
A sophisticated North Korean hacking campaign, known as Contagious Interview, has been discovered delivering FERRET malware to Apple macOS users through deceptive job interview processes. Security researchers at SentinelOne have uncovered this latest development in the ongoing cyber threat.
The attack begins when targets are approached on LinkedIn by fake recruiters requesting video assessments. Users are directed to links that generate error messages, prompting them to install supposedly required software like VCam or CameraAccess for virtual meetings.
The campaign, also known as DeceptiveDevelopment and DEV#POPPER, utilizes multiple malware components:
– BeaverTail: JavaScript-based malware that harvests data from browsers and crypto wallets
– InvisibleFerret: A Python backdoor
– OtterCookie: An additional malware component identified by NTT Security Holdings
– FERRET family: Including FRIENDLYFERRET, FROSTYFERRET_UI, and FlexibleFerret
The attackers employ various distribution methods:
– Fake npm packages
– Malicious GitHub repository issues
– Terminal command execution tricks
– Bogus software updates
The primary objectives include:
– Stealing cryptocurrency from MetaMask wallets
– Executing remote commands
– Establishing persistent system access
– Data exfiltration
Recent developments show the group expanding beyond job seekers to target developers, with a malicious npm package named postcss-optimizer remaining active in the registry. This campaign demonstrates the evolving sophistication of North Korean cyber operations and their continued focus on cryptocurrency theft and system infiltration.
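A defensive check for the npm vector described above, as an added example that is not from SentinelOne or the original article: it walks a parsed package-lock.json (the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1) and reports every occurrence of the package the article names, including transitive ones. The sample lockfiles, the `example-build-helper` name and all version numbers are constructed.

```javascript
// Added example. The package name comes from the article; extend the set as advisories name more.
const FLAGGED = new Set(["postcss-optimizer"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// Returns one record per flagged package found, direct or transitive.
function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    // Check the folder name and, if present, the entry's own "name" field.
    const names = [nameFromPath(path), meta.name].filter(Boolean);
    const name = names.find((n) => flagged.has(n));
    if (name) hits.push({ name, version: meta.version, path, installScript: !!meta.hasInstallScript });
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists, to avoid duplicates).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail.concat(name).join(" > ");
      if (flagged.has(name)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, trail.concat(name));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (names other than postcss-optimizer and all versions are made up).
const SAMPLE_V3 = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-build-helper": { version: "2.1.0" },
    "node_modules/example-build-helper/node_modules/postcss-optimizer": { version: "0.0.0", hasInstallScript: true },
  },
};
const SAMPLE_V1 = {
  dependencies: {
    "example-build-helper": { version: "2.1.0", dependencies: { "postcss-optimizer": { version: "0.0.0" } } },
  },
};
console.log(findFlagged(SAMPLE_V3), findFlagged(SAMPLE_V1));
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findFlagged`; a non-empty result means the flagged package is in the resolved dependency tree even if package.json never lists it.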