Full Report
2025-02-03 • SentinelOne • Phil Stokes, Tom Hegel • osx.friendlyferret, osx.frostyferret
Analysis Summary
# Threat Actor: FlexibleFerret (DPRK Malware Family Variants)
## Attribution & Identity
* **Attribution:** Democratic People's Republic of Korea (DPRK) state-sponsored group.
* **Aliases/Associations:** Associated with the malware family variants **osx.friendlyferret** and **osx.frostyferret**.
## Activity Summary
The article reports the discovery of new operational variants within a DPRK malware family, focusing on the macOS versions tracked as FlexibleFerret.
## Tactics, Techniques & Procedures
* **TTPs:** Deployment of the macOS variants dubbed 'osx.friendlyferret' and 'osx.frostyferret'.
* **MITRE ATT&CK IDs:** Not explicitly provided in the context.
## Targeting
* **Sectors:** Not explicitly detailed in the provided context snippet; the activity is contextually consistent with the espionage operations typical of DPRK actors.
* **Geography:** Not explicitly detailed in the provided context snippet.
* **Victims:** Not explicitly detailed in the provided context snippet.
## Tools & Infrastructure
* **Malware families used:** macOS variants of the DPRK FlexibleFerret malware family, specifically referencing **osx.friendlyferret** and **osx.frostyferret**.
* **Infrastructure:** Not explicitly detailed in the provided context snippet.
## Implications
The continued development and deployment of macOS-specific malware variants indicates sustained offensive cyber operations by North Korea, potentially adapting to target Apple environments more effectively.
## Mitigations
* Deploy robust endpoint detection and response (EDR) capable of identifying novel macOS threats.
* Keep security definitions current so that known malware signatures associated with DPRK threat groups are recognized.