CyberWire Daily - Caught in the contagious interview. [Research Saturday]
Episode Date: March 1, 2025
This week we are joined by Phil Stokes, threat researcher at SentinelOne's SentinelLabs, discussing their work on "macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed." Apple recently pushed an update to its XProtect tool, blocking several variants of the DPRK-linked Ferret malware family, which targets victims through the "Contagious Interview" campaign. The malware uses fake job interview processes to trick users into installing malicious software, and new variants, including FlexibleFerret, remain undetected by XProtect. SentinelOne's research reveals a deeper investigation into this malware, which uses social engineering to expand its attack vectors, including targeting developers through platforms like GitHub. The research can be found here: macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting
your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families 24/7/365 with Black Cloak. Learn more at blackcloak.io
Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave
Bittner, and this is our weekly conversation
with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
We were actually pivoting off some research that was published in early January on a website called DMP Dump.
And they described a cross-platform attack chain which had some macOS components, but
they didn't fully analyze all of it.
So we wanted to jump in there and see what else we could unearth.
That's Phil Stokes, threat researcher at SentinelOne's SentinelLabs.
The research we're discussing today is titled "macOS FlexibleFerret |
Further Variants of DPRK Malware Family Unearthed."
Well, describe to us what exactly is FlexibleFerret. So, yeah, there's a bit of context there.
It's a little bit of a rabbit hole just to mix metaphors, but it starts with this campaign called Contagious Interview, which is a wider tactic of North
Korean threat actors.
They've been using the same tactic for a few years, but basically what they're doing is
targeting employees or potential employees of businesses, and in particular software
developers, through the job interview process. So basically what they're doing is engaging people across social media to take a job interview.
And then as part of that interview, they kind of throw the whammy, oh look, you need to
install this software.
Or another little might be, they might say,
hey, we're interviewing you for a software developer's job.
Run this software and tell us what you think,
or give us an analysis, or some variation of this.
Basically, what's going on behind the scenes
is they're running a first stage component to find out what OS the
target is running. If it's a Mac, then they will deliver Mac specific components, which is what
we call the Ferret malware. So the Ferret malware is basically a first-stage Mac binary, usually a Mac app
in fact, and then it'll do something like install a Mac-specific persistence agent and a Mac-specific
second stage, which is normally a backdoor. So that's the overall background
of the Ferret family.
Are there any particular key, like, technical characteristics of FlexibleFerret? Does
it build upon previous DPRK-linked malware?
Yeah, as I said, it's a bit of a rabbit hole, because we actually see quite a few of the same artifacts used in different
campaigns. So in FlexibleFerret, in fact, the second-stage backdoor malware that Apple had written
signatures for on the back of the research that came out in early January, there was a second-stage backdoor, and that actually turned out to be the same backdoor that we had seen
in a previous campaign we'd written about near the end of last year called Hidden Risk,
which is a campaign which doesn't target people through the job interview process, but is
actually sending out phishing links to people interested in crypto or decentralized
finance.
In that campaign, they were getting people to click on a link to open a PDF, and that
was installing the same second stage malware that Ferret malware is also using.
So, yeah, there's a lot of connections across the artifacts,
some of the code artifacts in different parts of these,
malware components, we see them reused across campaigns.
Well, how does Flexible Ferret operate
once it infects a Mac system?
Right, so in the case of FlexibleFerret, what you have
is an installer package, which is slightly different from the previous Ferret versions,
which were getting users to run a shell script, which would then download some particular malicious
components. In FlexibleFerret, what we see is an installer package, so
the delivery mechanism was different, suggesting maybe alternative
channels where attackers are finding victims that maybe are shy of running
terminal commands, which you wouldn't think was developers; normally they're
quite terminal savvy. So in this case, FlexibleFerret was coming in a prepackaged installer, and it would present
a user interface to the victim, basically mimicking what Gatekeeper does when you try to run some
application that is not properly code signed.
So we just throw up this warning saying,
this program is damaged and can't be run.
That's just a decoy.
In fact, it is running behind the scenes.
So that idea of that is to make the user just go,
oh, okay, this is no good.
You have to move on, forget about it.
But what's really going on is the persistence agent
is being installed as a launch agent.
And the second stage, a Go binary, is then being downloaded
from a remote C2.
They're also grabbing the user's password,
because the first stage will ask for elevated privileges, which
is quite a common thing for installers to do and
What they do is they grab that password and they exfil it to a Dropbox URL. So
yeah, it's very sneaky, very sneaky.
Well, how do they bypass the built-in security tools that are in macOS?
Right. So, this is also interesting.
One of the reasons we were kind of quick to push out the FlexibleFerret post is because
the sample that we found was actually signed with a valid Developer ID and had been notarized
by Apple.
So, that would get them straight through Gatekeeper.
You would normally, if Apple were aware of this malware and had written a
YARA rule for it, you might get a detection in XProtect, which is their
tool for blocking malware before it executes. But XProtect hasn't got a rule
for this particular version.
