MacOS Ferret operators add a deceptive bite to their malware family

by CybrGPT

Flexible-Ferret is an evasive variant being used in the “Contagious Interview” campaign that even upgraded Apple protections can’t flag.


The macOS Ferret family, variants of malware used by North Korean APTs for cyber espionage, has received a new member as samples of a detection-resistant variant, Flexible-Ferret, appear in the wild.

The discovery of the samples was made by SentinelOne researchers who noted the variant’s capability to evade the recent XProtect signature update that Apple pushed to block Ferret infections.

“Unlike the previous samples, this malware was signed with a valid Apple Developer signature and Team ID,” said SentinelOne researchers in a blog post.

The macOS Ferret malware family is linked to the “Contagious Interview” campaign by DPRK-backed threat actors, where attackers trick targets into installing malware under the guise of a job interview process.

The campaign dates back as far as November 2023 and has used several variants of the malware, including FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES. Apple had implemented protection against all of these variants in its latest XProtect signature update.

FERRET is a sneaky click-fix

What typically happens in a Contagious Interview attack is that a target is contacted by a supposed interviewer and is then shown an error message prompting them to install or update some seemingly important software, such as VCam, for the meeting.

As soon as the victim clicks on the action prompt, the executed binary (usually the JavaScript-based “BeaverTail” malware) runs a malicious shell script that installs a persistence agent in the local system, along with an executable posing as a Google Chrome update (labeled ChromeUpdate) which in reality is a Golang backdoor and stealer.

The Ferret malware is specifically designed for macOS systems, with variants targeted at macOS’s user interface (FROSTYFERRET_UI), security daemon (FRIENDLYFERRET_SECD), and command codes within the macOS environment (MULTI_FROSTYFERRET_CMDCODES).

In a comment to CSO, Boris Cipot, a senior security engineer at Black Duck, said, “There are different threat actor groups that are interested in MacOS, most prominent being the groups from North Korea, China, and Russia. What we can see is that the newest campaign is a further evolution of the FERRET malware family as these threat actors are trying to fine-tune their techniques of bypassing security measures.”

FlexibleFerret scurries past Apple protection

According to the researchers, Apple XProtect version 5286, which was aimed at blocking the Ferret variants, was not flagging the new FlexibleFerret variant, at least as of the publication of their report on February 3.

During their continued analysis of the Ferret strain, SentinelLABs identified a variant of the ChromeUpdate, labeled as Mac-Installer.InstallerAlert. The installer stood out as it was signed with a valid Apple Developer ID and Team ID. Further investigation revealed other factors that placed the variant in the existing FERRET family.

The malware dropper, versus.pkg, contained two applications, InstallerAlert.app and versus.app, along with a deceptive standalone binary called “zoom” which on execution connected to an unrelated Zoom service domain and elevated system privileges. Additionally, InstallerAlert.app displayed an error message mimicking macOS Gatekeeper’s warning, while in the background it dropped a persistence agent.

The Mac-Installer, despite sharing 86% of its code with ChromeUpdate, wasn’t flagged by XProtect. The team discovered it only because it used a revoked Developer ID, and that finding led them to additional FlexibleFerret samples.
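Since XProtect signatures lagged behind this variant, a defender can still lean on the two properties the article highlights: the persistence agent the installer drops, and the Developer ID that was later revoked. The script below is an added triage helper (not from the article or SentinelOne); it walks a Mac’s LaunchAgents, resolves the binary each one launches, and reports its code-signing Team ID and whether Gatekeeper’s `spctl` assessment still accepts it. The parsing helpers take tool output as strings, so they can be exercised without macOS; the `codesign` and `spctl` calls themselves only run where those tools exist.

```shell
#!/bin/sh
# Added triage helper, not part of the original article: list every LaunchAgent,
# the program it launches, its signing Team ID, and Gatekeeper's verdict.
# A revoked Developer ID (as with the FlexibleFerret samples) shows up as
# "rejected" even when XProtect has no signature for the binary.

# Pull the TeamIdentifier value out of `codesign -dv --verbose=2` output.
# Takes the output as a string so it can be tested without macOS tools.
team_id_from_codesign() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Reduce `spctl --assess --verbose` output to accepted / rejected / unknown.
gatekeeper_verdict() {
    case "$1" in
        *": accepted"*) echo accepted ;;
        *": rejected"*) echo rejected ;;
        *)              echo unknown ;;
    esac
}

# Walk the per-user and system LaunchAgents and report on each launched binary.
audit_launch_agents() {
    for plist in "$HOME"/Library/LaunchAgents/*.plist /Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        # Either ProgramArguments[0] or Program names the executable.
        prog=$(/usr/libexec/PlistBuddy -c 'Print :ProgramArguments:0' "$plist" 2>/dev/null \
            || /usr/libexec/PlistBuddy -c 'Print :Program' "$plist" 2>/dev/null)
        [ -n "$prog" ] || continue
        sig=$(codesign -dv --verbose=2 "$prog" 2>&1)
        team=$(team_id_from_codesign "$sig")
        verdict=$(gatekeeper_verdict "$(spctl --assess --verbose --type execute "$prog" 2>&1)")
        printf '%s\t%s\tteam=%s\tgatekeeper=%s\n' "$plist" "$prog" "${team:-none}" "$verdict"
    done
}

# Only attempt the live audit where the macOS signing tools are present.
if command -v codesign >/dev/null 2>&1 && command -v spctl >/dev/null 2>&1; then
    audit_launch_agents
fi
```

Unsigned agents print `team=none`; a binary whose Developer ID has been revoked prints `gatekeeper=rejected`, which is the condition worth escalating even when no antivirus signature fires.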

“The ‘Contagious Interview’ campaign and the FERRET family of malware represent an ongoing and active campaign, with threat actors pivoting from signed applications to functionally similar unsigned versions as required,” researchers added. “Diverse tactics help the threat actors deliver malware to a variety of targets in the developer community, both in targeted efforts and what appears to be more ‘scatter gun’ approaches via social media and code sharing sites like GitHub.”
