Ferret Malware Included in ‘Contagious Interview’ Campaign

Apple has recently released a new signature update for XProtect, its on-device malware tool, aiming to block variants of malware associated with the macOS Ferret family. This move comes in response to a North Korean campaign known as “Contagious Interview,” where threat actors trick targets into installing malware under the guise of fake job interviews.

The malware, which includes variants like FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES, was first identified by researchers in December 2024 and has resurfaced in January as part of the ongoing campaign. Targets are tricked into communicating with an alleged interviewer through a link that prompts them to download software supposedly necessary for virtual meetings.

Once the software is installed, it executes a malicious shell script, installs a persistence agent, and impersonates a Google Chrome update. The attack chain ultimately deploys JavaScript-based malware named “BeaverTail,” which then delivers a Python backdoor known as InvisibleFerret. This backdoor is designed to extract sensitive data from web browsers and cryptocurrency wallets on the infected devices.

Recent findings from researchers at SentinelOne shed light on a previously undetected component of the malware called “FlexibleFerret,” which remained hidden from XProtect until at least Feb. 3. This discovery suggests that the threat actors behind the campaign are continuously refining their tactics to avoid detection. The origins of FlexibleFerret date back to November 2023, indicating a prolonged and evolving threat landscape.

In late December, the SentinelOne researchers documented a case where a commenter provided instructions that led to the download of Ferret family droppers. This incident hints at the threat actors’ willingness to expand their reach beyond targeting job seekers to a broader audience, potentially including developers and other unsuspecting individuals.

The emergence of FlexibleFerret underscores the need for constant vigilance and updated security measures to combat evolving malware threats. As cybercriminals persist in refining their tactics, organizations and individuals must stay informed and proactive in safeguarding their systems and data from malicious attacks. Apple’s proactive approach in releasing signature updates to XProtect is a step in the right direction, but continued collaboration between cybersecurity researchers, industry stakeholders, and law enforcement is needed to stay ahead of sophisticated threat actors.
