
Cybersecurity researchers at SentinelOne have uncovered new macOS malware variants attributed to North Korean threat actors, expanding upon the previously identified ‘Ferret’ family. Dubbed ‘FlexibleFerret,’ these newly discovered samples highlight the evolving tactics used in espionage campaigns targeting professionals and developers through fake job interview schemes.
Last week, Apple pushed a signature update to its on-device malware tool, XProtect, to block several variants of the macOS Ferret malware family. According to the SentinelOne report, “Apple’s signature update last week targets some of the components of this malware campaign, including a backdoor that masquerades as an operating system file with the name com.apple.secd (aka FRIENDLYFERRET).”
The report notes that these malware samples were originally associated with the ‘Contagious Interview’ campaign, where North Korean attackers trick victims into downloading malicious software under the guise of job interview preparation. Targets are typically asked to install fake tools like ‘VCam’ or ‘CameraAccess’ to proceed with their interview, unknowingly infecting their macOS devices.
Despite Apple’s efforts, SentinelOne researchers found new samples that remain undetected by XProtect. The malware, named ‘FlexibleFerret,’ is a refined evolution of previous FERRET malware strains. Researchers state, “Prior to Apple pushing XProtect version 5286, SentinelLABS had been tracking the malware identified by previous researchers and analysing a variant of the ChromeUpdate samples with the identifier Mac-Installer.InstallerAlert.”
Unlike earlier versions, this variant is signed with a legitimate but now-revoked Apple Developer ID, enabling it to bypass Gatekeeper protections. The FlexibleFerret dropper, distributed as an Apple Installer package named versus.pkg, contains multiple payloads, including InstallerAlert.app and a disguised binary called zoom, which communicates with the command-and-control (C2) domain zoom.callservice[.]us (not affiliated with the legitimate Zoom service).

FlexibleFerret employs several persistence mechanisms to evade detection and maintain access. The report describes how the malware drops a persistence item in the user’s Library LaunchAgents folder under the name com.zoom.plist, masquerading as a legitimate Zoom service. It further executes a post-installation script to log activity while deceiving victims with an alert message stating, “This file is damaged and cannot be opened,” a technique used to trick users into believing the software failed to run.
Execution of FlexibleFerret is noisy: it leaves a log in /private/tmp/, which shows that the attack relies on scripted installation and on post-install logs for debugging, and gives defenders an additional on-disk artifact to look for.
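As an added illustration (not code from the SentinelOne report or this article), the Python script below scans a LaunchAgents folder for an entry matching the persistence item described above, flagging the reported com.zoom.plist name and any agent that launches a binary named zoom from outside the Zoom app bundle. The Label value "com.zoom" and the sample program path are assumptions, since the article gives only the plist file name and the binary name.

```python
import plistlib
import tempfile
from pathlib import Path

# Indicators taken from the write-up above; the Label value is an assumption
SUSPECT_PLIST_NAMES = {"com.zoom.plist"}
SUSPECT_LABELS = {"com.zoom"}
LEGIT_ZOOM_PREFIX = "/Applications/zoom.us.app/"


def inspect_launch_agent(path: Path) -> list[str]:
    """Return reasons this LaunchAgent resembles the FlexibleFerret persistence item."""
    reasons = []
    try:
        with path.open("rb") as fh:
            data = plistlib.load(fh)
    except (plistlib.InvalidFileException, OSError, ValueError) as exc:
        return [f"unparseable plist: {exc}"]
    if path.name in SUSPECT_PLIST_NAMES:
        reasons.append(f"file name matches reported persistence item {path.name}")
    label = data.get("Label", "")
    if label in SUSPECT_LABELS:
        reasons.append(f"Label {label!r} matches reported indicator")
    # launchd accepts either Program or ProgramArguments; take whichever is set
    program = data.get("Program") or (data.get("ProgramArguments") or [""])[0]
    if Path(program).name == "zoom" and not program.startswith(LEGIT_ZOOM_PREFIX):
        reasons.append(f"binary named 'zoom' outside the Zoom app bundle: {program}")
    if reasons and data.get("RunAtLoad"):
        reasons.append("RunAtLoad set: re-executes at every login")
    return reasons


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Scan every .plist in a LaunchAgents folder; map file name -> reasons for suspicious ones."""
    findings = {}
    for plist in sorted(directory.glob("*.plist")):
        if reasons := inspect_launch_agent(plist):
            findings[plist.name] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed LaunchAgents folder: one benign agent, one mimicking the reported entry."""
    tmp = Path(tempfile.mkdtemp())
    with (tmp / "com.example.updater.plist").open("wb") as fh:  # constructed benign agent
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/usr/local/bin/updater"], "RunAtLoad": True}, fh)
    with (tmp / "com.zoom.plist").open("wb") as fh:  # constructed lookalike; path is assumed
        plistlib.dump({"Label": "com.zoom",
                       "ProgramArguments": ["/Users/victim/Library/zoom"], "RunAtLoad": True}, fh)
    return scan_launch_agents(tmp)


if __name__ == "__main__":
    for name, why in demo().items():
        print(name, "->", "; ".join(why))
```

Point scan_launch_agents() at ~/Library/LaunchAgents on a live host to run the same check against real persistence entries.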
Researchers identified clear overlaps between FlexibleFerret and other DPRK-backed operations, including the ‘Hidden Risk’ campaign. “Perhaps unsurprisingly, indicators present in the FERRET family of malware overlap with indicators seen in other DPRK campaigns, including the Hidden Risk campaign described recently by SentinelLABS,” the report confirms. The malware also uses Dropbox for data exfiltration and api.ipify.org to identify the host’s public IP address.
Additionally, researchers observed North Korean threat actors expanding their attack surface beyond job seekers, targeting GitHub developers through fake issue comments containing malicious links. “A threat actor tries to trick GitHub users into downloading FERRET malware,” the report warns.