FlexibleFerret Evolving Malware Targets Developers and Job Seekers


Summary
CRIL came across a blog reporting that Apple recently updated its XProtect signatures to block several macOS malware variants tied to the DPRK-attributed "Contagious Interview" campaign, which targets job seekers and developers. SentinelOne identified a further member of the FERRET malware family, FlexibleFerret, that was not caught by the updated XProtect signatures at the time of analysis.
The malware arrives in a signed fake installer package, persists through a LaunchAgent, and exfiltrates data over Dropbox, with its components masquerading as legitimate software such as a Chrome updater (ChromeUpdate) and Zoom.
Technical Detail
FlexibleFerret is an upgraded variant of the FERRET malware family associated with the North Korean-backed "Contagious Interview" campaign. The sample, which predates Apple's XProtect update (version 5286), was an Apple Installer package named versus.pkg. The package bundled several malicious components: InstallerAlert.app, versus.app, a fake zoom binary, and a postinstall.sh script. It was signed with a valid Apple Developer certificate (since revoked), giving it the appearance of a legitimate application.
Infection flow
When the user installs versus.pkg, the macOS Installer prompts for administrator credentials and runs postinstall.sh with those privileges; the script drops the malicious files into “/var/tmp/” (a symlink to /private/var/tmp on macOS) and logs its progress to “/private/tmp/postinstall.log”. The fake zoom binary then connects to the malicious domain zoom.callservice[.]us. At the same time, InstallerAlert.app shows a fake macOS error message, “This file is damaged and cannot be opened”, so the user believes the installer failed while the malicious files are installed in the background.
Persistence
The malware adds a LaunchAgent file “com.zoom.plist” in “~/Library/LaunchAgents/” whose program path points to “/private/var/tmp/logd”. The name mimics the genuine macOS logging daemon, but the real logd lives under /usr/libexec and is never launched from a scratch directory; the copy in /private/var/tmp is part of the malware and acts as its loader. The final payload could not be retrieved because the C&C server was offline at the time of analysis.
Connection to ChromeUpdate
The Mac-Installer.InstallerAlert binary in versus.pkg shows 86% code similarity with ChromeUpdate, tying it to the same malware family. Unlike ChromeUpdate, this variant was initially signed with a valid Apple Developer certificate, which made detection harder until Apple revoked the certificate.
Distribution Methods
While the original campaign targeted job seekers through fake interviews, FlexibleFerret has also been aimed at developers on GitHub. Attackers open bogus issues on legitimate repositories containing instructions to download and run a script such as ffmpeg.sh; a developer who follows them installs the malware. Researchers observed several attempts to infect developers this way.
Exfiltration and Network Activity
FlexibleFerret uses Dropbox as its exfiltration channel and queries “api.ipify.org” to learn the infected machine's public IP address. Both techniques appear in other North Korean-linked campaigns, such as the Hidden Risk operation, suggesting shared tooling and strategy.
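The artifacts listed in the infection flow, persistence and network sections above are concrete enough to hunt for. The following triage script is an added example for this page, not code from the report or from SentinelOne. The indicators it uses come from the text (the dropped files /private/var/tmp/logd and /private/tmp/postinstall.log, the LaunchAgent name com.zoom.plist, the C2 domain zoom.callservice[.]us, the lookup service api.ipify.org); the Dropbox API hostnames, the genuine Zoom install path, and the sample plist and log lines are assumptions constructed for the example. It goes slightly beyond the report by flagging any LaunchAgent that executes from a scratch directory, not just the one named here.

```python
"""Triage helper for the FlexibleFerret artifacts described in the report.

Added example, not code from the report or from SentinelOne. Indicators come
from the text; the Dropbox API hostnames, the Zoom install path and the sample
inputs are assumptions.
"""
import os
import plistlib
import re
from pathlib import Path

IOC_FILES = ("/private/var/tmp/logd", "/private/tmp/postinstall.log")
IOC_DOMAINS = {"zoom.callservice.us"}           # C2 domain named in the report
ABUSED_HOSTS = {"api.ipify.org"}                 # public-IP lookup named in the report
ABUSED_SUFFIXES = (".dropboxapi.com",)           # assumption: Dropbox API endpoints
# Scratch directories (/var and /tmp are symlinks into /private on macOS);
# a legitimate LaunchAgent never executes a binary from here.
TMP_PREFIXES = ("/private/var/tmp/", "/var/tmp/", "/private/tmp/", "/tmp/")
REAL_ZOOM_PREFIX = "/Applications/zoom.us.app/"  # assumption: default Zoom location


def launch_agent_findings(plist_bytes: bytes, plist_path: str) -> list:
    """Return the reasons one LaunchAgent plist looks like FlexibleFerret persistence."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # a plist launchd cannot parse is itself worth a look
        return [f"{plist_path}: unparseable plist ({exc})"]
    label = str(data.get("Label", "<none>"))
    args = data.get("ProgramArguments") or []
    program = str(data.get("Program") or (args[0] if args else ""))
    findings = []
    if program in IOC_FILES:
        findings.append(f"{plist_path}: label {label} runs known IOC {program}")
    elif program.startswith(TMP_PREFIXES):
        findings.append(f"{plist_path}: label {label} runs from a scratch dir: {program}")
    if os.path.basename(plist_path) == "com.zoom.plist" and not program.startswith(REAL_ZOOM_PREFIX):
        findings.append(f"{plist_path}: Zoom-named agent points outside the Zoom bundle: {program}")
    return findings


def scan_launch_agents(agents_dir: str) -> list:
    """Scan every *.plist in a LaunchAgents directory, e.g. ~/Library/LaunchAgents."""
    findings = []
    for plist in sorted(Path(agents_dir).glob("*.plist")):
        findings.extend(launch_agent_findings(plist.read_bytes(), str(plist)))
    return findings


def file_ioc_findings(root: str = "/") -> list:
    """Return the dropped-file paths present under root (use a mount point to scan an image)."""
    return [p for p in IOC_FILES if Path(root, p.lstrip("/")).exists()]


_HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.IGNORECASE)


def domain_findings(log_lines) -> list:
    """Match hostnames in DNS or proxy log lines against the report's network indicators."""
    hits = []
    for line in log_lines:
        for host in _HOST_RE.findall(line):
            host = host.lower()
            if host in IOC_DOMAINS:
                hits.append((host, "C2 domain"))
            elif host in ABUSED_HOSTS or host.endswith(ABUSED_SUFFIXES):
                hits.append((host, "abused legitimate service"))
    return hits


# Constructed samples (not real captures): the persistence plist as the report
# describes it, and four proxy-log lines in a made-up format.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.zoom</string>
  <key>ProgramArguments</key><array><string>/private/var/tmp/logd</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""
SAMPLE_LOG = [
    "2025-02-04T10:00:01Z 10.0.0.5 CONNECT zoom.callservice.us:443",
    "2025-02-04T10:00:02Z 10.0.0.5 GET https://api.ipify.org/?format=json",
    "2025-02-04T10:00:03Z 10.0.0.5 POST https://content.dropboxapi.com/2/files/upload",
    "2025-02-04T10:00:04Z 10.0.0.5 GET https://www.example.com/",
]

if __name__ == "__main__":
    for f in launch_agent_findings(SAMPLE_AGENT, "~/Library/LaunchAgents/com.zoom.plist"):
        print("[!]", f)
    agents_dir = os.path.expanduser("~/Library/LaunchAgents")
    if os.path.isdir(agents_dir):
        for f in scan_launch_agents(agents_dir):
            print("[!]", f)
    for p in file_ioc_findings():
        print("[!] dropped file present:", p)
    for host, why in domain_findings(SAMPLE_LOG):
        print(f"[!] {why}: {host}")
```

Run it on the user's own ~/Library/LaunchAgents (and, for a forensic image, pass the mount point to file_ioc_findings). The domain hits for api.ipify.org and Dropbox are weak on their own, since both services have legitimate users; treat them as context to pivot from, while the C2 domain and the tmp-resident LaunchAgent are high-confidence.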
Recommendation
We have listed some essential cybersecurity best practices that form the first line of defence against attackers. We recommend that our readers follow the practices given below:
Ensure that comprehensive endpoint protection, such as antivirus or anti-malware software, is in place and kept up to date. XProtect and third-party security tools can detect and block malicious files, including those masquerading as legitimate applications, but only once signatures or behavioural rules cover the variant, as this case shows.
Download software only from trusted sources, and be wary of unsolicited links, especially during job interviews and in GitHub issues. Verify the digital signatures of installer packages and never run files whose certificate is invalid or revoked; note that a valid Apple Developer signature alone is not proof of safety, since this sample carried one until Apple revoked it.
Provide ongoing training to users and developers on recognising phishing and malicious software. Encourage reporting of suspicious activity, such as unexpected requests to install software or to run a script, and advise checking any suspicious link or email before interacting with it.
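The signature check in the recommendations above can be made a fail-closed gate rather than a manual glance. The script below is an added example for this page, not tooling from the report; it assumes a macOS host with pkgutil(1) and spctl(8) available, and on any other system (or for a missing file) it refuses rather than silently approving. The package path used in the usage line is hypothetical.

```python
"""Fail-closed pre-install gate for .pkg installers.

Added example, not code from the report. Assumes macOS with pkgutil and spctl;
elsewhere it rejects because it cannot verify.
"""
import shutil
import subprocess
from pathlib import Path


def verify_pkg(pkg_path: str):
    """Return (verdict, detail); verdict is 'ACCEPT' or 'REJECT' and never 'ACCEPT' on doubt."""
    pkg = Path(pkg_path)
    if not pkg.is_file():
        return ("REJECT", f"{pkg} is not a file")
    if not (shutil.which("pkgutil") and shutil.which("spctl")):
        return ("REJECT", "pkgutil/spctl unavailable, cannot verify the signature")
    # Who signed it: Developer ID name, team ID and notarization status, for the human.
    sig = subprocess.run(["pkgutil", "--check-signature", str(pkg)],
                         capture_output=True, text=True)
    # Gatekeeper's verdict for an *install* operation. Exit status 0 means the
    # signing chain is valid and accepted by policy; unsigned and untrusted
    # packages come back non-zero, as do revoked certificates when the host can
    # reach Apple's revocation service.
    gate = subprocess.run(["spctl", "--assess", "--type", "install", "-vv", str(pkg)],
                          capture_output=True, text=True)
    detail = sig.stdout.strip() + "\n" + (gate.stdout + gate.stderr).strip()
    if gate.returncode != 0:
        return ("REJECT", detail)
    return ("ACCEPT", detail)


def install_if_trusted(pkg_path: str, dry_run: bool = True) -> bool:
    """Install only when verify_pkg accepts; with dry_run the installer is not invoked."""
    verdict, detail = verify_pkg(pkg_path)
    print(verdict, detail)
    if verdict != "ACCEPT":
        return False
    if not dry_run:
        subprocess.run(["sudo", "installer", "-pkg", pkg_path, "-target", "/"], check=True)
    return True


if __name__ == "__main__":
    # Hypothetical path; replace with the package you were asked to install.
    install_if_trusted("/Users/dev/Downloads/versus.pkg")
```

Read the pkgutil output before trusting an ACCEPT: the report's sample would have passed this gate while its Developer certificate was still valid, so a Developer ID you do not recognise, or a package whose vendor has no reason to ship an installer at all, is still grounds to stop.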
Conclusion
The "Contagious Interview" campaign, using the FERRET malware family, continues to target both job seekers and developers with evolving tactics. FlexibleFerret, which shipped with a valid (since revoked) Apple Developer signature and slipped past the XProtect update, shows how quickly the actor adapts. Its use of GitHub for distribution and Dropbox for data exfiltration demonstrates the attackers' broad and persistent targeting strategy.
Published by FPT Metrodata Indonesia
