North Korean Malware Targets MacOS Devices

A new malware sample is one of many macOS variants that are attributed to a DPRK campaign using a job interview lure

Researchers detailed a new macOS malware sample, which they called FlexibleFerret, that is part of a slew of other North Korean-linked macOS variants identified over the past few months.

Key Details:

  • SentinelOne’s SentinelLabs researchers warned that “FlexibleFerret” malware samples remain undetected by Apple’s on-device malware tool, XProtect

  • The malware is an expanded variant of samples previously identified in a North Korean campaign that started in November 2023, where threat actors convinced targets to install malware using a job interview lure

  • The malware was signed with a valid Apple Developer signature and Team ID, and was distributed through an Apple Installer package that acted as a dropper

The Background: In 2023, researchers with Palo Alto Networks' Unit 42 team discovered a campaign linked (with moderate confidence) to North Korean actors, in which threat actors posed as employers and tricked software developers into installing malware during the job interview process. At the time, researchers highlighted two new malware families distributed during this campaign, which targeted the Windows, Linux and macOS platforms.

In December 2024 and January 2025, researchers uncovered a number of new macOS variants that were also distributed as part of the still-ongoing North Korean campaign. While Apple pushed a signature update to XProtect last week to block several of these malware variants, SentinelLabs said that the newer FlexibleFerret samples remain undetected.

Why It Matters: SentinelLabs researchers said that the North Korean campaign and related malware family “represent an ongoing and active campaign, with threat actors pivoting from signed applications to functionally similar unsigned versions as required.” 

“Diverse tactics help the threat actors deliver malware to a variety of targets in the developer community, both in targeted efforts and what appears to be more ‘scatter gun’ approaches via social media and code sharing sites like Github,” they said.

Malware Deep Dive: The malware used several detection evasion and persistence tactics. One was executing InstallerAlert.app to trick the user into thinking a legitimate application had failed to run, by showing an error alert (“This file is damaged and cannot be opened”) that mimicked the warning message from Apple’s Gatekeeper security technology. The malware also leveraged a LaunchAgent component for persistence.

“The LaunchAgent targets a further executable at the path /private/var/tmp/logd, again masquerading as a legitimate part of the OS (logd is part of the unified logging system but does not have a component at that path),” said researchers. “At the time of writing, we were not able to obtain a copy of this file, which appears to be received from the currently non-responding C2.”
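As an added defender-side example (not code from SentinelLabs or the report), the following Python flags LaunchAgent plists that match the persistence pattern described above: a target executable under a temp path such as /private/var/tmp, or a system daemon name such as logd used outside the directories where genuine daemons live (assumed here to be /usr/libexec and similar). The plist contents and labels are constructed.

```python
import plistlib
from pathlib import Path, PurePosixPath
from typing import Optional

# Directories in which a LaunchAgent's target executable should not normally live.
TEMP_DIRS = ("/private/var/tmp", "/var/tmp", "/private/tmp", "/tmp")
# Where genuine system daemons live (assumption: the real logd is /usr/libexec/logd).
SYSTEM_DIRS = ("/usr/libexec", "/usr/sbin", "/usr/bin", "/System/Library")
# Daemon names worth checking; logd is the one the report names.
SYSTEM_DAEMON_NAMES = {"logd", "launchd", "syslogd"}

def _under(program: str, dirs) -> bool:
    return any(program == d or program.startswith(d + "/") for d in dirs)

def target_program(plist: dict) -> Optional[str]:
    """Return the executable a launchd job runs, from Program or ProgramArguments."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None

def launch_agent_findings(plist_bytes: bytes) -> list:
    """Reasons a LaunchAgent plist matches the masquerading-logd persistence pattern."""
    program = target_program(plistlib.loads(plist_bytes))
    if not program:
        return []
    findings = []
    if _under(program, TEMP_DIRS):
        findings.append(f"target executable lives in a temp directory: {program}")
    if PurePosixPath(program).name in SYSTEM_DAEMON_NAMES and not _under(program, SYSTEM_DIRS):
        findings.append(f"system daemon name used outside system directories: {program}")
    return findings

def scan_launch_agents(directory: Optional[Path] = None) -> dict:
    """Scan every .plist in a LaunchAgents directory; returns only files with findings."""
    directory = directory or Path.home() / "Library" / "LaunchAgents"
    results = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            findings = launch_agent_findings(path.read_bytes())
        except Exception as exc:  # an unparseable plist is itself worth a look
            findings = [f"could not parse: {exc}"]
        if findings:
            results[str(path)] = findings
    return results

# Constructed sample plists (not from the report); labels are placeholders.
SUSPICIOUS_PLIST = plistlib.dumps({"Label": "com.example.logd", "RunAtLoad": True,
                                   "ProgramArguments": ["/private/var/tmp/logd"]})
BENIGN_PLIST = plistlib.dumps({"Label": "com.example.backup",
                               "ProgramArguments": ["/usr/local/bin/backup-agent", "--daemon"]})
```

Calling scan_launch_agents() with no argument checks the current user's ~/Library/LaunchAgents; pass a Path to scan another directory such as /Library/LaunchAgents.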