Full Report
The North Korean threat actors behind the Contagious Interview campaign have been observed delivering a collection of Apple macOS malware strains dubbed FERRET as part of a supposed job interview process. "Targets are typically asked to communicate with an interviewer through a link that throws an error message and a request to install or update some required piece of software such as VCam or
Analysis Summary
# Threat Actor: North Korean Threat Actors (Associated with Contagious Interview campaign)
## Attribution & Identity
* **Attribution:** North Korean threat actors.
* **Known Aliases and Associated Groups:** Contagious Interview, DeceptiveDevelopment, DEV#POPPER.
* **Related Activity:** The article mentions activity aligned with APT37 (ScarCruft) but the primary focus is on the group deploying the FERRET malware family.
## Activity Summary
The actor is conducting persistent operations, primarily under the name "Contagious Interview," targeting individuals through deceptive job interview processes.
* **Job Lures:** Targets are approached on LinkedIn by actors posing as recruiters and directed to "video assessments" via links that prompt them to install or update required software such as VCam or CameraAccess.
* **macOS Targeting (ClickFix Style):** A ClickFix-style approach is used to trick macOS users into copying and executing malicious commands in the Terminal to fix camera/microphone access issues, leading to malware installation.
* **Supply Chain Involvement:** The actor has diversified their vector to include malicious npm packages (e.g., `postcss-optimizer`) and opening fake issues on legitimate GitHub repositories, expanding targeting beyond job seekers to developers generally.
## Tactics, Techniques & Procedures
* **Social Engineering:** Impersonating recruiters via LinkedIn for job opportunities.
* **Deceptive Installation:** Using error messages/update prompts for required virtual meeting software (VCam, CameraAccess) to trick users.
* **Code Execution:** Trick users into executing malicious commands via the macOS Terminal.
* **Persistence Mechanism:** Establishing persistence on macOS systems using a `LaunchAgent`.
* **Initial Access/Delivery:** Bogus npm packages, native apps masquerading as videoconferencing software, and fake GitHub issues.
## Targeting
* **Sectors:** Developers (general), Prospective Job Seekers (initial focus).
* **Geography:** Not explicitly detailed, but the focus on macOS malware and specific campaigns implies global reach targeting individuals using these platforms.
* **Victims:** Individuals participating in purported job interviews; developers using popular software development platforms (npm, GitHub).
## Tools & Infrastructure
* **Malware Families:**
  * **FERRET family:** including FRIENDLYFERRET, FROSTYFERRET_UI, and FlexibleFerret.
  * **BeaverTail:** JavaScript-based malware capable of harvesting browser/crypto wallet data.
  * **InvisibleFerret:** Python backdoor delivered by BeaverTail.
  * **OtterCookie:** Additional JavaScript malware fetched by BeaverTail.
  * **Golang-based backdoor and stealer:** Designed to drain MetaMask wallets and execute commands.
* **Infrastructure:** At least one C2 server associated with the FlexibleFerret component was observed; it was no longer responsive at the time of reporting.
* **Delivery Vectors:** Malicious npm package (`postcss-optimizer`).
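As an added example (not code from the article or this summary), a small Python audit a developer can run over a project's `package.json` before integrating dependencies, matching the mitigation on vetting npm packages. It flags the package name the page identifies (`postcss-optimizer`), dependencies resolved from non-registry sources (git, raw URLs, local paths), and install-time lifecycle hooks, which execute arbitrary code during `npm install`. The sample manifest and the `left-helper` name are constructed for the demonstration; the watchlist carries only the name the page gives.

```python
import json
import re

# The one package name the page identifies as malicious; extend from your own intel.
WATCHLIST = {"postcss-optimizer"}

# npm lifecycle hooks that execute arbitrary code during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Dependency specs that bypass the registry: git, raw URLs, GitHub shorthand, local paths.
NON_REGISTRY_SPEC = re.compile(r"^(git\+|git:|https?://|github:|file:)")


def audit_manifest(manifest):
    """Return a list of findings (dicts) for a parsed package.json."""
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if name in WATCHLIST:
                findings.append({"severity": "high", "package": name,
                                 "reason": "watchlisted package name"})
            if NON_REGISTRY_SPEC.match(str(spec)):
                findings.append({"severity": "medium", "package": name,
                                 "reason": "non-registry source: " + str(spec)})
    # Hooks in the project's own manifest run on every `npm install` of the project.
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append({"severity": "medium", "package": manifest.get("name", "<root>"),
                             "reason": "install-time hook '%s': %s" % (hook, scripts[hook])})
    return findings


def audit_manifest_text(text):
    """Parse package.json text and audit it."""
    return audit_manifest(json.loads(text))


# Constructed sample manifest for the demonstration (hypothetical project, not from the page).
SAMPLE_MANIFEST = """{
  "name": "video-assessment-client",
  "version": "1.0.0",
  "scripts": {"postinstall": "node ./scripts/setup.js"},
  "dependencies": {
    "postcss": "^8.4.0",
    "postcss-optimizer": "^1.0.0",
    "left-helper": "git+https://example.invalid/repo.git"
  }
}"""

if __name__ == "__main__":
    for f in audit_manifest_text(SAMPLE_MANIFEST):
        print("[%s] %s: %s" % (f["severity"].upper(), f["package"], f["reason"]))
```

The regex and hook list are deliberately conservative; a real review would also walk `node_modules/*/package.json` after a `--ignore-scripts` install, since transitive dependencies carry their own hooks.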
## Implications
The actors demonstrate an active evolution of their macOS malware arsenal (FERRET family) and a diversification of attack vectors, moving from highly targeted job scams to broader supply chain compromises targeting developers using platforms like npm and GitHub. Their objective includes credential theft, data exfiltration, and establishing persistent access, particularly targeting cryptocurrency assets (MetaMask).
## Mitigations
- Exercise extreme caution with unsolicited job offers that require installing remote software or executing commands in the Terminal.
- Thoroughly vet required software installations, especially those related to access/camera/microphone functionality for virtual meetings.
- Review dependencies and packages from public repositories like npm before integrating them into development environments.
- Implement strong endpoint detection and response (EDR) specifically tuned for macOS threats, watching for unusual LaunchAgent creation or Terminal command execution chained from unusual sources.
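As an added example (not code from the article), a Python heuristic covering the LaunchAgent persistence in the TTP list and the EDR watch item above: it parses a LaunchAgent plist and flags agents that start through a shell or script interpreter or that reference temporary or world-writable paths, while reporting `RunAtLoad`/`KeepAlive` only as context, since many legitimate agents set them. Both sample plists, their labels and paths are constructed for the demonstration and are not indicators from the campaign.

```python
import os
import plistlib

# Directories a vendor-installed agent rarely launches from; all are user- or world-writable.
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/var/folders/", "/Users/Shared/")

# Interpreters whose presence as the program means the agent runs a script or a one-liner.
SCRIPT_INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript", "curl", "node"}


def audit_launch_agent(data):
    """Audit one LaunchAgent plist (bytes); returns label, executable, reasons, suspicious."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments")
    if not args and "Program" in plist:
        args = [plist["Program"]]
    args = [str(a) for a in (args or [])]
    if not args:
        return {"label": plist.get("Label"), "executable": None,
                "reasons": ["no program specified"], "suspicious": False}
    exe = args[0]
    reasons = []
    strong = False
    if os.path.basename(exe) in SCRIPT_INTERPRETERS:
        reasons.append("interpreter launch: " + " ".join(args))
        strong = True
    if any(d in " ".join(args) for d in SUSPICIOUS_DIRS):
        reasons.append("references writable/temporary directory")
        strong = True
    # Context only: legitimate agents commonly set these too.
    if plist.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    if plist.get("KeepAlive"):
        reasons.append("KeepAlive")
    return {"label": plist.get("Label"), "executable": exe,
            "reasons": reasons, "suspicious": strong}


def scan_launch_agents(directory):
    """Audit every .plist in a LaunchAgents directory; one result per file."""
    results = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                result = audit_launch_agent(fh.read())
            except Exception as exc:  # a plist launchd cannot parse is itself worth a look
                result = {"label": name, "executable": None,
                          "reasons": ["unparseable plist: %s" % exc], "suspicious": True}
        result["file"] = name
        results.append(result)
    return results


# Constructed samples (hypothetical labels and paths, not campaign indicators).
MALICIOUS_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.camerahelper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string><string>/private/tmp/.helper/run</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

BENIGN_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for sample in (MALICIOUS_SAMPLE, BENIGN_SAMPLE):
        print(audit_launch_agent(sample))
    # On a real host: scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents"))
```

Run `scan_launch_agents` against `~/Library/LaunchAgents` and `/Library/LaunchAgents` on a baseline image first, so that known vendor agents can be allow-listed before the heuristic is used for alerting.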