Apple has updated XProtect, the signature-based malware blocker built into macOS, to block several variants of macOS malware attributed to North Korea's state-sponsored hacking campaigns. The new signatures, grouped under the Ferret family name, are FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES. Security researchers first documented the campaign in December, detailing how the threat actors used job interview lures to infect victims with the malware.
The Ferret Malware Campaign: A Brief Overview
Dubbed the ‘Contagious Interview’ campaign, the attack vector involves tricking targets into installing malicious software under the guise of virtual meeting tools like VCam or CameraAccess. Once executed, the malware implants a shell script that installs a persistence agent disguised as a Google Chrome update, effectively granting attackers sustained access to compromised macOS systems.
Apple’s latest XProtect update aims to neutralize these threats by identifying and blocking key malware components, including:
FRIENDLYFERRET_SECD, which masquerades as a macOS system file.
FROSTYFERRET_UI, a persistence module hiding under the pretense of CameraAccess.
MULTI_FROSTYFERRET_CMDCODES, a stealthy command-and-control mechanism.
Security researchers at SentinelLABS note that elements of the Ferret family overlap with past North Korean cyber campaigns, such as Hidden Risk. Notably, both campaigns use Dropbox for data exfiltration and leverage the API service ipify.org to determine the victim’s public IP address.
Introducing ‘FlexibleFerret’ – The Undetected Variant
While Apple’s XProtect update fortifies macOS against known Ferret strains, researchers have identified a new, undetected strain labeled ‘FlexibleFerret.’ Unlike previous variants, FlexibleFerret has been observed utilizing signed Apple Developer credentials to gain initial execution privileges.
The malware is embedded in an Apple Installer package named versus.pkg, which contains multiple components, including:
InstallerAlert.app – A deceptive alert tool that misleads users into believing the malware has failed to install.
A malicious binary named 'zoom' – An impostor Zoom client that beacons to zoom.callservice[.]us, a domain with no connection to the legitimate Zoom service.
A post-install script – Deploys malicious components and establishes persistence through the creation of a rogue LaunchAgent.
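The persistence step described above, both the shell script that installs an agent posing as a Google Chrome update and the post-install script that drops a rogue LaunchAgent, leaves a plist on disk, and that plist is a cheap thing to triage. The following Python is an added example written for this page, not code from Apple, SentinelLABS or the malware authors. The two sample plists, the label com.google.chrome.update and the path /Users/Shared/ChromeUpdate are constructed assumptions about what such an agent could look like, not indicators taken from the report; the heuristics are general ones for any LaunchAgent, not specific to Ferret.

```python
import re
from pathlib import Path
import plistlib

# Constructed sample: a LaunchAgent imitating a Chrome updater but launching a
# binary from a world-writable location. Label and path are assumptions.
ROGUE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.google.chrome.update</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/ChromeUpdate</string><string>--silent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample: an ordinary agent shipped by an installed application.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/Applications/Backup.app/Contents/MacOS/backup-agent</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Locations where vendor-installed programs normally live.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/Library/Apple/", "/usr/bin/", "/usr/libexec/")
# Locations any local process can write to; a persistence binary here is suspicious.
USER_WRITABLE = re.compile(
    r"^(?:/tmp/|/private/tmp/|/var/tmp/|/private/var/tmp/|/Users/Shared/|/Users/[^/]+/(?:Library/|\.)|~/)"
)
# Labels that borrow a well-known vendor's reverse-DNS prefix.
VENDOR_LABEL = re.compile(r"^com\.(?:apple|google|zoom)\.", re.IGNORECASE)


def triage_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return human-readable findings for one LaunchAgent plist (empty list = nothing odd)."""
    agent = plistlib.loads(plist_bytes)
    label = str(agent.get("Label", ""))
    args = agent.get("ProgramArguments") or []
    program = str(agent.get("Program") or (args[0] if args else ""))
    findings = []
    if USER_WRITABLE.match(program):
        findings.append(f"program {program} runs from a user-writable or temporary path")
    if VENDOR_LABEL.match(label) and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"label {label} imitates a vendor but program is outside vendor install locations")
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append("RunAtLoad and KeepAlive set: starts at login and is relaunched whenever it exits")
    return findings


def scan_launch_agents(directory: str) -> dict[str, list[str]]:
    """Triage every .plist in a LaunchAgents directory; returns {path: findings} for flagged files."""
    results = {}
    for path in sorted(Path(directory).expanduser().glob("*.plist")):
        try:
            findings = triage_launch_agent(path.read_bytes())
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            findings = [f"could not parse plist: {exc}"]
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    for name, sample in (("rogue", ROGUE_AGENT), ("benign", BENIGN_AGENT)):
        print(name, triage_launch_agent(sample))
    # On a real Mac, the per-user and system-wide agent directories:
    for d in ("~/Library/LaunchAgents", "/Library/LaunchAgents"):
        for path, findings in scan_launch_agents(d).items():
            print(path, findings)
```

The rogue sample trips all three heuristics and the benign one none of them. None of these checks is proof of compromise on its own (plenty of legitimate updaters set KeepAlive), which is why the function returns the reasons rather than a verdict; the combination of a vendor-looking label with a binary outside any vendor install path is the one worth escalating.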
Security researchers found that FlexibleFerret shares roughly 86% code similarity with the ChromeUpdate component of the original Ferret campaign, tying the two together. Unlike ChromeUpdate, FlexibleFerret is signed with an Apple Developer Team ID (58CD8AD5Z4) that Apple has since revoked, so a signature check on the package should now fail even though the binary itself is unchanged.
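The network side of the campaign gives defenders two things to look for: the shared pattern from the Ferret and Hidden Risk campaigns (a public-IP lookup via ipify.org followed by contact with Dropbox for exfiltration) and, for FlexibleFerret, the impostor domain zoom.callservice[.]us. The following Python is an added example written for this page, not code from SentinelLABS or any vendor product. The log lines are constructed, not real telemetry; the exact Dropbox and ipify hostnames matched, the ten-minute window and the log format are assumptions, since the report names only the services.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS query log (not real telemetry): timestamp, querying host, queried name.
SAMPLE_LOG = """\
2025-02-03T09:58:10Z host=mac-07 qname=www.apple.com
2025-02-03T10:00:01Z host=mac-42 qname=api.ipify.org
2025-02-03T10:00:09Z host=mac-42 qname=content.dropboxapi.com
2025-02-03T10:01:30Z host=mac-13 qname=api.ipify.org
2025-02-03T11:45:00Z host=mac-13 qname=content.dropboxapi.com
2025-02-03T10:05:12Z host=mac-99 qname=zoom.callservice.us
"""

# Hostnames for the ipify public-IP lookup service (assumed; the report names only ipify.org).
IP_LOOKUP = {"ipify.org", "api.ipify.org", "api64.ipify.org"}
# Dropbox service domains (assumed set; the report says only that Dropbox is used for exfiltration).
EXFIL_CLOUD = re.compile(r"(?:^|\.)dropbox(?:api|usercontent)?\.com$")
# Impostor Zoom domain from the FlexibleFerret analysis, written defanged in the text.
KNOWN_C2 = {"zoom.callservice.us"}
# How close together the IP lookup and the Dropbox contact must be to count as one sequence.
WINDOW = timedelta(minutes=10)

LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) qname=(?P<qname>\S+)$")


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Parse the constructed log format into (timestamp, host, qname), oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the format rather than guess
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["qname"].lower().rstrip(".")))
    events.sort()
    return events


def detect(text: str) -> dict[str, list[str]]:
    """Return {host: [alert, ...]} for hosts showing either indicator."""
    alerts = defaultdict(list)
    last_lookup = {}  # host -> time of its most recent ipify query
    for ts, host, qname in parse_log(text):
        if qname in KNOWN_C2:
            alerts[host].append(f"contact with known FlexibleFerret C2 domain {qname}")
        if qname in IP_LOOKUP:
            last_lookup[host] = ts
        elif EXFIL_CLOUD.search(qname) and host in last_lookup and ts - last_lookup[host] <= WINDOW:
            alerts[host].append(
                f"public-IP lookup via ipify followed by Dropbox contact ({qname}) within {WINDOW}"
            )
    return dict(alerts)


if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_LOG).items():
        print(host, reasons)
```

In the sample, mac-42 is flagged for the lookup-then-Dropbox sequence and mac-99 for the C2 domain; mac-13 is not, because its Dropbox contact comes well outside the window. Dropbox traffic by itself is normal on most networks, and so is an occasional ipify lookup, which is why the rule keys on the ordered pair within a short window rather than on either name alone. Tune the window to what your own baseline shows.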
North Korean Hackers Expand Attack Methods
The 'Contagious Interview' campaign continues to evolve, with the attackers broadening their targeting beyond job seekers to include developers on GitHub. Recent evidence shows the same actors posting fake GitHub issue comments to trick developers into downloading malware-laced files; in December, one such comment carried misleading instructions that led to Ferret malware droppers.
This shift indicates that North Korean state-sponsored hackers are experimenting with new vectors to infect high-value targets, leveraging social engineering across multiple online platforms.
Apple’s Role in the Fight Against Mac Malware
Apple’s swift action to block known Ferret malware strains through XProtect highlights the increasing need for proactive macOS security measures. However, as SentinelLABS’ findings illustrate, attackers are adept at modifying their malware to bypass traditional signature-based detection methods.
A SentinelOne representative emphasized, “The ‘Contagious Interview’ campaign and the FERRET family of malware represent an ongoing and active campaign, with threat actors pivoting from signed applications to functionally similar unsigned versions as required.”
While Apple’s update strengthens macOS defenses, security experts recommend additional precautions:
Install software only from the App Store or from a vendor site you have verified yourself; treat an installer sent during a job interview or linked from a GitHub issue comment as untrusted, and check a downloaded package's signature with pkgutil --check-signature before opening it, since a missing or revoked Developer ID is reason to stop.
Leave Gatekeeper enabled (it is on by default) and do not override its warnings to run a blocked installer; high-risk users should also consider Lockdown Mode.
Keep macOS current and leave automatic installation of security responses and system files switched on, as that is the channel through which XProtect signature updates arrive.
Use endpoint security tools that watch behavior, such as a newly created LaunchAgent or unexpected outbound connections, rather than relying on static signatures alone; FlexibleFerret shows how quickly a signature can be sidestepped.
The Ongoing Battle Against Mac Malware
As North Korean cyber-espionage campaigns continue to evolve, the battle between threat actors and cybersecurity defenders remains ongoing. Apple’s latest XProtect update marks a crucial step in mitigating known Ferret variants, but the emergence of FlexibleFerret underscores the persistent and adaptive nature of cyber threats. Organizations and individual users must remain vigilant, leveraging multiple layers of security to safeguard against emerging macOS malware threats.
For users seeking advanced protection against Ferret-related attacks, SentinelOne’s Singularity platform provides comprehensive endpoint security solutions tailored to macOS environments. As always, staying informed and adopting best cybersecurity practices remain essential in the fight against state-sponsored cyber threats.