Dave Bittner
You're listening to the CyberWire network, powered by N2K. Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Phil Stokes
We were actually pivoting off some research that was published in early January on a website called DMP Dump. They described a cross-platform attack chain which had some macOS components, but they didn't fully analyze all of it. So we wanted to jump in there and see what else we could unearth.
Dave Bittner
That's Phil Stokes, threat researcher at SentinelOne's SentinelLabs. The research we're discussing today is titled "macOS Flexible Ferret: Further Variants of DPRK Malware Family Unearthed." Well, describe it for us: what exactly is Flexible Ferret?
Phil Stokes
So, yeah, there's a bit of context there. It's a little bit of a rabbit hole, just to mix metaphors. But it starts with this campaign called Contagious Interview, which is a wider tactic of North Korean threat actors. They've been using the same tactic for a few years, but basically what they're doing is targeting employees or potential employees of businesses, and in particular software developers, through the job interview process. So basically what they're doing is engaging people across social media to take a job interview. And then as part of that interview, they kind of throw the whammy: oh look, you need to install this software. Or another lure might be, they might say, hey, we're interviewing you for a software developer's job. Run this software and tell us what you think, or give us an analysis, or some variation of this. Basically what's going on behind the scenes is they're running a first-stage component to find out what OS the target is running. If it's a Mac, then they will deliver Mac-specific components, which is what we call the Ferret malware. So the Ferret malware is basically a first-stage Mac binary, usually a Mac app, in fact. That will then do something like install a Mac-specific persistence agent and a Mac-specific second stage, which is normally a backdoor. So that's the overall background of the Ferret family.
Dave Bittner
Are there any particular key technical characteristics of Flexible Ferret? Does it build upon previous DPRK-linked malware?
Phil Stokes
Yeah, as I said, it's a bit of a rabbit hole, because we actually see quite a few of the same artifacts used in different campaigns. So in Flexible Ferret, in fact, the second-stage backdoor malware that Apple had written signatures for on the back of the research that came out in early January, there was a second-stage backdoor, and that actually turned out to be the same backdoor that we had seen in a previous campaign we'd written about near the end of last year called Hidden Risk, which is a campaign that doesn't target people through the job interview process, but is actually sending out phishing links to people interested in crypto or decentralized finance. And in that campaign, they were getting people to click on a link to open a PDF, and that was installing the same second-stage malware that the Ferret malware is also using. So, yeah, there's a lot of connections across the artifacts, some of the code artifacts in different parts of these malware components. You know, we see them reused across campaigns.
Dave Bittner
Well, how does Flexible Ferret operate once it infects a Mac system?
Phil Stokes
Right. So in the case of Flexible Ferret, what you have is an installer package, which is slightly different from the previous Ferret versions, which were getting users to run a shell script, which would then download some particular malicious components. In Flexible Ferret, what we see is an installer package. So the delivery mechanism was different, suggesting maybe alternative channels where attackers are finding victims that maybe are shy of running terminal commands, which you wouldn't think was developers normally; they're normally quite terminal savvy. So in this case, the Flexible Ferret was coming in a prepackaged installer, and it would present a user interface to the victim, basically mimicking what Gatekeeper does when you try to run some application that is not properly code signed. So it just throws up this warning saying, oh, this program is damaged and can't be run. That's just a decoy. In fact, it is running behind the scenes. So the idea of that is to make the user just kind of go, oh, okay, this is no good. Move on, forget about it. But what's really going on is the persistence agent is being installed as a launch agent. And the second-stage Go binary is then being downloaded from a remote C2. They're also grabbing the user's password, because the first stage will ask for elevated privileges, which is quite a common thing for installers to do. And what they do is they grab that password and they exfil it to a Dropbox URL. So yeah, it's very sneaky. Very sneaky.
Dave Bittner
Well, how do they bypass the built-in security tools that are in macOS?
