The Contagious Interview campaign, orchestrated by North Korean threat actors, has recently been discovered distributing a series of Apple macOS malware strains known as FERRET under the guise of job interviews. SentinelOne researchers Phil Stokes and Tom Hegel detailed that targets are asked to join an interviewer through a link that prompts them to install or update software such as VCam or CameraAccess for virtual meetings.
Initially unearthed in late 2023, Contagious Interview is an ongoing effort by the hacking group to disseminate malware to potential victims through fake npm packages and native applications posing as videoconferencing software. The campaign is also identified as DeceptiveDevelopment and DEV#POPPER, with the attack chains deploying BeaverTail JavaScript malware to extract sensitive information from web browsers and cryptocurrency wallets, along with delivering a Python backdoor named InvisibleFerret.
In a more recent development, Japanese cybersecurity company NTT Security Holdings disclosed that the JavaScript malware associated with the FERRET family is programmed to fetch and run another malware strain named OtterCookie. This discovery signals that the threat actors are continually refining their strategies to avoid detection, including employing a ClickFix-style approach to dupe users into executing malicious commands on their macOS systems via the Terminal app.
Security researcher Taylor Monahan highlighted that the attacks originate from the hackers posing as recruiters on LinkedIn, persuading targets to complete a video assessment. The end goal is to deploy a Golang-based backdoor and stealer to drain the victim’s MetaMask Wallet and execute commands on the compromised host. The malware components are referred to as FRIENDLYFERRET and FROSTYFERRET_UI, with SentinelOne identifying another set of artifacts called FlexibleFerret responsible for establishing persistence on infected systems via a LaunchAgent.
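Because the FlexibleFerret artifacts described above establish persistence through a LaunchAgent, a defender's first triage step is to enumerate the agents on a host and flag the ones that warrant a closer look. The script below is an added example, not code from the article or from SentinelOne: it parses LaunchAgent plists with the standard `plistlib` module and reports entries that run from temporary or hidden locations, launch through an interpreter, or are configured to restart themselves. The two sample plists are constructed for illustration; their labels and paths are hypothetical and are not indicators from the campaign.

```python
"""Audit macOS LaunchAgent plists for persistence entries worth reviewing.

Added example, not part of the original article. Sample plists below are
constructed; labels and paths are hypothetical, not campaign indicators.
"""
from __future__ import annotations

import plistlib
from pathlib import Path

# Locations where a legitimate LaunchAgent program is unlikely to live.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
# Interpreters commonly used to run a dropped script from an agent.
INTERPRETERS = {"sh", "bash", "zsh", "python3", "osascript", "node"}


def flags_for_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons an agent looks suspicious; an empty list means none found."""
    data = plistlib.loads(plist_bytes)
    reasons: list[str] = []
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    cmdline = " ".join(args) if args else program

    if not program:
        reasons.append("no Program/ProgramArguments")
    elif program.startswith(SUSPICIOUS_PREFIXES):
        reasons.append(f"program in temp/shared location: {program}")
    # A "/." in the command line means a hidden directory is involved.
    if "/." in cmdline:
        reasons.append(f"hidden directory in command line: {cmdline}")
    if args and Path(args[0]).name in INTERPRETERS:
        reasons.append(f"interpreter launch: {cmdline}")
    # RunAtLoad plus KeepAlive makes launchd restart the program if it exits.
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (self-restarting)")
    return reasons


def audit_directory(directory: Path) -> dict[str, list[str]]:
    """Run flags_for_agent over every .plist in a directory, keyed by file name."""
    results: dict[str, list[str]] = {}
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            results[plist_path.name] = flags_for_agent(plist_path.read_bytes())
        except Exception as exc:  # malformed plist is itself worth a look
            results[plist_path.name] = [f"unparseable: {exc}"]
    return results


# Constructed samples (hypothetical labels and paths).
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
    "RunAtLoad": True,
})
SAMPLE_SUSPECT = plistlib.dumps({
    "Label": "com.example.helper",
    "ProgramArguments": ["/bin/sh", "-c", "/Users/alice/.hidden/run.sh"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(name, flags_for_agent(sample) or "no findings")
    # On a real host, audit the per-user agents directory.
    for fname, reasons in audit_directory(Path.home() / "Library/LaunchAgents").items():
        print(fname, reasons or "no findings")
```

The heuristics are deliberately coarse: a hit is a reason to inspect the program the agent runs (code signature, file origin, creation time), not a verdict. Extend `SUSPICIOUS_PREFIXES` and `INTERPRETERS` to match the host's baseline, and run the same audit over `/Library/LaunchAgents` and `/Library/LaunchDaemons` with the appropriate privileges.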
The evolving tactics of the threat actors have extended to planting fake issues on legitimate GitHub repositories to propagate the FERRET malware, expanding their attack vectors beyond job seekers to the broader developer community. These developments coincide with the discovery of a malicious npm package named postcss-optimizer containing BeaverTail malware, underscoring the persistent efforts of North Korean threat actors to target developers across various platforms and systems for data exfiltration and credential theft.