macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed
Last week Apple pushed a signature update to its on-device malware tool XProtect to block several variants of what it called the macOS Ferret family: FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES. This DPRK-attributed malware family was first described by researchers in December and further in early January, and was identified as part of the North Korean Contagious Interview campaign, in which threat actors lure targets into installing malware through the job interview process.
In this post, we briefly recap previous research for context, including Apple’s contribution through its malware signatures, before describing newly discovered samples that we have labelled ‘FlexibleFerret’ and which remain undetected by XProtect at the time of writing.
We provide a high-level overview of the malware along with a list of indicators for threat hunters and defenders. SentinelOne customers are protected from all known variants of the Ferret family.
A FERRET Family Background
As noted above, previous researchers have described several malware components …
IoC
http://zoom.callservice.us
76e3cb7be778f22d207623ce1907c1659f2c8215
17e3906f6c4c97b6f5d10e0e0e7f2a2e2c97ca54
de3f83af6897a124d1e85a65818a80570b33c47c
7da429f6d2cdd8a63b3930074797b990c02dc108
b071fbd9c42ff660e3f240e1921533e40f0067eb
7e07765bf8ee2d0b2233039623016d6dfb610a6d
831cdcde47b4edbe27524085a6706fbfb9526cef
b0caf49884d68f72d2a62aa32d5edf0e79fd9de1
203f7cfbf22b30408591e6148f5978350676268b
3e16c6489bac4ac2d76c555eb1c263cd7e92c9a5
2e51218985afcaa18eadc5775e6b374c78e2d85f
a25dff88aeeaaf9f956446151a9d786495e2c546
ee7a557347a10f74696dc19512ccc5fcfca77bc5
d8245cdf6f51216f29a71f25e70de827186bdf71
1a28013e4343fddf13e5c721f91970e942073b88
e876ba6e23e09206f358dbd3a3642a7fd311bb22
828a323b92b24caa5f5e3eff438db4556d15f215
dba1454fbea1dd917712fbece9d6725244119f83
bd73a1c03c24a8cdd744d8a513ae8d2ddfa2de5f
8667078a88dae5471f50473a332f6c80b583d3de
aa172bdccb8c14f53c059c8433c539049b6c2cdd
388ac48764927fa353328104d5a32ad825af51ce
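The indicators above are SHA-1 file hashes plus one C2 URL. As an added example (not part of the original post, and not SentinelOne or Apple tooling), the following script shows how a defender can turn such a list into a quick host sweep: it hashes every file under a directory and reports matches against the IoC set, and it scans proxy or DNS log lines for the listed domain. The hash values and domain are taken from the list above; the sample files and log lines the script builds are constructed for the demonstration and are not malware.

```python
import hashlib
import os
import tempfile

# SHA-1 indicators copied from the post's IoC list above.
FERRET_SHA1 = {
    "76e3cb7be778f22d207623ce1907c1659f2c8215",
    "17e3906f6c4c97b6f5d10e0e0e7f2a2e2c97ca54",
    "de3f83af6897a124d1e85a65818a80570b33c47c",
    "7da429f6d2cdd8a63b3930074797b990c02dc108",
    "b071fbd9c42ff660e3f240e1921533e40f0067eb",
    "7e07765bf8ee2d0b2233039623016d6dfb610a6d",
    "831cdcde47b4edbe27524085a6706fbfb9526cef",
    "b0caf49884d68f72d2a62aa32d5edf0e79fd9de1",
    "203f7cfbf22b30408591e6148f5978350676268b",
    "3e16c6489bac4ac2d76c555eb1c263cd7e92c9a5",
    "2e51218985afcaa18eadc5775e6b374c78e2d85f",
    "a25dff88aeeaaf9f956446151a9d786495e2c546",
    "ee7a557347a10f74696dc19512ccc5fcfca77bc5",
    "d8245cdf6f51216f29a71f25e70de827186bdf71",
    "1a28013e4343fddf13e5c721f91970e942073b88",
    "e876ba6e23e09206f358dbd3a3642a7fd311bb22",
    "828a323b92b24caa5f5e3eff438db4556d15f215",
    "dba1454fbea1dd917712fbece9d6725244119f83",
    "bd73a1c03c24a8cdd744d8a513ae8d2ddfa2de5f",
    "8667078a88dae5471f50473a332f6c80b583d3de",
    "aa172bdccb8c14f53c059c8433c539049b6c2cdd",
    "388ac48764927fa353328104d5a32ad825af51ce",
}

# Network indicator from the post; only the host part is matched in logs.
FERRET_C2_HOST = "zoom.callservice.us"


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-1 so large binaries do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root, ioc_hashes=FERRET_SHA1):
    """Return a list of (path, sha1) for every regular file whose SHA-1 is in the IoC set.

    Unreadable files (permission errors, vanished temp files) are skipped rather
    than aborting the sweep, which matters when walking live user directories.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue
            if digest in ioc_hashes:
                hits.append((path, digest))
    return hits


def find_domain_hits(log_lines, host=FERRET_C2_HOST):
    """Return the log lines that reference the C2 host (case-insensitive substring match)."""
    needle = host.lower()
    return [line for line in log_lines if needle in line.lower()]


def demo():
    """Build constructed sample data and run both checks; returns (file_hits, log_hits)."""
    # Constructed, benign files: neither matches a real Ferret hash.
    tmp = tempfile.mkdtemp(prefix="ferret_sweep_")
    with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
        fh.write(b"hello")
    with open(os.path.join(tmp, "readme.md"), "wb") as fh:
        fh.write(b"nothing to see here\n")
    file_hits = sweep_directory(tmp)

    # Constructed proxy log lines; the second one references the listed C2 host.
    constructed_log = [
        "2025-02-03T10:00:01Z CONNECT www.example.com:443 200",
        "2025-02-03T10:00:05Z GET http://zoom.callservice.us/ 200",
        "2025-02-03T10:00:09Z GET https://updates.example.org/manifest 304",
    ]
    log_hits = find_domain_hits(constructed_log)
    return file_hits, log_hits


if __name__ == "__main__":
    files, logs = demo()
    print("file IoC hits:", files)
    print("log IoC hits:", logs)
```

Run it as-is to see the constructed demo, or call `sweep_directory("/Users")` and feed real proxy or DNS export lines to `find_domain_hits` on a host you are triaging. Hash matching only catches the exact samples listed, so treat a clean sweep as absence of known variants, not as proof the host is unaffected; the domain check is the more durable of the two indicators since it survives repacking of the binaries.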