So FlexibleFerret is the version that doesn't have
a rule in XProtect for it.
Apple have, to their credit, already revoked that developer
signature and that notarization ticket.
In fact, that happened before we ran our investigation. So we kind of assumed Apple would know about this, because they obviously know the developer,
because they've revoked a certificate.
But they didn't actually add a signature in XProtect for it. So
that was a concern, let's put it that way.
That's interesting.
I mean help me understand how does a group like this go about getting an authorized signature
from Apple?
Yeah, that's a good question.
So this isn't something that we've researched specifically.
Other research into that has suggested a couple of ways.
One is, look, you can just buy a signature for $99, right?
So if you've stolen some credit card credentials or have some other way to,
I mean, they do some basic payment checks,
but if you have some way to pay for it,
then you can do that way.
Another way is, of course,
through previous compromises of developers, where
they might just be stealing a developer's signature of a legit developer. So those are
at least two of the ways. Some years ago, I had seen websites that were actually trading stolen
or compromised developer signatures. So yeah, there's a few different ways that they go about it.
But in this particular case, I don't have insight
into exactly who the developer signature was.
Is it fair to say that that's not a terribly difficult
hurdle to get over?
Absolutely.
I mean, a lot of malware families are using developer signatures.
What should be a bigger hurdle is notarization.
This is where Apple are actually checking.
Even if you've got an Apple developer ID,
they will still check your code to see if it's known malware.
But this is what's called notarization.
So it's an extra check.
But we've seen quite a lot of malware that's
getting past notarization checks now.
So this doesn't seem to be a particularly robust mechanism. We'll be right back.
And now a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue
to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million
record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that
are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers
by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement,
connecting users only to specific apps, not the entire network, continuously verifying
every request based on identity and context, simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com/security.
Cyber threats are evolving every second and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a
full suite of solutions designed to give
you total control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and compliant.
Well, switching to attribution here, what led you all to attribute FlexibleFerret to North
Korea?
Right, so part of that is because of the overlaps, as I spoke about earlier, with known North
Korean actors; we actually found FlexibleFerret based off previously DPRK-attributed
malware.
And part of it is my colleague who helped co-author the post, Tom Hegel. He did all the kind of infrastructure
side, so I don't really get involved in the networking side, but Tom examined the infrastructure
side and was able to link that to previously known DPRK infrastructure. So we had
strong confidence that this is definitely the same threat actors.
I see.
Well, and of course, North Korea is generally known for either financially motivated attacks
or espionage focused campaigns.
Does this fit into one of their typical categories?
It does.
And what's interesting actually is many of their campaigns are not one or the other.
They're kind of both at the same time, right?
So they're often looking to backdoor people who are either already employees or are potential
employees of organizations.
And they might do some financial theft on the side, maybe steal some crypto wallets, like a lot of their other malware, where usually we see some kind of wallet-stealing component
as well as a backdoor. Now, in this case, we think that the second-stage backdoor was
the same Go binary that we had seen in the Hidden Risk campaign, based on various artifacts, but we
didn't actually, we weren't actually able to source it from the C2.
It was already shut down.
So whether there was further sort of variation there or not sort of remains to be seen.
How would you rate the sophistication of this group?
I mean, is this something that everyday users should worry about, or does it seem like they're
targeting high-value people?
So in terms of targeting, it's very specific to this particular campaign.
It's very specific.
They're going after software developers, but that's a pretty wide
group of people.
In terms of sophistication, the malware isn't that sophisticated.
The thing is it doesn't need to be that sophisticated to work.
This is maybe one of the things that might surprise some people.
But this particular group aren't really concerned with stealth. So there's
no obfuscation in any of this malware. It's very easy to analyze. They're not bothered
about burning the particular malware that they use on any given compromise. And I think
this is also why we found this variant on the back of previous research with the study three,
four weeks ago, and I would not be surprised if we or other researchers find another variant
in a couple of weeks or sooner because they're rapidly iterating.
You know, they're quite happy just to burn this malware and write new ones.
Yeah, that's interesting. You know, I think there's still that perception that macOS
is safer than Windows when it comes to these sorts of things. Do you think that's
still true, or are we seeing more and more of these kind of targeted threats?
I'm not sure that it's ever been true. I think it... I mean I've been a Mac user for all of my computing life, right?
So in one way, I don't know much about Windows personally because I don't use it.
But of course I'm in the security industry and I know that Windows has vastly more, numerically more threats.
It has different kind of threats. So you worry a lot more about remote code
execution with various Windows components. If they're exposed to the Internet, it's
easy to get in. You don't have that kind of issue with Macs. But with all computer systems,
it's an old adage. The weakest is the person on the keyboard, right?
What you have with Macs, I think, is a
history, a legacy of not worrying so much about security, because everybody was attacking Windows, because it was easy, because
Macs weren't
traditionally big in the enterprise, so they weren't high-value targets.
