CTI Roundup: Ferret Malware, macOS Stealers, and MS Power BI
North Korean hackers target job seekers with Ferret malware, macOS users face a growing threat from infostealers, and actors leverage MS Power BI links for phishing
In this week’s roundup, CTI examines how North Korean threat actors are targeting job seekers with a macOS malware strain called Ferret. Next, CTI investigates a recent uptick in the number of attacks targeting macOS users. CTI also looks at a phishing campaign that uses SharePoint links to direct victims to a legitimate Power BI report.
North Korean hackers target job seekers with Ferret malware
North Korean threat actors are now delivering a macOS malware strain called Ferret as part of a fake job interview process.
While Apple has pushed signature updates to protect end-users against Ferret malware, researchers at SentinelOne recently discovered some samples, dubbed FlexibleFerret, which remain undetected by Apple’s on-device malware tool XProtect.
Ferret malware family background
Several past reports from various researchers have shared details of malware components from the Contagious Interview campaign. In that campaign, victims communicate with someone they think is an interviewer for a job and are asked to install software for a virtual meeting or other necessary components for the interview process.
Apple recently released a key update for XProtect to target specific malware components, including a backdoor posing as an OS file and two persistence modules linked to the Ferret family.
What is FlexibleFerret?
As noted above, SentinelOne has identified new samples of the Ferret malware family, which they are calling FlexibleFerret.
Researchers originally discovered these additional samples after pivoting from other Ferret malware components. The dropper they discovered is an Apple Installer package containing two applications, a standalone binary, and a script.
How does FlexibleFerret work?
SentinelOne determined that the installer package will use the script to drop and execute additional components after obtaining the necessary elevated privileges, logging its actions in a log file.
The binary within the package will contact a phishing domain while the script executes one of the contained applications.
This application will throw an error message to the victim to trick them into believing the process is carrying on as genuine. Meanwhile, the malware establishes persistence in the background.
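The persistence step is where a defender can get a foothold without relying on signatures. The script below is an added example for this roundup, not code from SentinelOne, Apple or the Ferret samples: it parses a macOS launchd job plist (the LaunchAgents/LaunchDaemons mechanism that persistence modules of this kind typically use) and flags jobs that start automatically and run a program, or hand a system interpreter a script, from a path outside the normal system and application locations. The plists, labels and paths in it are constructed for illustration and are not Ferret indicators; the trusted-prefix list is an assumption about a default macOS layout.

```python
"""Triage macOS launchd persistence items (LaunchAgents/LaunchDaemons).

Added example, not SentinelOne's, Apple's or the malware's own code.
Sample plists below are constructed; labels and paths are hypothetical.
"""
import glob
import os
import plistlib
from typing import Dict, List, Optional

# Assumption: a default macOS layout. Sites with managed tooling elsewhere
# should extend this list rather than weaken the check.
TRUSTED_PREFIXES = (
    "/System/", "/usr/", "/bin/", "/sbin/",
    "/Applications/", "/Library/Apple/", "/Library/Application Support/",
)

# System interpreters that droppers commonly point at a script as argv[1].
INTERPRETERS = {
    "/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
    "/usr/bin/python3", "/usr/bin/perl",
}


def is_trusted_path(path: str) -> bool:
    """True if the normalised path sits under a trusted prefix (defeats /../ tricks)."""
    return os.path.normpath(path).startswith(TRUSTED_PREFIXES)


def program_of(job: dict) -> Optional[str]:
    """launchd runs Program if set, otherwise ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def triage_plist(plist_bytes: bytes) -> Dict[str, object]:
    """Return a verdict for one launchd job plist."""
    job = plistlib.loads(plist_bytes)
    program = program_of(job)
    args = job.get("ProgramArguments") or []

    # Keys that make the job start without user action.
    autostart = [k for k in ("RunAtLoad", "KeepAlive") if job.get(k)]

    untrusted: List[str] = []
    if program and not is_trusted_path(program):
        untrusted.append(program)
    if program in INTERPRETERS:
        # A trusted interpreter path is not reassuring if the script it runs
        # was dropped somewhere the user (or the installer) could write to.
        untrusted += [a for a in args[1:]
                      if a.startswith("/") and not is_trusted_path(a)]

    return {
        "label": job.get("Label"),
        "program": program,
        "autostart": autostart,
        "untrusted_paths": untrusted,
        "suspicious": bool(autostart) and bool(untrusted),
    }


def triage_directory(directory: str) -> List[Dict[str, object]]:
    """Triage every .plist in a launchd directory; returns only suspicious jobs."""
    results = []
    for path in glob.glob(os.path.join(directory, "*.plist")):
        with open(path, "rb") as fh:
            verdict = triage_plist(fh.read())
        if verdict["suspicious"]:
            verdict["file"] = path
            results.append(verdict)
    return results


# Constructed sample: a user-level agent that keeps re-running a shell
# script hidden in the user's Library (hypothetical label and path).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>/Users/victim/Library/.cache/updater.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample: an installed application's own helper agent.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>org.example.backupagent</string>
  <key>Program</key><string>/Applications/Backup.app/Contents/MacOS/agent</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    for sample in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        print(triage_plist(sample))
    for d in ("/Library/LaunchAgents", "/Library/LaunchDaemons",
              os.path.expanduser("~/Library/LaunchAgents")):
        for hit in triage_directory(d):
            print("SUSPICIOUS:", hit["file"], hit["untrusted_paths"])
```

This is triage, not detection: legitimate user-level agents also live under ~/Library, so treat a hit as something to inspect (hash the target, check its code signature, look at the log file the dropper writes) rather than as a verdict on its own.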
FlexibleFerret and ChromeUpdate
The newly discovered components overlap with the samples covered by Apple's latest Ferret rules: the binary shows 86% similarity to the ChromeUpdate binary and contains nearly identical strings.
According to SentinelOne, XProtect does not currently recognize the binaries in the malicious installer package as malware.
What is the Contagious Interview campaign?
FlexibleFerret is part of the ongoing Contagious Interview campaign, which has been running since at least 2023.
This campaign primarily targets job-seeking developers and often instructs fake applicants to download malware-laden components needed for an interview.
In one notable case identified by SentinelOne, the threat actor broadened its focus to target GitHub users in general rather than only job seekers.
[Read also: Hiring remote IT workers? Beware the deepfake frauds]
Analyst comments from Tanium’s Cyber Threat Intelligence team
SentinelOne’s report offers key insights into an ongoing campaign where North Korean actors are posing as job recruiters.
The new Ferret malware suggests that these actors continue to develop tools to enhance the campaign, while the targeting of generic GitHub users indicates that the actors may be expanding their reach beyond job applicants.
macOS users face a growing threat from infostealers
Palo Alto is seeing a rise in attacks targeting macOS users, with its telemetry showing a 101% increase in macOS infostealer activity during the last two quarters of 2024. It identified the three most prevalent macOS infostealers as Poseidon, Atomic, and Cthulhu.
Top three infostealers targeting macOS
- Atomic Stealer (AMOS) has been around since at least 2023 and is sold on underground forums as malware-as-a-service (MaaS). Several versions have been active since its emergence, with earlier iterations written in Go and more recent ones in C++. Regardless of the version, AMOS operators commonly distribute it via malvertising, and it steals notes and documents, browser data, cryptocurrency wallets, and instant messaging data.
- Poseidon Stealer has been advertised on cybercriminal forums by an actor using the alias Rodrigo4, who reportedly also used to write code for AMOS. Palo Alto notes that the Poseidon MaaS was sold last summer to an unknown buyer, though the malware has remained active in the wild. Poseidon is frequently delivered through trojanized installers that imitate legitimate software and applications. These installers are typically distributed via malicious Google ads or emails and include an encoded AppleScript file that deploys the malware. According to Palo Alto, Poseidon can gather system information, steal browser data and cryptocurrency wallets, and harvest passwords from password managers.
- Cthulhu Stealer is also sold as a MaaS offering and is often delivered via malicious application installers. These installers present the victim with a dialog box instructing them to enter a password to update system settings. Cthulhu targets a much broader range of information, including FileZilla configuration files, note files, files with specific extensions, browser data, and more.
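Two details above are directly observable on an endpoint: the installer-bundled AppleScript, and a dialog that asks the user for a password. The following is an added example for this roundup, not code from Palo Alto or from any of the named stealers. It runs a small rule over process-execution events and flags `osascript` invocations that show a `display dialog` with a hidden (password-style) answer, or that execute an AppleScript from a mounted disk image or temporary directory. The events, paths and dialog text are constructed for illustration and are not indicators from these families; the list of "volatile" directories is an assumption.

```python
"""Flag osascript usage typical of installer-driven macOS infostealers.

Added example, not Palo Alto's code nor the stealers' own. The process
events below are constructed; paths and dialog strings are illustrative.
"""
import shlex
from typing import Dict, List

# Assumption: locations a trojanized installer or its payload runs from.
VOLATILE_DIRS = ("/Volumes/", "/tmp/", "/private/tmp/", "/var/folders/")
OSASCRIPT = {"osascript", "/usr/bin/osascript"}


def osascript_findings(cmdline: str) -> List[str]:
    """Reasons an osascript command line is suspicious (empty if none)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return ["unparseable command line"]
    if not argv or argv[0] not in OSASCRIPT:
        return []

    inline_scripts: List[str] = []
    script_files: List[str] = []
    it = iter(argv[1:])
    for arg in it:
        if arg == "-e":                      # inline script follows
            inline_scripts.append(next(it, ""))
        elif arg == "-l":                    # language name follows, skip it
            next(it, "")
        elif arg.startswith("-"):
            continue
        else:                                # a script file on disk
            script_files.append(arg)

    reasons: List[str] = []
    text = " ".join(inline_scripts).lower()
    if "display dialog" in text and "hidden answer" in text:
        reasons.append("credential prompt: display dialog with hidden answer")
    elif "display dialog" in text and "password" in text:
        reasons.append("dialog mentioning a password")
    for f in script_files:
        if f.startswith(VOLATILE_DIRS):
            reasons.append("AppleScript run from " + f)
    return reasons


def scan(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply the rule to a list of process events; return the hits."""
    hits = []
    for ev in events:
        reasons = osascript_findings(str(ev["cmdline"]))
        if reasons and str(ev["parent"]).startswith(VOLATILE_DIRS):
            reasons.append("parent process runs from " + str(ev["parent"]))
        if reasons:
            hits.append({"pid": ev["pid"], "parent": ev["parent"],
                         "reasons": reasons})
    return hits


# Constructed process-execution events (not real telemetry).
EVENTS = [
    {"pid": 501,
     "parent": "/Volumes/Installer/Install.app/Contents/MacOS/Install",
     "cmdline": ("/usr/bin/osascript -e 'display dialog \"macOS needs your "
                 "password to update system settings\" default answer \"\" "
                 "with hidden answer'")},
    {"pid": 502, "parent": "/bin/sh",
     "cmdline": "/usr/bin/osascript /Volumes/Installer/.setup.scpt"},
    {"pid": 503,
     "parent": "/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
     "cmdline": "/usr/bin/osascript -e 'display notification \"Backup finished\"'"},
    {"pid": 504, "parent": "/bin/zsh",
     "cmdline": "/usr/bin/python3 /Users/me/report.py"},
]


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit["pid"], hit["reasons"])
```

The rule only sees inline scripts passed with `-e`; an encoded or compiled `.scpt` file can only be flagged by where it runs from, which is why the path check matters as a second signal. Apple's own dialogs never ask for the account password through `osascript`, so the first reason alone is worth an alert in most fleets.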
[Read also: The new thinking on password security might surprise you]
Analyst comments from Tanium’s Cyber Threat Intelligence team
Over the last few years, the number of macOS-focused threats, including ransomware, vulnerabilities, and infostealers, has significantly risen.
This increase could be due to the widespread adoption of macOS devices. However, it could also simply be that threat actors are looking for areas with less competition. After all, the cybercriminal world is increasingly operating like a business.
Palo Alto’s research offers valuable insights into three specific macOS infostealers that can lead to further malicious activities.
Threat actors leverage MS Power BI in phishing campaign
Cofense observed a phishing campaign that uses SharePoint links to direct victims to an authentic Power BI report, urging them to click a link to “open document,” leading them to the actual phishing page.
What does the MS Power BI phishing email look like?
The phishing emails in this campaign use a subject line related to payment confirmations to create a sense of urgency and trigger an impulse click. Each email also contains familiar branding and formatting to trick victims into believing it is a legitimate SharePoint file.
[Read also: What is social engineering in cybersecurity? A comprehensive guide]
What happens when you click the Power BI link?
If the victim clicks the “open” link in the email, they are taken to a genuine Power BI report hosted by Microsoft.
According to Cofense, using actual Power BI links increases the likelihood that these emails will circumvent secure email gateways and more easily persuade victims to believe their actions are legitimate.
Cofense mentions that the first sign that something is wrong is when the victim is asked to click a button that says, “Open Document.” This button leads to the true phishing page.
How does the phishing page work?
The phishing page is a typical Microsoft sign-in page that asks for a username and password. The only red flag on the page itself is the URL, which is very clearly not the legitimate Microsoft URL.
Cofense also notes that this request for credentials to access a shared document is unusual and may suggest a potential problem.
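Because the URL is the one reliable tell on the final page, it is worth being precise about how to check it. The function below is an added example for this roundup, not Cofense's code: it classifies a URL by its parsed hostname against an allowlist of Microsoft sign-in and Power BI hosts, and shows why a naive substring test ("does it contain microsoftonline.com?") is not a check at all. The allowlist is an assumption to be maintained for your own tenant, and the lookalike URLs use reserved `.example` domains constructed for illustration, not indicators from this campaign.

```python
"""Classify a URL as a real Microsoft sign-in page, a Power BI report, or other.

Added example, not Cofense's code. Allowlist is an assumption; sample
lookalike URLs use reserved .example domains and are constructed.
"""
from urllib.parse import urlsplit

# Assumption: hosts that legitimately serve Microsoft account sign-in and
# Power BI reports. Exact-host matching is deliberate: no suffix wildcards.
SIGNIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
POWERBI_HOSTS = {"app.powerbi.com"}


def host_of(url: str) -> str:
    """Parsed hostname, lower-cased, trailing dot removed; '' if absent."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def classify(url: str) -> str:
    """'microsoft-signin', 'powerbi' or 'other'. Non-HTTPS is always 'other'."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "other"
    host = host_of(url)
    if host in SIGNIN_HOSTS:
        return "microsoft-signin"
    if host in POWERBI_HOSTS:
        return "powerbi"
    return "other"


def naive_looks_microsoft(url: str) -> bool:
    """The substring check people write in a hurry; kept here to show it fails."""
    return "microsoftonline.com" in url.lower()


# Constructed sample URLs (reserved .example domains, no real indicators).
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",   # real
    "https://app.powerbi.com/view?r=abc",                                # real report host
    "https://login.microsoftonline.com.evil.example/common/",            # subdomain lookalike
    "https://login.microsoftonline.com@evil.example/",                   # userinfo trick
    "http://login.microsoftonline.com/",                                 # wrong scheme
    "https://LOGIN.MicrosoftOnline.com./x",                              # case + trailing dot
]


if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify(u):17} naive={naive_looks_microsoft(u)!s:5} {u}")
```

A secure email gateway that only evaluates the first hop would see the genuine Power BI host here and pass the message, which is exactly the point Cofense makes; this check belongs on the page the user actually submits credentials to, for instance in a browser extension or a proxy that inspects the final form action.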
Analyst comments from Tanium’s Cyber Threat Intelligence team
This phishing campaign is a great example of how threat actors often exploit trusted tools, especially those used in the workplace.
Because these phishing emails contain legitimate Power BI links, the standard employee training to hover over a link and look for a suspicious URL does not help at the email stage; the link really does go to Microsoft.
These types of phishing emails require targeted victims to notice additional red flags (e.g., not expecting to receive an email) to recognize them as phishing attempts.
Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.
For further reading, catch up on our recent cyber threat intelligence roundups.