FlexibleFerret Malware Attacking macOS Users, Evading XProtect Detections

   February 4, 2025  Posted in CyberSecurityNews


A new variant of malware, known as FlexibleFerret, has been identified targeting macOS users while evading detection by Apple’s XProtect tool.

This malware is part of a broader campaign attributed to North Korean threat actors, who have been using sophisticated tactics to lure victims into installing malicious software.

The Ferret family of malware, including variants like FROSTYFERRET_UI and FRIENDLYFERRET_SECD, was first reported in December 2023.

SIEM as a Service

These malware components are associated with the “Contagious Interview” campaign, where threat actors trick job seekers into installing malware by masquerading it as necessary software for virtual interviews.

FlexibleFerret Malware Components (Source – SentinelOne)

Besides this, cybersecurity experts at SentinelOne discovered that Apple recently updated XProtect to block some of these variants, but FlexibleFerret remains undetected.

FlexibleFerret Analysis

FlexibleFerret is distributed through an Apple Installer package named versus.pkg, which contains several malicious components, including InstallerAlert.app, versus.app, and a standalone binary called zoom.

Postinstall Script Execution (Source – SentinelOne)

The postinstall.sh script is used to execute these components after installation, logging its progress to /tmp/postinstall.log.

# Log the start of the script
echo "$(date): Running post-installation script..." >> /tmp/postinstall.log
# Check if the zoom file exists and execute it
if [ -f /var/tmp/zoom ]; then
    echo "$(date): Zoom file exists, executing..." >>/tmp/postinstall.log
    /var/tmp/zoom >> /tmp/postinstall.log 2>&1 &
else
    echo "$(date): Zoom file not found" >> /tmp/postinstall.log
fi

The fake zoom binary communicates with the domain zoom.callservice[.]us, which is not a legitimate Zoom domain.

Meanwhile, InstallerAlert.app tricks users into thinking it’s a legitimate application by displaying an error message, while secretly installing a persistence item in the User’s Library LaunchAgents folder with the label com.zoom.plist.

InstallerAlert Error Message (Source – SentinelOne)

The Contagious Interview campaign has expanded beyond targeting job seekers to include developers on platforms like GitHub. Threat actors are using fake issues on legitimate repositories to distribute malware droppers.

Users are advised to be cautious when installing software from untrusted sources and to keep their security software updated.

Indicators of Compromise (IoCs)

  • versus.pkg: 388ac48764927fa353328104d5a32ad825af51ce
  • InstallerAlert Mach-Os: 1a28013e4343fddf13e5c721f91970e942073b88, 3e16c6489bac4ac2d76c555eb1c263cd7e92c9a5, 76e3cb7be778f22d207623ce1907c1659f2c8215

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free



Source link