Sunday, February 9, 2025

FlexibleFerret Malware Attacking macOS Users, Evading XProtect Detections
A new macOS malware variant, dubbed “FlexibleFerret,” has been identified targeting developers and job seekers as part of an ongoing North Korean phishing campaign.

Despite Apple’s recent signature updates to its XProtect malware detection tool, this latest variant demonstrates the ability to bypass protections, raising new concerns about macOS cybersecurity.

FlexibleFerret belongs to a broader family of malware known as “FERRET,” initially uncovered in December 2024.

This malware family was attributed to the “Contagious Interview” campaign, where victims were lured through fake job interviews to install malicious software disguised as legitimate applications like virtual meeting tools or browser updates.

Technical Breakdown of FlexibleFerret

Recent investigations by SentinelLabs revealed that the FlexibleFerret variant leverages sophisticated techniques to evade detection.

Delivered via a malicious installer package, titled “versus.pkg,” the dropper includes deceptive components such as InstallerAlert.app and a fake Zoom binary.

Figure: File contents of the FlexibleFerret dropper, versus.pkg

The package installs additional scripts and binaries in concealed locations on infected devices, including /var/tmp/ and /private/tmp/, where it achieves persistence and executes its payload.

One of the standout features of the malware is its use of legitimate-looking Apple Developer signatures for credibility.

Although the developer signature linked to FlexibleFerret has since been revoked, threat actors exploited it to bypass macOS Gatekeeper protections during distribution.

The malware mimics system behaviors to avoid arousing suspicion. For instance, one of its executables, InstallerAlert, displays a fake macOS error message, “This file is damaged and cannot be opened,” giving users the impression that the application failed to run.

In the background, however, the malware establishes persistence mechanisms, such as planting a malicious LaunchAgent file disguised as a legitimate Zoom service, targeting /private/var/tmp/logd for its payload operations.
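The persistence mechanism described above (a LaunchAgent that borrows a Zoom-looking label while actually launching a binary staged under a temporary directory such as /private/var/tmp) is something a defender can audit for directly. The following script is an added example and is not code from the article or from SentinelLabs. It parses launchd property lists with Python's standard plistlib and flags two conditions: a program path under one of the temp directories the report names, and a label that claims to be Zoom while the program does not live under a Zoom install path. The sample plists, the "us.zoom.update" label and the "--daemon" argument are constructed for the demonstration; the temp-directory list and the /private/var/tmp/logd path come from the article.

```python
import plistlib
from pathlib import Path

# Staging directories named in the report; /tmp is the usual symlink target of /private/tmp.
SUSPICIOUS_DIRS = ("/var/tmp/", "/private/tmp/", "/private/var/tmp/", "/tmp/")

# Where a genuine Zoom launch item would point (assumption: standard install locations).
ZOOM_INSTALL_MARKERS = ("/applications/zoom", "zoom.us")


def program_paths(plist: dict) -> list[str]:
    """Return every string launchd could execute from this plist (Program + ProgramArguments)."""
    paths = []
    if isinstance(plist.get("Program"), str):
        paths.append(plist["Program"])
    args = plist.get("ProgramArguments")
    if isinstance(args, list):
        paths.extend(str(a) for a in args)
    return paths


def assess_launch_item(plist: dict) -> list[str]:
    """Return human-readable findings for one LaunchAgent/LaunchDaemon dict; [] means clean."""
    findings = []
    paths = program_paths(plist)
    for p in paths:
        if p.startswith(SUSPICIOUS_DIRS):
            findings.append(f"executes from a temp directory: {p}")
    label = str(plist.get("Label", ""))
    if "zoom" in label.lower():
        looks_legit = any(m in p.lower() for p in paths for m in ZOOM_INSTALL_MARKERS)
        if not looks_legit:
            findings.append(f"label {label!r} impersonates Zoom but runs {paths}")
    return findings


def scan_plist_bytes(raw: bytes) -> list[str]:
    """Parse raw plist bytes (XML or binary) and assess them."""
    return assess_launch_item(plistlib.loads(raw))


def scan_directory(dirpath) -> dict[str, list[str]]:
    """Scan every *.plist in a directory (e.g. ~/Library/LaunchAgents); unparseable files are reported too."""
    results = {}
    for f in Path(dirpath).glob("*.plist"):
        try:
            findings = scan_plist_bytes(f.read_bytes())
        except Exception as exc:  # noqa: BLE001 - a plist that will not parse is itself worth a look
            findings = [f"unparseable plist: {exc}"]
        if findings:
            results[str(f)] = findings
    return results


# Constructed sample: what a genuine Zoom launch item looks like.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>us.zoom.ZoomDaemon</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/zoom.us.app/Contents/MacOS/zoom.us</string></array>
</dict></plist>"""

# Constructed sample modelled on the report: Zoom-style label, payload staged under /private/var/tmp/logd.
SAMPLE_FAKE_ZOOM = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>us.zoom.update</string>
  <key>ProgramArguments</key>
  <array><string>/private/var/tmp/logd</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print("benign:", scan_plist_bytes(SAMPLE_BENIGN))
    print("fake zoom:", scan_plist_bytes(SAMPLE_FAKE_ZOOM))
    for path, findings in scan_directory(Path.home() / "Library" / "LaunchAgents").items():
        print(path, findings)
```

Run it on a real machine against ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; a hit on the temp-directory rule is a strong signal on its own, since legitimate vendors do not persist binaries out of /var/tmp.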

A Broader Threat Spectrum

The “Contagious Interview” campaign and the FERRET malware family, including FlexibleFerret, reflect a well-coordinated effort by North Korean advanced persistent threat (APT) groups.

These groups target not only job seekers but also developers using repositories like GitHub.

Figure: A threat actor tries to trick GitHub users into downloading FERRET malware

SentinelLabs observed attackers posting fake issues and comments to lure developers into downloading infected files, including components of the FERRET malware.

FlexibleFerret also employs common tactics seen in other North Korea-linked campaigns, such as the use of Dropbox APIs for exfiltration and IP resolution services like api.ipify.org to monitor infected devices.
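Neither api.ipify.org nor the Dropbox API is malicious on its own, so alerting on either host alone would drown a SOC in noise. The pairing the article describes (an IP-resolution lookup followed by Dropbox API traffic from the same host) is a better hunting signal. The script below is an added example, not code from the article or from SentinelLabs; it reads constructed proxy-style log lines (timestamp, source host, destination host), and flags any source that contacts an ipify endpoint and a Dropbox API endpoint within a configurable window. The log format, the host names "mac-dev-01" and "mac-dev-02", and the 10-minute window are assumptions for the demonstration; the indicator hosts come from the article.

```python
import re
from datetime import datetime, timedelta

# Indicators named in the report, grouped by the role they play.
IP_RESOLUTION_HOSTS = ("api.ipify.org",)
EXFIL_API_HOSTS = ("api.dropboxapi.com", "content.dropboxapi.com")

# Assumed log format: "<ISO timestamp> src=<host> dst=<fqdn>" (constructed for this example).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)$")


def parse_line(line: str):
    """Return (timestamp, src, dst) or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"].lower()


def find_paired_indicators(lines, window=timedelta(minutes=10)) -> dict[str, list[tuple[str, str]]]:
    """
    For each source host, return the (ipify, dropbox) destination pairs seen within `window`
    of each other. Hosts that only touched one of the two families are not reported.
    """
    lookups: dict[str, list[tuple[datetime, str]]] = {}
    exfil: dict[str, list[tuple[datetime, str]]] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst = parsed
        if dst in IP_RESOLUTION_HOSTS:
            lookups.setdefault(src, []).append((ts, dst))
        elif dst in EXFIL_API_HOSTS:
            exfil.setdefault(src, []).append((ts, dst))

    hits: dict[str, list[tuple[str, str]]] = {}
    for src in lookups.keys() & exfil.keys():
        for t1, h1 in lookups[src]:
            for t2, h2 in exfil[src]:
                if abs(t2 - t1) <= window:
                    hits.setdefault(src, []).append((h1, h2))
    return hits


# Constructed sample log: mac-dev-01 shows the paired pattern, mac-dev-02 only syncs Dropbox.
SAMPLE_LOG = """
2025-02-07T09:00:12 src=mac-dev-02 dst=content.dropboxapi.com
2025-02-07T09:01:40 src=mac-dev-01 dst=api.ipify.org
2025-02-07T09:02:05 src=mac-dev-01 dst=api.dropboxapi.com
2025-02-07T09:03:00 src=mac-dev-01 dst=content.dropboxapi.com
2025-02-07T11:30:00 src=mac-dev-02 dst=api.ipify.org
this line is malformed and must be skipped
""".strip().splitlines()

if __name__ == "__main__":
    for host, pairs in find_paired_indicators(SAMPLE_LOG).items():
        print(f"{host}: ipify lookup followed by Dropbox API traffic -> {pairs}")
```

mac-dev-02 also contacts both families, but two and a half hours apart, so it falls outside the window and is not reported; tune the window to the dwell time you expect between the beacon's first check-in and its first upload.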

While Apple has added some FERRET components to XProtect’s blocklist, the FlexibleFerret variant remains undetected by the latest version of the tool.

The emergence of FlexibleFerret underscores the need for heightened vigilance among macOS users, particularly developers.

As attackers expand their malware delivery methods and develop variants capable of evading traditional protections, security best practices, including using endpoint protection, avoiding untrusted downloads, and monitoring for indicators of compromise, are critical.

Organizations and individuals are encouraged to stay updated with the latest threat intelligence and to employ robust security solutions capable of detecting advanced malware families like FERRET.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
