
TodoSwift Disguises Malware Download Behind Bitcoin PDF

2024-08-16, Kandji
https://www.kandji.io/blog/todoswift-disguises-malware-download-behind-bitcoin-pdf
#BlueNoroff #macOS #KANDYKORN

A signed file named TodoTasks was uploaded to VirusTotal on 2024-07-24. This application shares several behaviors with malware we’ve seen that originated in North Korea (DPRK)—specifically the threat actor known as BlueNoroff—such as KandyKorn and RustBucket; given these commonalities, we believe this new malware—which we’re dubbing TodoSwift—is likely from the same source.
In this post, we wanted to focus particularly on the malware’s dropper, a GUI application that’s written in Swift/SwiftUI. Under the guise of downloading and presenting a PDF to the user, it simultaneously downloads and executes a malicious stage 2 binary.
-[TodoTasksDocument makeWindowControllers]
We will start by looking at how the application presents the PDF to the user.
It begins with a call to makeWindowControllers, since this is the method that sets up the application’s malicious behavior. According to Apple, this method “creates the window controller objects that the document uses to display its content.” In this case, the application sends …

IoC