So that's completely different now, right?
So almost every organization is using Macs now.
They're also used by high value targets like developers, like C-suite folks.
And I think there's this sort of hangover from the fact that Macs
haven't suffered traditionally as much targeting as Windows machines. That
people are going, okay I want a Mac, I must be good, Apple will take care of it.
But look, Macs, it doesn't really matter what OS you're on, whether it's Mac,
Windows, Linux, whether you're running code in containers or storing data
there.
As an organization, you need to have protection
for wherever you are running your code or storing your data.
Because one of the trends that we see increasingly
over the last two years is
that campaigns are cross-platform from the off, right? It's not like the Mac thing is an afterthought or it's a separate thing, and it's the same with the Ferret malware.
The campaign starts off with some kind of stage one that says, okay,
what kind of an OS am I running on? And once it's figured that out, it'll deliver the appropriate second stage.
The key to all of it is getting that user
to execute the first stage.
And that's a social engineering obstacle.
It's not an OS obstacle.
It doesn't matter whether you're Windows or Mac, right?
Yeah, that's, I mean, it's fair to say
that if I can convince you to download and install something,
that's kind of the ball game.
Absolutely.
This is true.
Yeah.
Well, what do you hope that people get out of the research here?
Are there any particular lessons learned or tips and tricks that you want people to take
away from it?
Sure.
Look, you know, there's a few things
I think for organizations and for users to think about,
not just with this research, but also I think one of the
things that, for anybody following security issues, one of the things you'll notice is that
research about macOS malware is becoming more frequent. You're
seeing more of it, right? And this kind of goes back to partly what I said
earlier about, you know, make sure you're covering all your OSes, that there's no
first- or second-class citizens in security.
The second thing is don't rely on the OS vendors.
And I'm not just talking about Apple,
it doesn't matter whether it's Red Hat or Windows,
Microsoft, sorry, don't rely on the OS vendors for security.
And I'm not trying to shill for my company in particular;
use whatever makes sense in your organization.
But OS vendors, their primary business
isn't security, it's stability, right?
So they have this massive burden to avoid false positives
in whatever kind of security mechanisms they deploy.
So of course, that's also true of dedicated security vendors.
But for OS vendors, because they're
shipping to an exponentially larger number of devices,
and they have little to zero visibility
into how those devices are being used in an org,
what environment they're in, it just
makes it magnitudes harder for them to reliably flag up emerging threats.
You should think of whatever OS security mechanisms come in as kind of like, that's your base
level. That's where you start. But if you're an organization, absolutely that is not where
you need to end. So that's one message. Another one is protect your developers, you know, about
this research in particular. You know, it's very, it's focused on trying to, the
campaign is focused on trying to compromise developers, and, you know,
they're the gateway into not just the organization they work for, but any
organization that uses software they're developing,
right?
So they're high-value targets.
They are sometimes harder to protect, can I say it that way?
Because they have complex needs, they're in complex environments.
Security software sometimes is a pain for them.
They do think highly of themselves.
Well, I've got a lot of friends who are developers,
so I'm not going down that road.
I'll take that bullet for you, my friend.
But yeah, you know, it's a conversation
orgs need to have with their devs to make sure,
like, you know, you're a target, right?
You're as big a target as probably anyone
in the organization.
So, yeah, and on top of that,
I think that just going back to where we were talking about it,
it's a social engineering challenge, right?
Rather than an OS challenge in terms of stopping those first stages.
Now, the best advice you'll hear on security,
you can hear it from Apple all the way back in 2007,
when they released OS X 10.5 Leopard,
and that was when they introduced their first major security technology.
It was File Quarantine, which later became known as Gatekeeper.
They said in their docs all the way back then that where you
get a file from is
the most important indicator of whether something is malicious or legit.
I think whether you're an org or you're just a user at home,
that's the key takeaway. It remains true today. The origin or provenance of anything
a user is going to execute on their machine, it needs to be established that it's safe before
you do it. And it's not easy. It's sometimes very difficult. But basically, you know, if someone from outside your org is asking you to execute some software inside
your org, then that's a security issue right away. Yeah. So, you
know, run it in a VM, pass it on to your IT team. If you
don't have those resources, you know, just turn around to
whoever's asking this request and say, well, I need to do some
security checks first, and see how they react, because, you know,
they will get itchy and touchy about, you know,
that kind of pushback, and that's a red flag straight away,
right? So yeah, executing code from unknown origin
is how infections happen. Our thanks to Phil Stokes from SentinelOne's SentinelLabs for joining us.
The research is titled "macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed."
We'll have a link in the show notes.
That's Research Saturday brought to you by N2K CyberWire. We'd love to know what you
think of this podcast. Your feedback ensures we deliver the insights that keep you a step
ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating
and review in your favorite podcast app. Please also fill out the survey in the show notes
or send an email to cyberwire@n2k.com.
This episode was produced by Liz Stokes.
We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben, Peter
Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.