Sunday, June 15, 2025

FlexibleFerret Malware Attacking macOS Users, Evading XProtect Detections


A new macOS malware variant, dubbed “FlexibleFerret,” has been identified targeting developers and job seekers as part of an ongoing North Korean phishing campaign.

Despite Apple's recent signature updates to its XProtect malware detection tool, which cover earlier FERRET samples, this latest variant is not matched by those signatures, a reminder of how narrow a signature-based defence can be.

FlexibleFerret belongs to a broader family of malware known as “FERRET,” initially uncovered in December 2024.


This malware family was attributed to the “Contagious Interview” campaign, where victims were lured through fake job interviews to install malicious software disguised as legitimate applications like virtual meeting tools or browser updates.

Technical Breakdown of FlexibleFerret

Recent investigations by SentinelLabs revealed that the FlexibleFerret variant slips past XProtect's current signatures without any exploit, relying instead on a deceptive installer, a decoy error dialog and a launchd persistence job.

Delivered via a malicious installer package titled "versus.pkg", the dropper bundles deceptive components including InstallerAlert.app and a fake Zoom binary.

[Figure: file contents of the FlexibleFerret dropper, versus.pkg]

The package's install scripts write additional scripts and binaries to out-of-the-way locations such as /var/tmp/ and /private/tmp/ (on macOS, /var and /tmp are symlinks into /private, so /var/tmp and /private/var/tmp are the same directory), from which the malware sets up persistence and runs its payload.

One of the malware's notable features is that it was signed with a valid Apple Developer ID certificate, lending it credibility.

Apple has since revoked that certificate, but while it was valid the signed package passed Gatekeeper's signature checks during distribution, so users saw no warning at install time.

The malware imitates system behaviour to avoid suspicion. Its InstallerAlert executable displays a fake macOS error dialog reading "This file is damaged and cannot be opened", modelled on the warning macOS itself shows for an app it refuses to run, so the user concludes the application simply failed to launch.

In the background, however, the malware sets up persistence by writing a LaunchAgent property list named to look like a legitimate Zoom service; that agent launches the payload the package dropped at /private/var/tmp/logd.
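The persistence pattern just described (a launchd job with a Zoom-looking label whose executable sits in a temporary directory) is something a responder can hunt for directly. The script below is an added example written for this article, not code from the original post or from SentinelLabs; the Zoom-impersonation heuristic, the allowlisted Zoom bundle path and the sample plists in demo_scan() are assumptions, and the sample data is constructed, not an indicator from the report.

```python
"""Hunt LaunchAgent/LaunchDaemon plists for jobs that run a binary out of a
temporary directory or borrow Zoom's name for something outside Zoom's bundle.
Added example for this article; not code from the post or from SentinelLabs."""
import os
import plistlib
import tempfile
from typing import List, Optional, Tuple

# On macOS, /var, /tmp and /etc are symlinks into /private, so a job naming
# /var/tmp/logd and one naming /private/var/tmp/logd run the same file.
SYMLINKED = ("/var/", "/tmp/", "/etc/")
TEMP_PREFIXES = ("/private/var/tmp/", "/private/tmp/", "/var/folders/")

# Directories launchd reads persistence jobs from.
LAUNCHD_DIRS = (
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
)


def normalize_mac_path(path: str) -> str:
    """Fold the /var, /tmp and /etc symlinks into their /private targets."""
    for link in SYMLINKED:
        if path.startswith(link):
            return "/private" + path
    return path


def launched_program(job: dict) -> Optional[str]:
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    prog = job.get("Program")
    if isinstance(prog, str):
        return prog
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def is_suspicious_job(job: dict) -> Tuple[bool, str]:
    """Flag a job whose binary lives in a temp dir, or whose label mentions Zoom
    while it runs something outside /Applications/zoom.us.app (heuristic, assumption)."""
    prog = launched_program(job)
    if prog is None:
        return False, "no program"
    norm = normalize_mac_path(prog)
    if norm.startswith(TEMP_PREFIXES):
        return True, f"runs {norm} from a temporary directory"
    label = str(job.get("Label", "")).lower()
    if "zoom" in label and not norm.startswith("/Applications/zoom.us.app/"):
        return True, f"label {label!r} imitates Zoom but runs {norm}"
    return False, norm


def scan_dir(directory: str) -> List[Tuple[str, str]]:
    """(plist path, reason) for every suspicious plist in directory."""
    hits: List[Tuple[str, str]] = []
    if not os.path.isdir(directory):
        return hits
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                job = plistlib.load(fh)  # parses XML and binary plists alike
        except (plistlib.InvalidFileException, OSError, ValueError):
            continue
        flagged, reason = is_suspicious_job(job)
        if flagged:
            hits.append((path, reason))
    return hits


def demo_scan() -> List[str]:
    """Constructed sample: one benign job and one shaped like the article's
    description (Zoom-looking label, binary at /var/tmp/logd). Both are made up."""
    jobs = {
        "com.example.updater.plist": {        # hypothetical benign job
            "Label": "com.example.updater",
            "ProgramArguments": ["/usr/local/bin/updater", "--check"],
        },
        "com.zoom.lookalike.plist": {         # constructed lookalike, not a real IOC
            "Label": "com.zoom.service",
            "ProgramArguments": ["/var/tmp/logd"],
            "RunAtLoad": True,
        },
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, job in jobs.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                plistlib.dump(job, fh)
        return [reason for _, reason in scan_dir(tmp)]


if __name__ == "__main__":
    for d in LAUNCHD_DIRS:
        for path, reason in scan_dir(d):
            print(f"SUSPICIOUS {path}: {reason}")
```

Run it on a live Mac and it walks the three launchd directories; run demo_scan() to see the constructed lookalike flagged while the benign job is left alone. Path normalisation matters: a signature or hunt that only matches the literal string /private/var/tmp/logd misses a plist that spells the same file as /var/tmp/logd.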

A Broader Threat Spectrum

The “Contagious Interview” campaign and the FERRET malware family, including FlexibleFerret, reflect a well-coordinated effort by North Korean advanced persistent threat (APT) groups.

These groups target not only job seekers but also developers using repositories like GitHub.

[Figure: a threat actor tries to trick GitHub users into downloading FERRET malware]

SentinelLabs observed attackers posting fake issues and comments to lure developers into downloading infected files, including components of the FERRET malware.

FlexibleFerret also employs tactics seen in other North Korea-linked campaigns: the Dropbox API as an exfiltration channel and the IP lookup service api.ipify.org to identify and track infected devices. Both are legitimate, widely used services, so this traffic blends in unless the process that generates it is examined.
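Because both services are legitimate, blocking them outright is rarely an option; what stands out is the combination of an api.ipify.org lookup followed shortly by Dropbox API traffic from a process that is not the Dropbox client. The detection below is an added example written for this article, not code from the post or from SentinelLabs. The log format, the ten-minute window, the allowlisted Dropbox client path and every line of SAMPLE_LOG are constructed assumptions for the example; the host names and the /private/var/tmp/logd process are taken from the article's description of the payload rather than from any indicator list.

```python
"""Correlate an api.ipify.org lookup with Dropbox API traffic from an unexpected
process on the same host. Added example for this article; the log format and
sample records are constructed, not data from the report."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

IP_LOOKUP_HOSTS = {"api.ipify.org"}
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Processes from which Dropbox API traffic is expected: a hypothetical allowlist.
EXPECTED_DROPBOX_CLIENTS = {"/Applications/Dropbox.app/Contents/MacOS/Dropbox"}
WINDOW = timedelta(minutes=10)  # how soon after an IP lookup a Dropbox call counts

# Constructed endpoint records: "<UTC time> <host> <process path> <destination>".
SAMPLE_LOG = """\
2025-02-03T10:00:01Z mac-dev-01 /Applications/Dropbox.app/Contents/MacOS/Dropbox content.dropboxapi.com
2025-02-03T10:02:10Z mac-dev-02 /private/var/tmp/logd api.ipify.org
2025-02-03T10:02:12Z mac-dev-02 /private/var/tmp/logd api.dropboxapi.com
2025-02-03T10:02:15Z mac-dev-02 /private/var/tmp/logd content.dropboxapi.com
2025-02-03T10:30:00Z mac-dev-03 /usr/bin/curl api.ipify.org
2025-02-03T11:45:00Z mac-dev-03 /Applications/Dropbox.app/Contents/MacOS/Dropbox api.dropboxapi.com
"""


@dataclass
class Event:
    time: datetime
    host: str
    process: str
    dest: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one record; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, host, process, dest = parts
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, process, dest)


def detect(log_text: str) -> List[dict]:
    """Alert when Dropbox API traffic comes from a process outside the allowlist
    and follows an api.ipify.org lookup on the same host within WINDOW."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            by_host[ev.host].append(ev)

    alerts: List[dict] = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e.time)
        lookups = [e.time for e in events if e.dest in IP_LOOKUP_HOSTS]
        open_alerts: Dict[str, dict] = {}  # one alert per offending process
        for ev in events:
            if ev.dest not in DROPBOX_API_HOSTS or ev.process in EXPECTED_DROPBOX_CLIENTS:
                continue
            prior = [t for t in lookups if timedelta(0) <= ev.time - t <= WINDOW]
            if not prior:
                continue
            alert = open_alerts.get(ev.process)
            if alert is None:
                alert = {
                    "host": host,
                    "process": ev.process,
                    "ip_lookup_at": prior[0].isoformat(),
                    "destinations": [],
                }
                open_alerts[ev.process] = alert
                alerts.append(alert)
            if ev.dest not in alert["destinations"]:
                alert["destinations"].append(ev.dest)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['host']}: {a['process']} looked up its public IP at "
              f"{a['ip_lookup_at']} then talked to {', '.join(a['destinations'])}")
```

On the constructed sample only mac-dev-02 fires: the real Dropbox client on mac-dev-01 is allowlisted, and the curl lookup on mac-dev-03 is never followed by Dropbox traffic from an unexpected process. In production the records would come from EDR or proxy telemetry that attributes connections to a process; a Dropbox API call from an unexpected binary is worth a look even without the ipify pairing, and the allowlist should be tuned to the clients actually deployed.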

While Apple has added signatures for some FERRET components to XProtect, the FlexibleFerret variant was not detected by the XProtect version current at the time of SentinelLabs' report.

The emergence of FlexibleFerret underscores the need for heightened vigilance among macOS users, particularly developers.

As attackers broaden their delivery methods and produce variants that slip past signature-based protections, the basics matter: run endpoint protection that looks at behaviour rather than only signatures, avoid installers from untrusted sources (including those offered during a job interview), and monitor for the indicators of compromise published for this family.

Organizations and individuals are encouraged to stay updated with the latest threat intelligence and to employ robust security solutions capable of detecting advanced malware families like FERRET.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware and vulnerabilities.
