document while secretly loading and executing a second malicious component, which strongly resembles the technique used in RustBucket.
The PDF used to lure victims is an innocuous document about Bitcoin hosted on Google Drive, while the malicious payload is downloaded from a domain controlled by the attackers. This malware is designed to collect system information and run additional malware.
Once installed, TodoSwift collects device data, including operating system version and hardware model, and communicates with the C2 server via an API, also writing data to an executable file on the device.
Using the Google Drive URL and passing the URL of the C2 server as the launch argument for the second stage of the malware is consistent with previous attacks by North Korean hackers on macOS systems.
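Two of the behaviours described above are directly observable in endpoint telemetry: resolution of the "linkpc[.]net" domain family, and a GUI application spawning a second stage with a C2 URL as its launch argument. The following triage script is an added example, not code from Kandji, Elastic or the article; it runs over constructed JSON event lines, and the event schema, process names and sample hostnames are assumptions for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample telemetry (not real logs): one JSON event per line.
SAMPLE_EVENTS = """
{"type":"dns","process":"TodoTasks","query":"docs.google.com"}
{"type":"dns","process":"TodoTasks","query":"example-host.linkpc.net"}
{"type":"exec","parent":"TodoTasks","path":"/Users/u/Library/Caches/stage2","args":["/Users/u/Library/Caches/stage2","https://example-host.linkpc.net/api"]}
{"type":"exec","parent":"Safari","path":"/usr/bin/open","args":["/usr/bin/open","https://example.org"]}
{"type":"dns","process":"Safari","query":"example.org"}
"""

# Domain family the article ties to RustBucket/KANDYKORN C2 (written defanged on the page).
SUSPECT_C2_SUFFIXES = (".linkpc.net",)
# Processes for which a URL on the command line is ordinary (assumption: tune per fleet).
URL_EXPECTED_PARENTS = {"Safari", "Google Chrome", "curl", "open"}


def _has_url_arg(args):
    """True if any argument parses as an absolute http(s) URL."""
    return any(urlparse(a).scheme in ("http", "https") and urlparse(a).netloc for a in args)


def triage_event(ev):
    """Return a list of finding strings for one telemetry event; empty means nothing flagged."""
    findings = []
    if ev["type"] == "dns":
        q = ev["query"].lower()
        if q.endswith(SUSPECT_C2_SUFFIXES):
            findings.append(f"dns: {ev['process']} resolved suspect C2 domain family {q}")
    elif ev["type"] == "exec":
        parent = ev["parent"]
        # A GUI app passing a URL to a child it launches mirrors the stage-two hand-off described above.
        if parent not in URL_EXPECTED_PARENTS and _has_url_arg(ev["args"][1:]):
            findings.append(f"exec: {parent} launched {ev['path']} with a URL argument")
    return findings


def triage(lines):
    """Parse newline-delimited JSON events and collect all findings in order."""
    out = []
    for line in lines.strip().splitlines():
        out.extend(triage_event(json.loads(line)))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```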
This case highlights the need for constant vigilance in the digital world. Cybercriminals are constantly improving their methods, using sophisticated techniques and disguising malware as harmless applications.
Users and organizations should be critical of any new software, regularly update their security systems, and provide cybersecurity training. Only a comprehensive approach to protection can effectively counter the growing threats in today's technological landscape.
Source