Full Report
DPRK 'Contagious Interview' campaign continues to target Mac users with new variants of FERRET malware and GitHub devs with repo spam.
Analysis Summary
# Threat Actor: Ferret Family (DPRK-attributed)
## Attribution & Identity
The threat actor is attributed to the **Democratic People's Republic of Korea (DPRK)**.
Known aliases/names include **Contagious Interview**. The malware family is referred to as the **macOS Ferret family**.
## Activity Summary
The actor has been deploying malware against macOS systems using deceptive installers. Recent activity includes variants blocked by Apple's XProtect signature update: FROSTYFERRET\_UI, FRIENDLYFERRET\_SECD, and MULTI\_FROSTYFERRET\_CMDCODES. Previous research identified this activity in December and January.
## Tactics, Techniques & Procedures
- **Delivery Mechanism:** Distribution via malicious packages (`versus.pkg`).
- **Dropper Components:** The package includes components like `InstallerAlert.app`, `versus.app`, and potentially a false flag component named `zoom`.
- **Persistence/Execution:** Establishes persistence via a LaunchAgent (`com.zoom.plist` located in `/var/tmp/`).
- **Installer Deception:** Uses an installer alert binary (`Mac-Installer.InstallerAlert`) that is functionally similar to legitimate binaries such as the Chrome update binary, most likely to make the installation look routine to the user.
- **Code Signing:** The installer binary (`com.zoom.plist`) appears to carry a developer signature (`Team ID: 58CD8AD5Z4`), but during analysis the signature is flagged as not being a proper developer signature.
## Targeting
- **Sectors:** Not explicitly stated, but targeting of macOS infrastructure suggests potential espionage or intellectual property theft targeting organizations utilizing Apple hardware.
- **Geography:** Not explicitly mentioned in the provided text.
- **Victims:** No specific victim organizations are named.
## Tools & Infrastructure
- **Malware Families:** macOS Ferret family variants (FROSTYFERRET\_UI, FRIENDLYFERRET\_SECD, MULTI\_FROSTYFERRET\_CMDCODES).
- **Dropper Package:** `versus.pkg`
- **Dropper Components:** `InstallerAlert.app`, `versus.app`, `zoom`
- **Persistence Item:** `com.zoom.plist` (LaunchAgent)
- **Infrastructure (C2, domains, IPs):** None explicitly detailed in the provided text snippets.
## Implications
This threat demonstrates a sustained, focused effort by a DPRK-aligned group to compromise macOS environments through decoy installers, which may pass initial security checks because the installation looks familiar to the user. The use of a LaunchAgent indicates an intent for long-term persistence.
## Mitigations
- Keep macOS security features, particularly on-device malware detection such as XProtect, fully up to date so that new signatures are applied promptly.
- Scrutinize macOS packages for unusual structure or execution paths (e.g., scripts running from `/var/tmp/` or suspicious persistent configuration files).
- Implement strict controls over software installation sources, as the distribution method relies on users installing malicious packages.
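As an added hunting check that ties the TTPs above to the package-scrutiny mitigation (this is example code, not tooling from the report), the following Python audits a LaunchAgent plist for the traits described: a plist or executable living under `/var/tmp/` and a plist loaded from outside a `LaunchAgents` directory. The plist contents and the benign comparison sample are constructed; the report only gives the file name `com.zoom.plist` and its `/var/tmp/` location.

```python
import plistlib
from pathlib import PurePosixPath

# Temp / world-writable locations. The report places the Ferret LaunchAgent
# (com.zoom.plist) in /var/tmp/, where no legitimate installer keeps persistence.
TEMP_DIRS = ("/var/tmp", "/private/var/tmp", "/tmp", "/private/tmp")


def _under(path: str, roots) -> bool:
    """True if path equals or lies inside any directory listed in roots."""
    p = PurePosixPath(path)
    return any(PurePosixPath(r) == p or PurePosixPath(r) in p.parents for r in roots)


def audit_launch_agent(plist_path: str, plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means nothing was flagged."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # a malformed plist is itself worth a closer look
        return [f"unparseable plist: {exc}"]
    findings = []
    if _under(plist_path, TEMP_DIRS):
        findings.append(f"plist stored in temp dir: {plist_path}")
    if PurePosixPath(plist_path).parent.name != "LaunchAgents":
        findings.append(f"plist not in a LaunchAgents directory: {plist_path}")
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    if program and _under(program, TEMP_DIRS):
        findings.append(f"executable in temp dir: {program}")
    if findings and data.get("RunAtLoad") and data.get("KeepAlive"):
        findings.append(f"flagged agent {data.get('Label')!r} auto-starts and is kept alive")
    return findings


# Constructed samples: the report does not publish the plist body, so these are illustrative.
SAMPLES = {
    "/var/tmp/com.zoom.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.zoom</string>
<key>ProgramArguments</key><array><string>/var/tmp/zoom</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>""",
    "/Library/LaunchAgents/com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Library/Application Support/Example/updater</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>""",
}


def audit_samples() -> dict[str, list[str]]:
    """Run the audit over the constructed samples; used by the self-check below."""
    return {path: audit_launch_agent(path, body) for path, body in SAMPLES.items()}
```

On a live host the same function can be pointed at every plist reported by `launchctl list`, so the check covers agents loaded from non-standard paths as well as the standard directories.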