Phil Stokes
Right. So this is also interesting. One of the reasons we were kind of quick to push out the Flexible Ferret post is because the sample that we found was actually signed with a valid Developer ID and had been notarized by Apple. So that would get them straight through Gatekeeper. Normally, if Apple were aware of this malware and had written a YARA rule for it, you might get a detection in XProtect, which is their tool for blocking malware before it executes. But XProtect hasn't got a rule for this particular version. So Flexible Ferret is the version that doesn't have a rule in XProtect for it. Apple have, to their credit, already revoked that developer signature and that notarization ticket. In fact, that had happened before we ran our investigation. So we kind of assumed Apple would know about this, because they obviously know the developer because they revoked a certificate, but they didn't actually add a signature in XProtect for it. So that was a concern, let's put it that way.
Dave Bittner
That's interesting. Help me understand. How does a group like this go about getting an authorized signature from Apple?
Phil Stokes
Yeah, that's a good question. So this isn't something that we've researched specifically. Other research into that has suggested a couple of ways. One is, look, you can just buy a signature for $99, right? So if you've stolen some credit card credentials or have some other way to, I mean, they do some basic payment checks, but if you have some way to pay for it, then you can do it that way. Another way is, of course, through previous compromises of developers, where they might just be stealing a developer signature, right, of a legit developer. So those are at least two of the ways. Some years ago I had seen websites actually trading stolen or compromised developer signatures. So yeah, there's a few different ways that they go about it, but in this particular case I don't have insight into exactly who the developer signature was.
Dave Bittner
Is it fair to say that that's not a terribly difficult hurdle to get over?
Phil Stokes
Absolutely. I mean, a lot of malware families are using developer signatures. What should be a bigger hurdle is notarization. This is where Apple are actually checking. Even if you've got an Apple Developer ID, they will still check your code to see if it's known malware. And this is what's called notarization. So it's kind of an extra check. But we've seen quite a lot of malware that's getting past notarization checks now, so this doesn't seem to be a particularly robust mechanism.
Dave Bittner
Well, switching to attribution here, what led you all to attribute Flexible Ferret to North Korea?
Phil Stokes
Right, so part of that is because of the overlaps, as I spoke about earlier, with known North Korean actors. We actually found Flexible Ferret based off previously DPRK-attributed malware. And part of it is my colleague who helped co-author the post, Tom Hegel. He did all the kind of infrastructure side. So I don't really get involved in the networking side, but Tom examined the infrastructure side and was able to link that to previously known DPRK infrastructure. So we had strong confidence that this is definitely the same threat actors.
Dave Bittner
I see. Well, and of course North Korea is generally known for either financially motivated attacks or espionage focused campaigns. Does this fit into one of their typical categories?
Phil Stokes
It does. And what's interesting, actually, is many of their campaigns are not one or the other. They're kind of both at the same time. Right. So they're often looking to backdoor people who are either already employees or are potential employees of organizations. And they might do some financial theft on the side, maybe steal some crypto wallets, like a lot of their other malware. Usually we see some kind of wallet-stealing components as well as a backdoor. Now in this case, we think that the second-stage backdoor was the same Go binary that we had seen in the Hidden Risk campaign, based on various artifacts. But we weren't actually able to source it from the C2. It was already shut down. So whether there was further variation there or not sort of remains to be seen.
Dave Bittner
How would you rate the sophistication of this group? I mean, is this something that everyday users should worry about, or does it seem like they're targeting high-value people?
Phil Stokes
So in terms of targeting, this particular campaign is very specific. They're going after software developers, but that's a pretty wide group of people. In terms of sophistication, the malware isn't that sophisticated. The thing is, it doesn't need to be that sophisticated to work. This is maybe one of the things that might surprise some people, but this particular group isn't really concerned with stealth. So there's no obfuscation in any of this malware. It's very easy to analyze. They're not bothered about burning the particular malware that they use on any given compromise. And I think this is also why we found this variant on the back of previous research only three, four weeks ago. And I would not be surprised if we or other researchers find another variant in a couple of weeks or sooner, because they're rapidly iterating. They're quite happy just to burn these malwares and write new ones.
Dave Bittner
Yeah, that's interesting. I think there's still that perception that macOS is safer than Windows when it comes to these sorts of things. Do you think that's still true, or are we seeing more and more of these kinds of targeted threats?
