A newly identified macOS malware campaign is targeting users by disguising itself as legitimate Chrome and Zoom installers. Security researchers from SentinelLabs discovered that the malware, named FlexibleFerret, is designed to infiltrate Mac systems through social engineering tactics. The campaign is part of a broader cyberattack strategy known as Contagious Interview, in which hackers pose as recruiters offering fake job opportunities to lure victims.
How the Malware Works
FlexibleFerret primarily spreads through fake software downloads. Attackers trick users into installing seemingly legitimate apps, such as VCam or CameraAccess, by displaying fake error messages during a fraudulent job application process. Once a user downloads and runs the installer, the malware quietly installs itself in the background.
According to researchers, the malware operates through multiple components, including versus.pkg, a package containing several hidden files. These include InstallerAlert.app, versus.app, and a disguised binary labeled zoom, all working together to steal sensitive user data.
Once installed, FlexibleFerret gains persistence on the system by adding a launch agent, so that it is started again after a reboot or login. It communicates with a command-and-control (C2) server via Dropbox, so its traffic blends in with legitimate cloud-storage use and attackers can exfiltrate user data without drawing attention.
Apple’s Response and Security Measures
Apple has responded to the threat by updating XProtect, macOS’s built-in malware detection system. The update includes new security signatures to block several FlexibleFerret variants, including FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES.
However, researchers warn that while Apple has blocked some versions of the malware, newer strains remain undetected. This highlights the ever-evolving nature of macOS threats and the need for additional security measures beyond Apple’s built-in protections.
Protecting Your Mac from Malware
Mac users should remain vigilant when downloading software, especially from unknown sources. Here are some best practices to protect against threats like FlexibleFerret:
- Download software only from official sources, such as the Mac App Store or verified vendor websites.
- Avoid clicking on unsolicited job offers that require software downloads.
- Check app signatures and notarization status before installing third-party software.
- Use additional endpoint security tools like Malwarebytes, Sophos Home, or CleanMyMac X for enhanced protection.
- Keep macOS updated to ensure the latest security patches are applied.
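The launch-agent persistence described above is one thing a user can audit by hand. The following Python script is an added example, not code from SentinelLabs or this article: it applies simple heuristics to LaunchAgents plists (program path outside the usual install locations, RunAtLoad/KeepAlive, a vendor-named binary such as "zoom" that is not under /Applications). The expected-directory list, the vendor-name list and the sample plist (its label and path) are constructed for illustration.

```python
import os
import plistlib
from pathlib import Path

# Directories a legitimate launch agent's program is normally run from;
# a program under the user's home folder or /tmp deserves a closer look.
EXPECTED_PROGRAM_DIRS = ("/Applications/", "/System/", "/usr/", "/Library/Apple/", "/opt/")
# Vendor names the campaign described above imitates (constructed list).
IMPERSONATED_VENDOR_BINARIES = {"zoom", "chrome", "google chrome"}

def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return human-readable findings for one LaunchAgent plist."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # truncated or malformed plist
        return [f"unparseable plist: {exc}"]
    label = str(data.get("Label", "<no Label>"))
    args = data.get("ProgramArguments") or []
    target = str(data.get("Program") or (args[0] if args else ""))
    if not target:
        return [f"{label}: no Program or ProgramArguments"]
    findings = []
    if not target.startswith(EXPECTED_PROGRAM_DIRS):
        findings.append(f"{label}: program outside expected dirs: {target}")
    if data.get("RunAtLoad"):
        findings.append(f"{label}: RunAtLoad set (starts at every login)")
    if data.get("KeepAlive"):
        findings.append(f"{label}: KeepAlive set (relaunched if terminated)")
    base = os.path.basename(target).lower()
    if base in IMPERSONATED_VENDOR_BINARIES and not target.startswith("/Applications/"):
        findings.append(f"{label}: vendor-named binary '{base}' not under /Applications")
    return findings

def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Audit every .plist in a LaunchAgents directory; returns {filename: findings}."""
    return {p.name: audit_launch_agent(p.read_bytes())
            for p in sorted(Path(directory).glob("*.plist"))}

# Constructed sample plist (label and path are made up) modelled on the
# persistence pattern above: a 'zoom'-named binary run from the user's Library.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.zoom.helper</string>
  <key>ProgramArguments</key><array><string>/Users/alice/Library/Caches/zoom</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print("\n".join(audit_launch_agent(SAMPLE_PLIST)))
    print(scan_launch_agents(Path.home() / "Library" / "LaunchAgents"))
```

Legitimate agents from third-party software often live under ~/Library too, so a "program outside expected dirs" finding is a prompt to inspect the binary's signature with codesign, not proof of infection.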
While Apple’s security updates provide a strong first line of defense, users must remain cautious and proactive in securing their devices. As cybercriminals continue to refine their tactics, staying informed and adopting best security practices is essential for keeping personal data safe.