
FlexibleFerret malware targets macOS via North Korean job campaign


A newly discovered malware strain has been identified that’s been used as part of the ongoing North Korean Contagious Interview campaign, in which threat actors lure victims to install malware through the job interview process.

The new malware strain, FlexibleFerret, was explained in a Feb. 3 blog by SentinelOne researchers Phil Stokes and Tom Hegel.

According to the SentinelOne researchers, Apple last week pushed a signature update to its on-device malware tool XProtect to block several variants of what it called the macOS Ferret family:

  • FROSTYFERRET_UI
  • FRIENDLYFERRET_SECD
  • MULTI_FROSTYFERRET_CMDCODES

Phil Stokes, one of the SentinelLabs threat researchers who wrote the report, said FlexibleFerret, the new variant detailed in the research, currently remains undetected by Apple’s XProtect.

“Some components of the FERRET family, including FlexibleFerret, are not blocked by XProtect,” said Stokes. “However, other mechanisms such as a revoked developer cert may help for specific samples. In general, security teams should ensure they have a solution that blocks the list of IoCs in our post independently of Apple’s mechanisms to ensure adequate protection.”

Boris Cipot, senior security engineer at Black Duck, said that as the number of macOS users has grown, so has interest in the platform, and therefore more attacks have surfaced. Cipot said that because macOS devices are also popular in development circles, management, and other high-value roles within companies, interest in the platform has been further nurtured.

“There are different threat actor groups that are interested in macOS,” said Cipot. “Some are after financial gain, while other groups have more focus on espionage, disruption, and surveillance. Most prominent are groups from North Korea, China and Russia. What we can see is that the newest campaign is a further evolution of the FERRET malware family as these threat actors are trying to fine-tune their techniques for bypassing security measures.”

While they are not the only ones that target macOS, SentinelOne’s Stokes said DPRK-aligned threat actors are certainly the busiest, or at least the most visible, in their attempts to infect a wide range of targets with backdoors through macOS malware.

“If you look at all their various campaigns over recent years, from backdoors for espionage to theft of cryptocurrency for financial gain, their objectives are quite broad, and they certainly appear to devote more resources to compromising macOS users than other adversaries we track at this time,” said Stokes.
