The North Korean threat actors behind the Contagious Interview campaign have been observed delivering a collection of Apple macOS malware strains dubbed FERRET as part of a supposed job interview process.
“Targets are typically asked to communicate with an interviewer through a link that throws an error message and a request to install or update some required piece of software such as VCam or CameraAccess for virtual meetings,” SentinelOne researchers Phil Stokes and Tom Hegel said in a new report.
Contagious Interview, first uncovered in late 2023, is a persistent effort undertaken by the hacking crew to deliver malware to prospective targets through bogus npm packages and native apps masquerading as videoconferencing software. It’s also tracked as DeceptiveDevelopment and DEV#POPPER.
These attack chains are designed to drop a JavaScript-based malware known as BeaverTail, which, besides harvesting sensitive data from web browsers and crypto wallets, is capable of delivering a Python backdoor named InvisibleFerret.
In December 2024, Japanese cybersecurity company NTT Security Holdings revealed that the JavaScript malware is also configured to fetch and execute another malware known as OtterCookie.
The discovery of the FERRET family of malware, first uncovered towards the end of 2024, suggests that the threat actors are actively honing their tactics to evade detection.
This includes the adoption of a ClickFix-style approach to trick users into copying and executing a malicious command on their Apple macOS systems via the Terminal app in order to address a problem with accessing the camera and microphone through the web browser.
According to security researcher Taylor Monahan, who goes by the username @tayvano_, the attacks originate with the attackers approaching the targets on LinkedIn by posing as recruiters and urging them to complete a video assessment. The end goal is to drop a Golang-based backdoor and stealer that’s designed to drain the victim’s MetaMask Wallet and run commands on the host.
Some of the components associated with the malware have been referred to as FRIENDLYFERRET and FROSTYFERRET_UI. SentinelOne said it identified another set of artifacts named FlexibleFerret that takes care of establishing persistence on the infected macOS system by means of a LaunchAgent.
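As an added defender-side illustration (not code from the SentinelOne report or from the FERRET samples), the following Python audits a LaunchAgents directory and flags agents whose program lives outside standard install locations; the sample plists, labels and paths are constructed placeholders, not indicators from the campaign.

```python
"""Audit macOS LaunchAgent plists for persistence from user-writable paths.

Added example; the plists written by demo() are constructed placeholders.
"""
import os
import plistlib
import tempfile

# Locations from which a legitimately installed program is normally started.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Applications/", "/Library/Apple/")


def program_of(plist: dict) -> str:
    """Return the executable an agent launches (Program or ProgramArguments[0])."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


def suspicious_reasons(plist: dict) -> list:
    """Empty list for a benign-looking agent, otherwise why it was flagged."""
    prog = os.path.expanduser(program_of(plist))
    if not prog or prog.startswith(TRUSTED_PREFIXES):
        return []
    reasons = [f"program outside trusted locations: {prog}"]
    if plist.get("RunAtLoad"):
        reasons.append("RunAtLoad: started at every login")
    if plist.get("KeepAlive"):
        reasons.append("KeepAlive: relaunched if it exits")
    return reasons


def audit_launch_agents(directory: str) -> dict:
    """Parse each .plist in directory; map filename -> reasons for flagged agents."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(directory, name), "rb") as fh:
                plist = plistlib.load(fh)
        except (plistlib.InvalidFileException, ValueError, OSError):
            findings[name] = ["unparseable plist"]
            continue
        reasons = suspicious_reasons(plist)
        if reasons:
            findings[name] = reasons
    return findings


def demo() -> dict:
    """Write one benign and one constructed suspicious agent, then audit them."""
    benign = {"Label": "com.example.updater",
              "Program": "/Applications/Example.app/Contents/MacOS/updater"}
    bad = {"Label": "com.placeholder.agent",  # constructed, not a real IoC
           "ProgramArguments": ["/Users/victim/Library/Caches/.hidden/agent"],
           "RunAtLoad": True, "KeepAlive": True}
    with tempfile.TemporaryDirectory() as d:
        for fname, data in (("com.example.updater.plist", benign),
                            ("com.placeholder.agent.plist", bad)):
            with open(os.path.join(d, fname), "wb") as fh:
                plistlib.dump(data, fh)
        return audit_launch_agents(d)
```

Pointing audit_launch_agents() at ~/Library/LaunchAgents on a real host gives a quick triage list; entries in the trusted prefixes are deliberately skipped, so review vendor-looking labels separately.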
It’s also engineered to download an unspecified payload from a command-and-control (C2) server, which is no longer responsive.
Furthermore, the FERRET malware has been observed being propagated by opening fake issues on legitimate GitHub repositories, once again pointing to a diversification of the attackers' delivery methods.
“This suggests that the threat actors are happy to expand the vectors by which they deliver the malware beyond the specific targeting of job seekers to developers more generally,” the researchers said.
The disclosure comes days after supply chain security firm Socket detailed a malicious npm package named postcss-optimizer containing the BeaverTail malware. The library remains available for download from the npm registry as of writing.
“By impersonating the legitimate postcss library, which has over 16 billion downloads, the threat actor aims to infect developers’ systems with credential-stealing and data-exfiltration capabilities across Windows, macOS, and Linux systems,” security researchers Kirill Boychenko and Peter van der Zee said.
The development also follows the discovery of a new campaign mounted by the North Korea-aligned APT37 (aka ScarCruft) threat actor that involved distributing booby-trapped documents via spear-phishing to deploy the RokRAT malware, as well as propagating them to other targets over group chats on the K Messenger platform from the compromised user's computer.