A new variant of malware, known as FlexibleFerret, has been identified targeting macOS users while evading detection by Apple’s XProtect tool.
This malware is part of a broader campaign attributed to North Korean threat actors, who have been using sophisticated tactics to lure victims into installing malicious software.
The Ferret family of malware, including variants like FROSTYFERRET_UI and FRIENDLYFERRET_SECD, was first reported in December 2023.
These malware components are associated with the “Contagious Interview” campaign, where threat actors trick job seekers into installing malware by masquerading it as necessary software for virtual interviews.
FlexibleFerret Malware Components (Source – SentinelOne)
Besides this, cybersecurity experts at SentinelOne discovered that Apple recently updated XProtect to block some of these variants, but FlexibleFerret remains undetected.
FlexibleFerret Analysis
FlexibleFerret is distributed through an Apple Installer package named versus.pkg, which contains several malicious components, including InstallerAlert.app, versus.app, and a standalone binary called zoom.
Postinstall Script Execution (Source – SentinelOne)
The postinstall.sh script is used to execute these components after installation, logging its progress to /tmp/postinstall.log.
# Log the start of the script echo “$(date): Running post-installation script…” >> /tmp/postinstall.log # Check if the zoom file exists and execute it if [ -f /var/tmp/zoom ]; then echo “$(date): Zoom file exists, executing…” >>/tmp/postinstall.log /var/tmp/zoom >> /tmp/postinstall.log 2>&1 & else echo “$(date): Zoom file not found” >> /tmp/postinstall.log fi
The fake zoom binary communicates with the domain zoom.callservice[.]us, which is not a legitimate Zoom domain.
Meanwhile, InstallerAlert.app tricks users into thinking it’s a legitimate application by displaying an error message, while secretly installing a persistence item in the User’s Library LaunchAgents folder with the label com.zoom.plist.
InstallerAlert Error Message (Source – SentinelOne)
The Contagious Interview campaign has expanded beyond targeting job seekers to include developers on platforms like GitHub. Threat actors are using fake issues on legitimate repositories to distribute malware droppers.
Users are advised to be cautious when installing software from untrusted sources and to keep their security software updated.
Indicators of Compromise (IoCs)
- versus.pkg: 388ac48764927fa353328104d5a32ad825af51ce
- InstallerAlert Mach-Os: 1a28013e4343fddf13e5c721f91970e942073b88, 3e16c6489bac4ac2d76c555eb1c263cd7e92c9a5, 76e3cb7be778f22d207623ce1907c1659f2c8215
