Researchers discovered new variants of a macOS malware family that state-sponsored North Korean threat actors have used in threat campaigns involving fake job interviews.
SentinelOne, in a Monday blog post, revealed "FlexibleFerret," a new type of macOS malware not currently detected by Apple's security software. SentinelLabs researchers said FlexibleFerret is part of an active threat campaign dubbed "Contagious Interview" in which North Korean threat actors use job interviews to trick targeted individuals into downloading the malware.
"Targets are typically asked to communicate with an interviewer through a link that throws an error message and a request to install or update some required piece of software such as VCam or CameraAccess for virtual meetings," SentinelLabs researchers wrote in the blog post.
Ferret malware was first documented by cybersecurity vendors in December, according to SentinelOne. Apple addressed several variants of the macOS malware family in a signature update for XProtect last week. However, the North Korean threat actors adapted to the update by deploying FlexibleFerret, which XProtect does not detect.
Additionally, SentinelLabs researchers noted that unlike other variants of the macOS malware family, FlexibleFerret was signed with a valid Apple Developer ID certificate and carried a Team ID, and contains other elements that make it appear to be legitimate software. Both the signing certificate and the Team ID have since been revoked, according to SentinelLabs.
The Contagious Interview campaign, which has been ongoing since November 2023, targets both employers and software developers with postings on job search platforms and forums. The state-sponsored threat actors behind the attacks typically pose as prospective employers and try to lure in developers with fake job interviews. Once a victim clicks on a malicious link presented by the interviewer, FlexibleFerret infects the victim's host with a backdoor that could give the threat actors a foothold in the environment of the victim's current employer.
GitHub Targets
SentinelLabs researchers observed the latest iteration of this campaign targeting users of GitHub by opening fake issues in legitimate repositories.
"Diverse tactics help the threat actors deliver malware to a variety of targets in the developer community, both in targeted efforts and what appears to be more 'scatter gun' approaches via social media and code sharing sites like GitHub," they wrote.
Phil Stokes, senior researcher at SentinelLabs and co-author of the blog post, said that while XProtect does not yet detect FlexibleFerret, Apple has apparently taken steps to address the new malware.
"At this time, XProtect does not contain a rule for FlexibleFerret. One of the significant differences between FlexibleFerret and the other malware identified by Apple's Ferret rules is that FlexibleFerret was signed with an Apple Developer ID," Stokes said. "That cert had already been revoked by Apple at the time we went to press, indicating that Apple is aware of this developer."
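Because the distinguishing feature here is a Developer ID signature whose certificate Apple later revoked, the practical triage question for a suspicious download is: who signed it, with which Team ID, and does macOS still accept that signature? The following helper is an added example written for this page, not code from SentinelOne or the article. It parses the output of `codesign -dvvv`, classifies the signer against a Team ID allowlist you maintain, and, when run on a Mac, also calls `codesign --verify` and `spctl --assess` so a revoked certificate shows up as a verification failure. The sample `codesign` output, the bundle identifier `com.example.app` and the Team ID `ABCDE12345` are constructed for illustration and are not indicators from the campaign.

```python
"""Triage helper: inspect a macOS binary's code signature and Team ID.

Added example for this page (not SentinelOne's or Apple's code). The
sample output and identifiers below are constructed, not real IOCs.
"""
import shutil
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample of what `codesign -dvvv <bundle>` writes to stderr
# for a Developer ID-signed app. Not taken from any real sample.
SAMPLE_CODESIGN_OUTPUT = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2025 at 00:00:00
TeamIdentifier=ABCDE12345
Runtime Version=14.0.0
"""

# Constructed sample for an ad-hoc signed binary (no Team ID).
SAMPLE_ADHOC_OUTPUT = """Executable=/tmp/tool
Identifier=tool-55554944
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=300 flags=0x2(adhoc) hashes=5+2 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""


@dataclass
class SignatureInfo:
    identifier: Optional[str] = None
    team_id: Optional[str] = None
    authorities: List[str] = field(default_factory=list)

    @property
    def developer_id_signed(self) -> bool:
        # Developer ID leaf certificates are named "Developer ID Application: ..."
        return any(a.startswith("Developer ID Application:") for a in self.authorities)


def parse_codesign(output: str) -> SignatureInfo:
    """Extract identifier, Team ID and certificate chain from `codesign -dvvv` text."""
    info = SignatureInfo()
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if key == "Identifier":
            info.identifier = value
        elif key == "TeamIdentifier":
            info.team_id = value
        elif key == "Authority":
            info.authorities.append(value)
    return info


def classify(info: SignatureInfo, trusted_team_ids: Set[str]) -> str:
    """Bucket a signature for triage. `trusted_team_ids` is your own allowlist."""
    if info.team_id is None or info.team_id == "not set":
        return "unsigned or ad-hoc"          # codesign reports "not set" for ad-hoc
    if info.team_id in trusted_team_ids:
        return "signed by allow-listed team"
    if info.developer_id_signed:
        return "Developer ID signed by unknown team"
    return "signed, non-Developer-ID"


def inspect_binary(path: str, trusted_team_ids: Set[str]) -> Dict[str, object]:
    """Run the real tools on macOS. Returns parsed info plus verification results.

    A revoked certificate makes `codesign --verify` and `spctl --assess` fail,
    so those exit codes are what catch a signer Apple has already cut off.
    """
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not available; run this on macOS")
    describe = subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)
    info = parse_codesign(describe.stderr)          # codesign describes on stderr
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", "--verbose=2", path],
                            capture_output=True, text=True)
    assess = subprocess.run(["spctl", "--assess", "--type", "execute", "--verbose", path],
                            capture_output=True, text=True)
    return {
        "info": info,
        "classification": classify(info, trusted_team_ids),
        "signature_valid": verify.returncode == 0,
        "verify_output": verify.stderr.strip(),
        "gatekeeper_accepts": assess.returncode == 0,
        "assess_output": assess.stderr.strip(),
    }


if __name__ == "__main__":
    import sys
    trusted = {"ABCDE12345"}                    # hypothetical allowlist
    if len(sys.argv) > 1:
        print(inspect_binary(sys.argv[1], trusted))
    else:
        print(classify(parse_codesign(SAMPLE_CODESIGN_OUTPUT), trusted))
```

Run it as `python3 triage.py /Applications/Suspect.app` on a Mac; offline, it only exercises the parser on the constructed sample. Treat "Developer ID signed by unknown team" plus a failed `codesign --verify` as the signal worth escalating: a valid-looking Developer ID chain is exactly what made this sample look legitimate, and the revocation only becomes visible through verification, not through reading the certificate names.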
Stokes added that SentinelLabs has observed an increase in macOS malware over the last year.
The Contagious Interview activity is the latest example of North Korean state-sponsored threat actors attacking enterprises and developers through job-focused campaigns. In 2022, the FBI warned that threat actors were posing as non-North Korean nationals using deepfake technology and attempting to gain employment as IT personnel and software developers at Western companies.
If hired, the North Korean threat actors would use the access to steal sensitive data and intellectual property. U.S. authorities and cybersecurity vendors have urged enterprise and government employers to use caution when interviewing prospective employees and to take extra measures to verify identities.