
FlexibleFerret Malware Targets macOS Users, Bypassing XProtect Defenses


In a concerning escalation of macOS-targeted cyberattacks, researchers have unearthed a new variant of the notorious DPRK-attributed malware family, dubbed “FlexibleFerret.”

This malware is part of the advanced “Contagious Interview” campaign, which has been linked to North Korean threat actors and was first identified in late 2023.

FlexibleFerret reportedly bypasses Apple’s native malware defense system, XProtect, leaving macOS users vulnerable to sophisticated attack vectors.

Figure: Strings in the zoom binary for setting up persistence

Disguised Persistence

FlexibleFerret represents an evolution of earlier “Ferret” malware components, such as FRIENDLYFERRET_SECD and FROSTYFERRET_UI, which masqueraded as legitimate software or system files.

These malware variants gained attention for their ability to exploit social engineering tactics, often targeting job seekers or developers on platforms like GitHub.

Victims were commonly lured into downloading malicious files through job-related communications or fake software updates.

The FlexibleFerret campaign employs a dropper package called “versus.pkg,” which contains deceptive binaries, including a fake Zoom installer and a suspicious app named InstallerAlert.

Upon execution, the installer elevates privileges, drops malicious files into the system’s temporary directories (/var/tmp), and initiates a persistence mechanism disguised in the user’s LaunchAgents folder.

Figure: FlexibleFerret components dropped in the host's /var/tmp folder

Notably, XProtect fails to detect or block these components, making them particularly dangerous.
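As an added illustration, not code from the article or from SentinelOne's research, the following Python triage script parses launch-agent plists and flags the pattern described above: an agent whose executable runs from /var/tmp (or another temporary directory), especially one launchd keeps alive. The directory list, labels and sample plist contents are constructed for the example.

```python
import plistlib
from pathlib import Path

# Locations named in the article: payloads under /var/tmp, persistence via a LaunchAgent.
# Legitimate software does not persist from a temp directory, so such agents merit review.
SUSPECT_DIRS = ("/var/tmp", "/private/var/tmp", "/tmp", "/private/tmp")


def agent_program(plist):
    """Return the executable a launchd plist would run (Program or ProgramArguments[0])."""
    prog = plist.get("Program")
    if isinstance(prog, str):
        return prog
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def check_agent_plist(data):
    """Return a list of findings for one LaunchAgent plist; an empty list means nothing flagged."""
    try:
        plist = plistlib.loads(data)  # accepts both XML and binary plists
    except Exception:  # malformed or truncated plist: still worth a look
        return ["unparseable plist"]
    if not isinstance(plist, dict):
        return ["top-level object is not a dictionary"]
    prog = agent_program(plist)
    if prog is None:
        return ["no Program or ProgramArguments key"]
    findings = []
    if any(prog == d or prog.startswith(d + "/") for d in SUSPECT_DIRS):
        findings.append(f"executable runs from a temp directory: {prog}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive: launchd restarts it if killed")
    return findings


def scan_launch_agents(directory):
    """Map plist filename -> findings for every flagged agent in a LaunchAgents folder."""
    return {p.name: f for p in Path(directory).glob("*.plist")
            if (f := check_agent_plist(p.read_bytes()))}


# Constructed sample agents (not real FlexibleFerret artifacts): one points at a /var/tmp binary.
SAMPLE_SUSPECT = plistlib.dumps({
    "Label": "com.example.updater", "RunAtLoad": True, "KeepAlive": True,
    "ProgramArguments": ["/var/tmp/zoom", "--silent"],
})
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.helper", "RunAtLoad": True,
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"],
})
```

Run `scan_launch_agents(Path.home() / "Library" / "LaunchAgents")` on a Mac to review the current user's agents; a flagged entry is a lead for manual inspection, not proof of infection.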

Researchers revealed that the malicious InstallerAlert binary shares an 86% code similarity with ChromeUpdate, another malware variant linked to the same campaign.

However, FlexibleFerret's binaries were signed with a legitimate Apple Developer ID (since revoked), which initially allowed the malware to evade security checks.

Social Engineering

The attackers behind FlexibleFerret appear to be diversifying their methods by targeting not only job seekers but also the broader developer community.

SentinelOne's report indicates that the threat actors have been posting fake issues on GitHub repositories, encouraging developers to download infected packages.

This shift from targeted campaigns to a more scattergun approach highlights the group’s adaptability and intent to maximize reach.

FlexibleFerret also exhibits behaviors consistent with earlier DPRK-linked malware families, such as using Dropbox for data exfiltration and the api.ipify.org service to capture public IP addresses.

These overlaps reinforce the attribution to North Korean threat actors and their continued focus on macOS systems.

The discovery of FlexibleFerret underscores the need for enhanced macOS security measures beyond reliance on XProtect.

While Apple has been proactive in updating its malware signatures, its defense mechanisms often lag behind the evolving tactics of advanced persistent threats (APTs).

Organizations and individual users are advised to apply robust endpoint protection solutions, monitor potential indicators of compromise, and remain vigilant against social engineering attempts.

As threat actors continue to exploit gaps in macOS protections, the cybersecurity community must remain proactive in unearthing and mitigating such vulnerabilities to safeguard users against these sophisticated attacks.
