
New macOS malware disguises itself as Chrome & Zoom installers

North Korean hackers are using fake job offers and disguised app updates to sneak malware onto Macs, and while Apple's latest XProtect update blocks some threats, others are still slipping through.

Security researchers from SentinelLabs have identified fresh variants of a North Korean malware family, dubbed "FlexibleFerret," which is actively targeting macOS users. The malware is part of a broader campaign known as "Contagious Interview," in which attackers pose as recruiters to trick job seekers into installing malicious software.

Apple responded with an XProtect signature update to counter these threats, blocking several variants, including FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES.

XProtect is Apple's built-in malware detection and removal tool for macOS, designed to identify and block known malicious software. It runs silently in the background, using regularly updated security signatures to detect threats when files are downloaded or executed.

Unlike traditional antivirus software, XProtect operates at the system level with minimal user interaction, automatically protecting Macs without requiring manual scans.

[Image: terminal-style listing of a malware sample's code and metadata, showing submission dates, threat categories, tags and YARA rule identifiers] Some malware components found in FlexibleFerret share similarities with the Stage 2 payloads used in North Korea's Hidden Risk campaign. Image credit: SentinelOne

The malware campaign has evolved from earlier DPRK-attributed threats discovered in December and January. Attackers are using deceptive tactics such as fake Chrome updates and disguised Zoom installers to infect macOS systems.

The malware's persistence mechanisms and data exfiltration methods indicate a well-funded, state-backed operation.

How the malware spreads

The FlexibleFerret malware primarily spreads through social engineering. Victims are tricked into downloading a seemingly legitimate app, such as VCam or CameraAccess, after encountering an error message during a fake job interview.

In reality, these apps install a malicious persistence agent that runs in the background, stealing sensitive data. One identified package, versus.pkg, contains multiple malicious components, including InstallerAlert.app, versus.app, and a rogue binary named zoom.

Once executed, the malware installs a launch agent to maintain persistence and communicates with a command-and-control server via Dropbox.

[Image: tree-structured directory listing with filenames, sizes, owners, groups, permissions and modification dates] File contents of the FlexibleFerret dropper, versus.pkg. Image credit: SentinelOne

Apple's latest XProtect update blocks key malware components disguised as macOS system files, including com.apple.secd. However, some FlexibleFerret variants remain undetected, highlighting the evolving nature of these threats.
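As an added defender-side example (not code from the article or from SentinelLabs), the script below triages the plists in a LaunchAgents folder for the two traits the article attributes to FlexibleFerret's persistence: a label that borrows an Apple system name such as com.apple.secd, and a program that lives in a user-writable location. The sample plists, the user path and the program paths are constructed for the demonstration and are not indicators from the report.

```python
import plistlib
import tempfile
from pathlib import Path
# Constructed sample agents (not artifacts from the SentinelLabs report): the first mimics
# the page's pattern, an Apple-named label (com.apple.secd) over a user-writable binary.
SAMPLE_PLISTS = {
    "com.apple.secd.plist": {
        "Label": "com.apple.secd",
        "ProgramArguments": ["/Users/alice/Library/Application Support/zoom"],
        "RunAtLoad": True,
    },
    "com.example.updater.plist": {  # benign-looking third-party agent
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
        "RunAtLoad": True,
    },
}

# Where Apple's own launchd jobs live; a com.apple.* label running elsewhere is a red flag.
APPLE_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/sbin/", "/bin/")
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

def triage_agent(plist: dict) -> list[str]:
    """Return reasons a launchd plist looks suspicious (empty list = nothing found)."""
    program = (plist.get("ProgramArguments") or [plist.get("Program", "")])[0]
    label = plist.get("Label", "")
    reasons = []
    if label.startswith("com.apple.") and not program.startswith(APPLE_PREFIXES):
        reasons.append(f"Apple-style label {label!r} runs non-Apple binary {program!r}")
    if program.startswith(USER_WRITABLE):
        reasons.append(f"program lives in a user-writable location: {program!r}")
    return reasons

def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Parse every .plist in a LaunchAgents folder; return findings keyed by filename."""
    findings = {}
    for path in sorted(directory.glob("*.plist")):
        with path.open("rb") as fh:
            reasons = triage_agent(plistlib.load(fh))
        if reasons:
            findings[path.name] = reasons
    return findings

def write_samples() -> Path:
    """Write the constructed samples to a temp folder so the scanner can run offline."""
    directory = Path(tempfile.mkdtemp(prefix="LaunchAgents-"))
    for name, plist in SAMPLE_PLISTS.items():
        with (directory / name).open("wb") as fh:
            plistlib.dump(plist, fh)
    return directory
```

On a real Mac, point scan_launch_agents at ~/Library/LaunchAgents and /Library/LaunchAgents; a hit is a reason to inspect the referenced binary, not proof of infection.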

Protecting your Mac

Mac users should be cautious when downloading software from untrusted sources and skeptical of unexpected software installation prompts. Apple's built-in security measures provide a first line of defense, but additional endpoint security solutions can help detect and block emerging threats.

Tools like Malwarebytes, Sophos Home, and CleanMyMac X offer extra layers of protection against cyber attacks.

8 Comments

zeus423 20 Years · 280 comments

Some people say Chrome is malware

5 Likes · 0 Dislikes
chasm 11 Years · 3679 comments

This particular threat is easy to avoid.

1. No self-respecting Apple user should be using Google's spyware Chrome to do anything.

2. If you need a Zoom client, get it from zoom.us (that's the official website). Nowhere else.

3 Likes · 1 Dislike
Pema 3 Years · 208 comments

chasm said:
This particular threat is easy to avoid.
1. No self-respecting Apple user should be using Google's spyware Chrome to do anything.

2. If you need a Zoom client, get it from zoom.us (that's the official website). Nowhere else.

Yes, I quite agree. But then again, if you open an incognito page in Chrome you are in dark mode.

So far as Zoom goes, I never thought to run Zoom inside of Chrome.

But as an Apple aficionado, do remind yourself that Apple has a cohabitation with Google to the tune of $20 billion. So when you run an Apple search with internet access you are going through Apple's/Google's portal, not some proprietary, indie thingamajig like DuckQuackDuack or Wolfram. Or worse yet, Bing :s Schming, which is an ocean of garbage.

I wouldn't suggest that Google is spyware, but more like a GIANT cookie. But there are multiple ways to squelch that. Also, Google Gmail is superb at squashing out spam. If you ever had the misery of using MS Outlook or, Gosh :D forbid, Hotmail (yes, some folks still use that) you would know what I mean.

I recall the days before Gmail arrived on the scene in the early 2000s; like most folks I used Hotmail. For every 20 emails, 18 were spam of the worst kind. A real clogged toilet.

So do give credit where it's due: Google~Gmail, Google~Search. Top class. How do they get their revenue, so that you don't pay for Gmail or Search? By surreptitiously marketing your info. Not happy? Subscribe to Incogni; they will wipe your data from all the many data brokers out there.

0 Likes · 3 Dislikes
killroy 18 Years · 291 comments

Pema said:
chasm said:
This particular threat is easy to avoid.
1. No self-respecting Apple user should be using Google's spyware Chrome to do anything.

2. If you need a Zoom client, get it from zoom.us (that's the official website). Nowhere else.
Yes, I quite agree. But then again, if you open an incognito page in Chrome you are in dark mode.

So far as Zoom goes, I never thought to run Zoom inside of Chrome.

But as an Apple aficionado, do remind yourself that Apple has a cohabitation with Google to the tune of $20 billion. So when you run an Apple search with internet access you are going through Apple's/Google's portal, not some proprietary, indie thingamajig like DuckQuackDuack or Wolfram. Or worse yet, Bing :s Schming, which is an ocean of garbage.

I wouldn't suggest that Google is spyware, but more like a GIANT cookie. But there are multiple ways to squelch that. Also, Google Gmail is superb at squashing out spam. If you ever had the misery of using MS Outlook or, Gosh :D forbid, Hotmail (yes, some folks still use that) you would know what I mean.

I recall the days before Gmail arrived on the scene in the early 2000s; like most folks I used Hotmail. For every 20 emails, 18 were spam of the worst kind. A real clogged toilet.

So do give credit where it's due: Google~Gmail, Google~Search. Top class. How do they get their revenue, so that you don't pay for Gmail or Search? By surreptitiously marketing your info. Not happy? Subscribe to Incogni; they will wipe your data from all the many data brokers out there.

All the crap I get is from gmail.

2 Likes · 0 Dislikes
SuntanIronMan New User · 34 comments
Pema said:

But as an Apple aficionado, do remind yourself that Apple has a cohabitation with Google to the tune of $20 billion. So when you run an Apple search with internet access you are going through Apple's/Google's portal, not some proprietary, indie thingamajig like DuckQuackDuack or Wolfram. Or worse yet, Bing :s Schming, which is an ocean of garbage.
DuckDuckGo’s search results (which is what I assume you mean by “DuckQuackDuack”) are mostly based on Bing. The “ocean of garbage” (as you say) is what DuckDuckGo uses.

1 Like · 0 Dislikes