macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed

Feb. 4, 2025, 9:44 a.m.

Description

This intelligence analysis describes newly discovered variants of the DPRK-attributed macOS Ferret malware family, labeled as 'FlexibleFerret'. The malware is part of the ongoing 'Contagious Interview' campaign targeting developers and job seekers. The new variants include a dropper package containing multiple components, including a fake Zoom binary and an InstallerAlert application. These components establish persistence and communicate with a command and control server. The campaign has expanded its tactics, now targeting GitHub users by creating fake issues on legitimate repositories. The malware remains undetected by Apple's XProtect tool, highlighting the evolving nature of the threat.

Date

  • Created: Feb. 4, 2025, 8:35 a.m.
  • Published: Feb. 4, 2025, 8:35 a.m.
  • Modified: Feb. 4, 2025, 9:44 a.m.

Indicators

  • 3c4becde20e618efb209f97581e9ab6bf00cbd63f51f4ebd5677e352c57e992a
  • zoom.callservice.us

Attack Patterns

  • ChromeUpdate
  • MULTI_FROSTYFERRET_CMDCODES
  • FRIENDLYFERRET_SECD
  • FlexibleFerret
  • FROSTYFERRET_UI
  • DPRK

Additional Information

  • Technology