Apple Updates XProtect to Combat Evolving macOS Ferret Malware Threats
Apple has released new signature updates for its on-device malware protection tool, XProtect, to block variants of malware linked to the macOS Ferret family.

This malware has been associated with Contagious Interview, a North Korean cyber campaign where threat actors deceive targets into installing malware under the guise of a fake job interview. Other variants involved in this operation include FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES.
Initially detailed by researchers in December 2024 and further analyzed in January, the campaign operates by directing targets to communicate with an "interviewee" via a link that prompts the installation of software supposedly needed for virtual meetings. Once installed, the malware executes a malicious shell script, establishes persistence, and deploys an executable disguised as a Google Chrome update.
The Contagious Interview attack chain is designed to drop BeaverTail, a JavaScript-based malware that delivers a Python backdoor called InvisibleFerret, which is capable of extracting sensitive information from web browsers and cryptocurrency wallets.
Researchers at SentinelOne have now identified a new variant, FlexibleFerret, which was undetected by XProtect as of February 3. This suggests that the attackers are refining their tactics to evade security measures. The FlexibleFerret component has been traced back to November 2023.
"In a case from late December, a 'commenter' left instructions leading to the download of Ferret family droppers," SentinelOne researchers reported. "This indicates that the attackers are expanding their delivery methods beyond job seekers, now targeting developers as well."