A new report from cybersecurity firm SentinelOne has revealed that North Korean threat actors responsible for the ‘Contagious Interview’ campaign have been observed deploying a collection of Apple macOS malware strains, dubbed FERRET, through a deceptive job interview process. The attack method, which targets both job seekers and unsuspecting individuals, is designed to compromise devices and harvest sensitive data.
First uncovered in late 2023, the Contagious Interview campaign, also tracked as DeceptiveDevelopment and DEV#POPPER, has since evolved into a persistent and sophisticated operation by North Korean hackers to infect victims using fake job interviews.
According to the researchers, potential targets are lured into the trap by receiving a link to communicate with an ‘interviewer’ via video call. When the victim clicks the link, however, they are met with an error message, followed by a request to install or update supposedly necessary software such as VCam or CameraAccess for the virtual meeting.
These malicious installers deliver several forms of malware, including a JavaScript-based strain known as BeaverTail that harvests sensitive data such as browser activity, cookies, and even cryptocurrency wallet information. BeaverTail also acts as a downloader for a Python backdoor called InvisibleFerret, which gives the threat actors persistent access to infected systems and lets them control compromised devices remotely.
In addition to BeaverTail and InvisibleFerret, recent findings by Japanese cybersecurity firm NTT Security Holdings have revealed that the JavaScript-based malware also fetches and executes another malware variant called OtterCookie.
“The ‘Contagious Interview’ campaign and the FERRET family of malware represent an ongoing and active campaign, with threat actors pivoting from signed applications to functionally similar unsigned versions as required. Diverse tactics help the threat actors deliver malware to a variety of targets in the developer community, both in targeted efforts and what appears to be more ‘scatter gun’ approaches via social media and code sharing sites like Github,” the report concludes.