macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed
Summary:
Apple recently updated its XProtect malware tool to block several variants of the macOS Ferret family—FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES. This malware family was first uncovered by researchers in late 2024 and early 2025 as part of the Contagious Interview campaign, where attackers trick targets into installing malware through a fake job interview process. Targets in the Contagious Interview campaign are tricked into communicating with an interviewer (typically via LinkedIn) through a link that leads to an error message and prompts them to install or update software like VCam or CameraAccess for virtual meetings.
According to researchers at SentinelOne, previous reports revealed that the malware ran a malicious shell script, installed a persistence agent, and executed a fake Google Chrome update. Apple’s recent signature update addresses several components of this malware, including a backdoor masquerading as an operating system file (com.apple.secd, aka FRIENDLYFERRET) and persistence modules like ChromeUpdate and CameraAccess (aka FROSTYFERRET_UI).
SentinelOne says that it also identified a new set of malware artifacts called FlexibleFerret, which establishes persistence on infected macOS systems via a LaunchAgent. This malware is distributed via a package named InstallerAlert, which functions similarly to FROSTYFERRET_UI. Currently, SentinelOne notes that FlexibleFerret remains undetected by XProtect.
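Since the page's main detection gap is user-level LaunchAgent persistence that XProtect does not yet cover, the following added example (not code from SentinelOne, Apple or this write-up) shows how a defender can triage the plists in a user's LaunchAgents folder. It applies three generic heuristics that map to traits the report describes: an Apple-style label such as the com.apple.secd masquerade stored outside Apple's own directories, a program launched from a temp or shared path, and a program hidden in a dot directory. The sample plists, labels and paths below are constructed for illustration and are not indicators from the report; the `com.example.*` names and `/Users/alice` home directory are assumptions.

```python
"""Triage helper for user-level LaunchAgent persistence on macOS.

Added example for this write-up; it is not code from SentinelOne, Apple or
the page. It parses LaunchAgent property lists and flags traits that are
common in user-land persistence: an Apple-looking label stored outside
Apple's own directories, a program launched from a temp or shared location,
or a program hidden in a dot directory. The sample plists below are
constructed for illustration; their labels and paths are not indicators
from the report.
"""
import os
import plistlib
from pathlib import Path

# Apple ships its own agents/daemons here; a com.apple.* label anywhere else
# (for example ~/Library/LaunchAgents) is masquerading.
APPLE_AGENT_DIRS = ("/System/Library/LaunchAgents", "/System/Library/LaunchDaemons")

# Locations a legitimately installed LaunchAgent program rarely runs from.
SUSPECT_PATH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/",
                         "/private/var/tmp/", "/Users/Shared/")


def program_path(plist: dict) -> str:
    """Return the executable a LaunchAgent runs (Program or ProgramArguments[0])."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def triage_plist(data: bytes, source_dir: str) -> list[str]:
    """Return the reasons a plist looks suspicious; an empty list means clean."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # a plist launchd cannot parse still deserves a look
        return [f"unparseable plist: {exc}"]
    reasons = []
    label = str(plist.get("Label", ""))
    path = program_path(plist)
    if label.startswith("com.apple.") and not source_dir.startswith(APPLE_AGENT_DIRS):
        reasons.append(f"Apple-style label {label!r} outside Apple directories")
    if path.startswith(SUSPECT_PATH_PREFIXES):
        reasons.append(f"program runs from temp/shared location {path!r}")
    if any(part.startswith(".") for part in Path(path).parts):
        reasons.append(f"program lives in a hidden directory: {path!r}")
    return reasons


def scan_directory(directory: str) -> dict[str, list[str]]:
    """Triage every .plist in a LaunchAgents directory; returns file -> reasons."""
    findings = {}
    for entry in sorted(Path(directory).glob("*.plist")):
        reasons = triage_plist(entry.read_bytes(), directory)
        if reasons:
            findings[entry.name] = reasons
    return findings


# Constructed sample plists (not real indicators), as they would sit in
# a user's ~/Library/LaunchAgents.
SAMPLE_PLISTS = {
    # Mimics an Apple service name and hides its binary in a dot directory.
    "com.apple.example-masquerade.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example-masquerade</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/.hidden/helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    # Ordinary-looking label, but the program launches from /tmp.
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/tmp/updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    # A normal third-party agent that should not be flagged.
    "com.example.sync.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/sync</string></array>
</dict></plist>""",
}


def triage_samples() -> dict[str, list[str]]:
    """Run the heuristics over the constructed samples."""
    return {name: triage_plist(data, "/Users/alice/Library/LaunchAgents")
            for name, data in SAMPLE_PLISTS.items()}


if __name__ == "__main__":
    for name, reasons in triage_samples().items():
        print(name, "->", reasons or "clean")
    # On a real Mac, point it at the current user's agents as well.
    user_dir = os.path.expanduser("~/Library/LaunchAgents")
    if os.path.isdir(user_dir):
        print(scan_directory(user_dir))
```

The heuristics are deliberately coarse: they surface candidates for a human to inspect (code signature, file age, network behaviour), not verdicts. Anything flagged here should be compared against the LaunchAgent names the report calls out and against XProtect's current signature set, since SentinelOne notes FlexibleFerret was not yet covered at the time of writing.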
Security Officer Comments:
The end goal of the Contagious Interview campaign is to drop infostealers such as BeaverTail, which is capable of harvesting data from web browsers and cryptocurrency wallets. The threat actors behind this campaign, which began as early as November 2023, appear to be broadening their targeting beyond job seekers to include developers. SentinelLabs has observed attempts to compromise developers through the ffmpeg[.]sh installer script, with attackers posting fake issues on legitimate repositories. In one instance in late December 2024, a commenter left instructions leading to the download of FERRET family droppers, indicating a deliberate attempt by operators to expand the malware’s distribution vectors.
Suggested Corrections:
- Be vigilant when job recruiters ask you to perform tasks or download applications, especially if these involve executable files.
- Always verify that the companies and recruiters offering job interviews are genuine and properly established.
- Be cautious with links and attachments in unsolicited emails or messages claiming to be from recruiters or companies.
- Use up-to-date antivirus and anti-malware software to scan any files or applications before opening them.
- Developers should avoid interacting with untrusted comments or issues posted on repositories, and refrain from downloading any software or scripts from suspicious sources.
- Regularly monitor and audit repositories for unusual activity, such as fake issues or links, and ensure that access controls and permissions are strictly enforced.
https://www.sentinelone.com/blog/ma...er-variants-of-dprk-malware-family-unearthed/