New macOS malware disguises itself as Chrome & Zoom installers


North Korean hackers are using fake job offers and disguised app updates to sneak malware onto Macs, and while Apple's latest XProtect update blocks some threats, others are still slipping through.

Security researchers from SentinelLabs have identified fresh variants of a North Korean malware family, dubbed "FlexibleFerret," which is actively targeting macOS users. The malware is part of a broader campaign known as "Contagious Interview," where attackers pose as recruiters to trick job seekers into installing malicious software.

Apple responded with an XProtect signature update to counter these threats, blocking several variants, including FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES.

XProtect is Apple's built-in malware detection and removal tool for macOS, designed to identify and block known malicious software. It runs silently in the background, using regularly updated security signatures to detect threats when files are downloaded or executed.

Unlike traditional antivirus software, XProtect operates at the system level with minimal user interaction, automatically protecting Macs without requiring manual scans.

Image: Some malware components found in FlexibleFerret share similarities with the Stage 2 payloads used in North Korea's Hidden Risk campaign. Image credit: SentinelOne

The malware campaign has evolved from earlier DPRK-attributed threats discovered in December and January. Attackers are using deceptive tactics such as fake Chrome updates and disguised Zoom installers to infect macOS systems.

The malware's persistence mechanisms and data exfiltration methods indicate a well-funded, state-backed operation.

How the malware spreads

The FlexibleFerret malware primarily spreads through social engineering. Victims are tricked into downloading a seemingly legitimate app, such as VCam or CameraAccess, after encountering an error message during a fake job interview.

In reality, these apps install a malicious persistence agent that runs in the background, stealing sensitive data. One identified package, versus.pkg, contains multiple malicious components, including InstallerAlert.app, versus.app, and a rogue binary named zoom.

Once executed, the malware installs a launch agent to maintain persistence and communicates with a command-and-control server via Dropbox.

Image: File contents of the FlexibleFerret dropper, versus.pkg. Image credit: SentinelOne

Apple's latest XProtect update blocks key malware components disguised as macOS system files, including com.apple.secd. However, some FlexibleFerret variants remain undetected, highlighting the evolving nature of these threats.
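The launch-agent persistence and the com.apple.secd disguise described above give a defender a concrete thing to hunt for on an endpoint: launchd plists that borrow Apple's naming but load from, or run programs in, user-writable locations. The following is an added example written for this article, not code from SentinelLabs or AppleInsider; the directory lists, labels and sample plists in it are constructed for illustration.

```python
"""Triage macOS launchd plists for FlexibleFerret-style disguised persistence.
Added example, not SentinelLabs or AppleInsider code. Flags jobs whose Label
borrows Apple's com.apple.* namespace from outside Apple's plist directories,
or that auto-start a program from a user-writable path."""
import plistlib

# Only Apple's own launchd jobs live here and legitimately carry com.apple.* labels.
APPLE_PLIST_DIRS = ("/System/Library/LaunchAgents", "/System/Library/LaunchDaemons")
# Paths a user-level dropper can write to without privileges (constructed list).
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

def program_path(job: dict) -> str:
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def triage_job(job: dict, plist_path: str) -> list[str]:
    """Return reasons the job looks like disguised persistence; empty means clean."""
    reasons = []
    label = str(job.get("Label", ""))
    exe = program_path(job)
    if label.startswith("com.apple.") and not plist_path.startswith(APPLE_PLIST_DIRS):
        reasons.append(f"Apple-style label {label!r} loaded from {plist_path}")
    if exe.startswith(USER_WRITABLE) and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append(f"auto-started program in user-writable path: {exe}")
    return reasons

def triage_plist_bytes(raw: bytes, plist_path: str) -> list[str]:
    """Parse an XML or binary plist and triage it; an unparsable file is itself a finding."""
    try:
        job = plistlib.loads(raw)
    except plistlib.InvalidFileException:
        return [f"unparsable plist at {plist_path}"]
    return triage_job(job, plist_path)

# Constructed sample: a user LaunchAgent posing as Apple's secd that runs a binary named zoom.
FAKE_SECD = plistlib.dumps({"Label": "com.apple.secd", "RunAtLoad": True, "KeepAlive": True,
                            "ProgramArguments": ["/Users/jdoe/Library/Application Support/zoom"]})
# Constructed sample: an ordinary third-party updater agent that should not be flagged.
BENIGN = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
                         "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]})

if __name__ == "__main__":
    for raw, path in ((FAKE_SECD, "/Users/jdoe/Library/LaunchAgents/com.apple.secd.plist"),
                      (BENIGN, "/Users/jdoe/Library/LaunchAgents/com.example.updater.plist")):
        print(path, "->", triage_plist_bytes(raw, path) or ["no finding"])
```

On a real Mac the same functions can be run over the files in ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; a hit is a lead for manual review, not proof of infection.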

Protecting your Mac

Mac users should be cautious when downloading software from untrusted sources and skeptical of unexpected software installation prompts. Apple's built-in security measures provide a first line of defense, but additional endpoint security solutions can help detect and block emerging threats.

Tools like Malwarebytes, Sophos Home, and CleanMyMac X offer extra layers of protection against cyber attacks.

Comments

  • Reply 1 of 8
    zeus423 Posts: 280, member
    Some people say Chrome is malware
     5 Likes, 0 Dislikes, 0 Informatives
  • Reply 2 of 8
    chasm Posts: 3,684, member
    This particular threat is easy to avoid.

    1. No self-respecting Apple user should be using Google's spyware Chrome to do anything.

    2. If you need a Zoom client, get it from zoom.us (that's the official website). Nowhere else.
     2 Likes, 1 Dislike, 1 Informative
  • Reply 3 of 8
    Pema Posts: 210, member
    chasm said:
    This particular threat is easy to avoid.

    1. No self-respecting Apple user should be using Google's spyware Chrome to do anything.

    2. If you need a Zoom client, get it from zoom.us (that's the official website). Nowhere else.
    Yes, I quite agree. But then again, if you open an incognito page in Chrome you are in dark mode. 

    So far as Zoom goes I never thought to run Zoom inside of Chrome. 

    But as an Apple aficionado, do remind yourself that Apple has a cohabitation with Google to the tune of $20 Billion. So that when you run an Apple search with an internet access you are going through Apple's/Google's Portal not some proprietary, indie thingamajig like DuckQuackDuack or Wolfram. Or worst yet, Bing :s Schming which is an ocean of garbage. 

    I wouldn't suggest that Google is spyware but more like a GIANT Cookie. But there are multiple ways to squelch that. Also Google Gmail is superb at squashing out spam. If you ever had the misery of using MS Outlook or Gosh :D forbid Hotmail (yes, some folks still use that) you would know what I mean. 

    I recall the days before Gmail arrived on the scene in the early 2000s like most folks I used Hotmail. For every 20 emails, 18 were spam of the worst kind. A real clogged toilet. 

    So do give credit where it's due: Google~Gmail, Google~Search. Top Class. How do they get their revenue, so that you don't pay for Gmail or Search? By surreptitiously marketing your info. Not happy? Subscribe to Incogni; they will wipe your data from all the many data brokers out there. 

     0 Likes, 3 Dislikes, 0 Informatives
  • Reply 4 of 8
    killroy Posts: 291, member
    Pema said:
    chasm said:
    This particular threat is easy to avoid.

    1. No self-respecting Apple user should be using Google's spyware Chrome to do anything.

    2. If you need a Zoom client, get it from zoom.us (that's the official website). Nowhere else.
    Yes, I quite agree. But then again, if you open an incognito page in Chrome you are in dark mode. 

    So far as Zoom goes I never thought to run Zoom inside of Chrome. 

    But as an Apple aficionado, do remind yourself that Apple has a cohabitation with Google to the tune of $20 Billion. So that when you run an Apple search with an internet access you are going through Apple's/Google's Portal not some proprietary, indie thingamajig like DuckQuackDuack or Wolfram. Or worst yet, Bing :s Schming which is an ocean of garbage. 

    I wouldn't suggest that Google is spyware but more like a GIANT Cookie. But there are multiple ways to squelch that. Also Google Gmail is superb at squashing out spam. If you ever had the misery of using MS Outlook or Gosh :D forbid Hotmail (yes, some folks still use that) you would know what I mean. 

    I recall the days before Gmail arrived on the scene in the early 2000s like most folks I used Hotmail. For every 20 emails, 18 were spam of the worst kind. A real clogged toilet. 

    So do give credit where it's due: Google~Gmail, Google~Search. Top Class. How do they get their revenue, so that you don't pay for Gmail or Search? By surreptitiously marketing your info. Not happy? Subscribe to Incogni; they will wipe your data from all the many data brokers out there. 

    All the crap I get is from Gmail.
     2 Likes, 0 Dislikes, 0 Informatives
  • Reply 5 of 8

    Pema said:

    But as an Apple aficionado, do remind yourself that Apple has a cohabitation with Google to the tune of $20 Billion. So that when you run an Apple search with an internet access you are going through Apple's/Google's Portal not some proprietary, indie thingamajig like DuckQuackDuack or Wolfram. Or worst yet, Bing :s Schming which is an ocean of garbage. 
    DuckDuckGo’s search results (which is what I assume you mean by “DuckQuackDuack”) are mostly based on Bing. The “ocean of garbage” (as you say) is what DuckDuckGo uses.
    edited February 5
     1 Like, 0 Dislikes, 0 Informatives
  • Reply 6 of 8
    chasm said:
    This particular threat is easy to avoid.

    1. No self-respecting Apple user should be using Google's spyware Chrome to do anything.

    2. If you need a Zoom client, get it from zoom.us (that's the official website). Nowhere else.
    You say that (“easy to avoid”), but much of this threat involves social engineering. We’ve seen multibillion-dollar companies get hacked via social engineering. Heck, we’ve seen actual cybersecurity companies (whose whole purpose for existing is to stop hacks) get hacked via social engineering. If a cybersecurity professional can get tricked with some social engineering, then it can happen to any of us. Social engineering hacks are NOT easy to avoid. And it’s not going to get any easier to avoid in the future with the rise of deepfakes and the like.
     3 Likes, 0 Dislikes, 0 Informatives
  • Reply 7 of 8
    danox Posts: 3,522, member
    Using Chrome and Zoom is like getting CloudStriked two times in a row with a double helping of Intel on top. Don’t do it.
    edited February 5
     0 Likes, 0 Dislikes, 0 Informatives
  • Reply 8 of 8
    rob53 Posts: 3,332, member
    chasm said:
    This particular threat is easy to avoid.

    1. No self-respecting Apple user should be using Google's spyware Chrome to do anything.

    2. If you need a Zoom client, get it from zoom.us (that's the official website). Nowhere else.
    You say that (“easy to avoid”), but much of this threat involves social engineering. We’ve seen multibillion-dollar companies get hacked via social engineering. Heck, we’ve seen actual cybersecurity companies (whose whole purpose for existing is to stop hacks) get hacked via social engineering. If a cybersecurity professional can get tricked with some social engineering, then it can happen to any of us. Social engineering hacks are NOT easy to avoid. And it’s not going to get any easier to avoid in the future with the rise of deepfakes and the like.
    You're right about social engineering. I don't use Gmail, but I wish Apple would validate the From name against the actual email address and, when it doesn't match, flag the email as possible spam or phishing. It's then up to the user to check the actual email address and verify who and where it's from. I have about 200 Mail rules checking emails; that's how bad it is. I stopped using Facebook because every time I use it, I start getting emails from eastern European girls. I also get a lot of subject lines that include #-signs, which some websites say is typical of spam.

    Of course, my new apartment complex uses the #-sign in front of my apartment number in the subject line, causing all their mail to go to Junk mail, then to Trash. When I sent them the website, they said that's normal but they'll try not to include it on my email. Read this article, which justifies my desire for Apple to be proactive: https://www.aura.com/learn/how-to-identify-phishing-emails

    Example: "Elite Male Gummies" is from uivlis@evahuesca.com
     0 Likes, 0 Dislikes, 0 Informatives