macOS FlexibleFerret - Further variants of North Korean malware family unearthed
macOS FlexibleFerret - Further variants of North Korean malware family unearthed - Malware Update
Last week Apple pushed a signature update to XProtect, its built-in on-device malware detection tool, to block several variants of what it calls the macOS Ferret family: FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES.
This DPRK-attributed malware family was first described by researchers in December and further in early January and identified as part of the North Korean Contagious Interview campaign, in which threat actors lure targets to install malware through the job interview process.
FERRET family background
Previous researchers have described several malware components associated with the Contagious Interview campaign. Targets are typically asked to communicate with an interviewer through a link that displays an error message and asks them to install or update some required piece of software, such as VCam or CameraAccess, for virtual meetings.
In previous reports, the observed malware ran a malicious shell script and installed a persistence agent and an executable masquerading as a Google Chrome update.
Apple's signature update last week targets some of the components of this malware campaign, including a backdoor that masquerades as an operating system file with the name com.apple.secd (aka FRIENDLYFERRET) along with the ChromeUpdate and CameraAccess persistence modules (aka FROSTYFERRET_UI).
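As an added triage check (not code from the SentinelLABS post, and not a reproduction of Apple's XProtect rules), the following POSIX shell script hunts launchd property lists for the three indicator names the post gives: com.apple.secd, ChromeUpdate and CameraAccess. The function names, the scanned directory and the sample plists it builds are all constructed for this example; on a real Mac you would point `scan_dir` at /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents. A substring hit is a reason to look closer, not a verdict: confirm with the file's code signature, its on-disk binary and Apple's own signatures before acting.

```shell
#!/bin/sh
# Added triage script for the indicator names in the post (not SentinelLABS'
# or Apple's own tooling; XProtect's rules are not reproduced here).
# Everything below except the three indicator strings is constructed for the
# example: directory layout, plist contents and function names are assumptions.
set -u

# Indicator strings taken from the post: the backdoor's fake system-file name
# and the two persistence module names. Matched as case-sensitive substrings.
INDICATORS="com.apple.secd ChromeUpdate CameraAccess"

# Print a plist as text. launchd plists are often stored as binary plists, so
# use plutil (macOS) to convert to XML when available, else read the raw file.
plist_text() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1" 2>/dev/null || cat "$1"
    else
        cat "$1"
    fi
}

# scan_dir DIR: for every .plist under DIR, print "path<TAB>indicator" once per
# indicator string found in it. Prints nothing for a missing or clean directory.
scan_dir() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" -type f -name '*.plist' | while IFS= read -r f; do
        text=$(plist_text "$f")
        for ind in $INDICATORS; do
            case $text in
                *"$ind"*) printf '%s\t%s\n' "$f" "$ind" ;;
            esac
        done
    done
}

# count_hits DIR: number of indicator matches under DIR ("0" when clean).
count_hits() {
    scan_dir "$1" | wc -l | tr -d ' '
}

# make_sample: build a temporary directory holding one benign agent and two
# constructed plists carrying indicator names. Prints the directory path.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/com.example.backup.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
</dict></plist>
EOF
    cat > "$d/com.apple.secd.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.secd</string>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    cat > "$d/com.google.update.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.update</string>
  <key>ProgramArguments</key><array><string>/tmp/ChromeUpdate</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    printf '%s\n' "$d"
}

# Stand-alone demo: `sh ferret_triage.sh --demo` scans the constructed sample
# and reports two hits, then removes the sample. Pass a real directory instead
# of --demo to scan it.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample)
    scan_dir "$sample"
    echo "hits: $(count_hits "$sample")"
    rm -rf "$sample"
elif [ -n "${1:-}" ]; then
    scan_dir "$1"
    echo "hits: $(count_hits "$1")"
fi
```

The script reads the whole plist rather than only the Label key because the post describes the persistence modules by the names of the things they masquerade as, which may appear in ProgramArguments or a path rather than the label.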
Perhaps unsurprisingly, indicators present in the FERRET family of malware overlap with indicators seen in other DPRK campaigns, including the Hidden Risk campaign described recently by SentinelLABS.
Conclusion
The ‘Contagious Interview’ campaign and the FERRET family of malware represent an ongoing and active campaign, with threat actors pivoting from signed applications to functionally similar unsigned versions as required. Diverse tactics help the threat actors deliver malware to a variety of targets in the developer community, both in targeted efforts and in what appears to be a more ‘scatter gun’ approach via social media and code sharing sites like GitHub.
Along with industry peers, SentinelLABS continues to track and publicise this activity to help raise awareness and protect users.