NEWS BRIEF
Apple has released a new update for XProtect, its built-in on-device anti-malware tool, to block variants of malware belonging to the macOS Ferret family. This malware is part of a North Korean campaign in which threat actors lure targets into installing malware through a fake job interview process.
The Contagious Interview Campaign
This malware has been identified as part of "Contagious Interview," a North Korean campaign involving threat actors convincing targets to install malware onto their devices through a fake job interview process. Other variants in the campaign include FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES.
The DPRK Malware Family
The DPRK malware family was first detailed by researchers in December 2024 and again in January. As part of the campaign, targets are asked to communicate with an "interviewee" through a link that prompts them to install a piece of software supposedly required for virtual meetings.
How the Malware Works
Once installed, the malware runs a malicious shell script, installs a persistence agent, and drops an executable impersonating a Google Chrome update. The Contagious Interview attack chains are designed to deliver the JavaScript-based malware "BeaverTail," which in turn delivers a Python backdoor known as InvisibleFerret and harvests sensitive data from Web browsers and crypto wallets.
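A defender reading the description above will want a way to audit launch agents for the "fake Chrome update" persistence pattern. The following is an added example, not code from Apple, SentinelOne, or the researchers cited on the page. It assumes a small allowlist of paths where genuine Google updater components live on macOS, and it runs over a few constructed LaunchAgent plists embedded inline; the labels and paths in those samples are made up for illustration and are not indicators from the campaign.

```python
import plistlib
from typing import Dict, List, Optional

# Assumed allowlist: substrings of paths where legitimate Google Chrome updater
# components are installed on macOS (system-wide or under a user's home).
TRUSTED_PATH_FRAGMENTS = (
    "/Applications/Google Chrome.app/",
    "/Library/Google/GoogleSoftwareUpdate/",
)


def program_path(agent: dict) -> Optional[str]:
    """Return the executable a launchd job runs (Program or ProgramArguments[0])."""
    if "Program" in agent:
        return str(agent["Program"])
    args = agent.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def is_suspicious_chrome_updater(agent: dict) -> bool:
    """Flag a job that presents itself as Chrome/Google but runs from an untrusted path."""
    label = str(agent.get("Label", "")).lower()
    path = program_path(agent) or ""
    claims_google = "chrome" in label or "google" in label or "chrome" in path.lower()
    if not claims_google:
        return False
    trusted = any(fragment in path for fragment in TRUSTED_PATH_FRAGMENTS)
    return not trusted


def audit_plists(plists: Dict[str, bytes]) -> List[str]:
    """Parse each plist (filename -> raw bytes) and return the names worth a closer look."""
    flagged: List[str] = []
    for name, data in plists.items():
        try:
            agent = plistlib.loads(data)
        except Exception:
            # An unparseable file in a LaunchAgents directory is itself anomalous.
            flagged.append(name)
            continue
        if isinstance(agent, dict) and is_suspicious_chrome_updater(agent):
            flagged.append(name)
    return flagged


# Constructed sample plists (not real artifacts from the campaign).
SAMPLE_PLISTS: Dict[str, bytes] = {
    # Genuine-looking Google updater agent under a user's home directory.
    "com.google.keystone.agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    # Claims to be a Chrome update but runs from Application Support (constructed).
    "com.google.chrome.update.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.chrome.update</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/ChromeUpdate</string>
    <string>--silent</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    # Unrelated, benign job that should not be flagged.
    "com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backup</string>
</dict></plist>""",
    # Garbage where a plist should be.
    "broken.plist": b"not a plist at all",
}

if __name__ == "__main__":
    for name in audit_plists(SAMPLE_PLISTS):
        print("review:", name)
```

On a live system the `SAMPLE_PLISTS` mapping would be built by reading `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; the allowlist is deliberately narrow so that a job merely naming itself after Chrome is not enough to pass.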
New Variant: FlexibleFerret
Researchers at SentinelOne have highlighted samples they're calling "FlexibleFerret" that were still undetected by XProtect as of February 3. This component dates back to November 2023. The SentinelOne researchers noted that in one example from late December, a "commenter" left instructions leading to the download of Ferret family droppers, suggesting that the threat actors are willing to expand their delivery vectors beyond the specific targeting of job seekers to developers more generally.
Conclusion
The Contagious Interview campaign is a sophisticated example of North Korean threat actors using social engineering tactics to deliver malware. Apple’s new patch for XProtect is a welcome move to block these variants, but it highlights the ongoing need for vigilance and detection capabilities to stay ahead of evolving threats.