macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed
Essential information
- Published
- 04/02/2025 08:35
- Modified
- 04/02/2025 09:44
- Tags
- 2025-02-04 chromeupdate contagious interview developers dprk dropper flexibleferret friendlyferret_secd frostyferret_ui github macos multi_frostyferret_cmdcodes persistence
- Related entities
- 2 observables, 1 intrusion sets (apt), 11 techniques (mitre), 5 malware, 1 others
Description
This intelligence analysis describes newly discovered variants of the DPRK-attributed macOS Ferret malware family, labeled as 'FlexibleFerret'. The malware is part of the ongoing 'Contagious Interview' campaign targeting developers and job seekers. The new variants include a dropper package containing multiple components, including a fake Zoom binary and an InstallerAlert application. These components establish persistence and communicate with a command and control server. The campaign has expanded its tactics, now targeting GitHub users by creating fake issues on legitimate repositories. The malware remains undetected by Apple's XProtect tool, highlighting the evolving nature of the threat.