Infosecurity Magazine reports that the North Korea-linked FlexibleFerret macOS malware has had its attack chain revamped for greater stealth and long-term persistence on targeted systems as part of a Contagious Interview campaign.

According to an analysis from Jamf Threat Labs, more recent FlexibleFerret intrusions deploy a second-stage shell script that fetches an archive containing the next-stage loader; the loader is then executed at login after a LaunchAgent is written for persistence.

A decoy app mimicking Chrome permission prompts is then opened to facilitate credential exfiltration to a Dropbox account, after which the Go-based CDrivers backdoor is deployed. CDrivers supports system data gathering, file uploads and downloads, Chrome profile data extraction, shell command execution, and automated credential theft, the researchers noted, adding that FlexibleFerret also avoids disruption by falling back to a system-information command when an error occurs.

"Organizations should treat unsolicited 'interview' assessments and Terminal-based 'fix' instructions as high-risk, and ensure users know to stop and report these prompts rather than follow them," said researchers.