New macOS malware chain could cause a major security headache - here's what we know

News
By published

North Korean hackers are targeting macOS devs now

Dark web monitoring
(Image credit: Adobe)
  • Jamf reports North Korean actors using fake job ads and ClickFix tactics to target macOS users
  • Victims are tricked into running curl commands in Terminal, installing FlexibleFerret backdoor malware
  • The campaign, dubbed Contagious Interview, enables credential theft, file exfiltration, and system compromise

North Korean state-sponsored threat actors are targeting macOS users with new malware, utilizing a strategy that combines two popular approaches - fake job ads, and ClickFix, experts have warned.

Security researchers Jamf confirmed they have spotted attacks in the wild using ClickFix, an attack method in which the victim is presented with a fake problem, and at the same time, presented with a fix. It is an evolution of the old “You have a virus” popup that dominated the internet in the early 2000’s.

Jamf says ‘DPRK-aligned operators’ from the FlexibleFerret malware family have been creating fake companies, fake LinkedIn profiles and, most importantly - fake job ads, as part of a wider campaign called Contagious Interview.

Aura Family
$60 off
Save 75%
Aura Family: was $80 now $20 at Aura Inc

Aura can protect your family with a plethora of features: Password Manager, ID theft protection, Antivirus, VPN, Parental Control and much more for just $20 per month!

View Deal

Curl commands and fake fixes

Victims, mostly software developers, would either discover these websites and job ads by themselves, or would be invited for interviews via LinkedIn.

After jumping through multiple loops, the victims would then be asked to record a video of themselves through the employer’s platform, but if they would try to do so, the platform would tell them that their camera isn’t working properly.

They would then be presented with a fix - a curl command to be entered into Terminal - which doesn’t fix the problem but rather introduces malware to the system.

This malware, essentially a backdoor, does a couple of things - generates a short machine identifier, checks for duplicates, and then pulls additional commands from a hard-coded command server.

Those commands include collecting system information, uploading or downloading files, executing shell commands, pulling Chrome profile data, or triggering an automated credential theft.

“Organizations should treat unsolicited ‘interview’ assessments and Terminal-based ‘fix’ instructions as high-risk, and ensure users know to stop and report these prompts rather than follow them,” the researchers concluded.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.