Phil Stokes
I'm not sure that it's ever been true. I think I've been a Mac user for all of my computing life. In one way, I don't know much about Windows personally, because I don't use it. But of course I'm in the security industry, and I know that Windows has vastly more, numerically more, threats. It has different kinds of threats. So you worry a lot more about remote code execution. With various Windows components, if they're exposed to the Internet, it's easy to get in. You don't have that kind of issue with Macs, but with all computer systems, it's an old adage: the weakest link is the person on the keyboard. Right. What you have with Macs, I think, is a history, a legacy of not worrying so much about security, because everybody was attacking Windows because it was easy, because Macs weren't traditionally big in the enterprise, so they weren't high-value targets. So that's completely different now. Right. So almost every organization is using Macs now. They're also used by high-value targets like developers, like C-suite folks. And I think there's this sort of hangover from the fact that Macs haven't suffered traditionally as much targeting as Windows machines that people kind of think, okay, I'm on a Mac, I must be good, Apple will take care of it. But look, it doesn't really matter what OS you're on, whether it's Mac, Windows, Linux, whether you're running code in containers or storing data there; as an organization, you need to have protection for wherever you are running your code or storing your data. Because one of the trends that we see increasingly over the last two years is that campaigns are cross-platform from the off. It's not like the Mac thing is an afterthought or it's a separate thing. And it's the same with the Ferret malware. The campaign starts off with some kind of stage one that says, okay, what kind of an OS am I running on? And once it's figured that out, it'll deliver the appropriate second stage.
The key to all of it is getting that user to execute the first stage. And that's a social engineering obstacle. It's not an OS obstacle. It doesn't matter whether you're Windows or Mac. Right?
Dave Bittner
Yeah. I mean, it's fair to say that if I can convince you to download and install something, that's kind of the ball game.
Phil Stokes
Absolutely. This is true.
Dave Bittner
Yeah. Well, what do you hope that people get out of the research here? Are there any particular lessons learned, or tips and tricks, that you want people to take away from it?
Phil Stokes
Sure. Look, you know, there's a few things I think for organizations and for users to think about, not just with this research. For anybody following security issues, one of the things you'll notice is that research about macOS malware is becoming more frequent; you're seeing more of it. Right. And this kind of goes back partly to what I said earlier about, you know, make sure you're covering all your OSes, that there's no first- or second-class citizen in security. The second thing is, don't rely on the OS vendors. And I'm not just talking about Apple. It doesn't matter whether it's Red Hat or Windows, Microsoft, sorry, don't rely on the OS vendors for security. And I'm not trying to shill for my company in particular. Use whatever makes sense in your organization. But OS vendors, their primary business isn't security, it's stability. Right. So they have this massive burden to avoid false positives in whatever kind of security mechanisms they deploy. Of course that's also true of dedicated security vendors, but for OS vendors, because they're shipping to an exponentially larger number of devices and they have little to zero visibility into how those devices are being used in an org, what environment they're in, it just makes it magnitudes harder for them to reliably flag up emerging threats. You should think of whatever OS security mechanisms come in as kind of like, that's your base level, that's where you start. But if you're an organization, absolutely, that is not where you need to end. So that's one message. Another one is protect your developers. This research in particular, the campaign, is focused on trying to compromise developers. And they're the gateway into not just the organization they work for, but any organization that uses software they're developing. So they're high-value targets. They are sometimes harder to protect, can I say it that way?
Because they have complex needs, they're in complex environments, security software sometimes is a pain for them. So there's a.
Dave Bittner
They do think highly of themselves, right?
Phil Stokes
Well, I've got a lot of friends who are developers, so I'm not going down that road.
Dave Bittner
I'll take that bullet for you, my friend.
Phil Stokes
But yeah, it's a conversation orgs need to have with their devs to make sure they know: you're a target, right? You're as big a target as probably anyone in the organization. So, yeah, and on top of that, I think just going back to what we were talking about, it's a social engineering challenge rather than an OS challenge in terms of stopping those first stages. The best advice you'll hear on security, you can hear it from Apple all the way back in 2007, when they released OS X 10.5 Leopard. Their first major security technology was File Quarantine, which later became known as Gatekeeper. And they said in their docs all the way back then that where you get a file from is the most important indicator of whether something is malicious or legit. And I think whether you're an org or you're just a user at home, that's the key takeaway. It remains true today: the origin or provenance of anything a user is going to execute on their machine needs to be established as safe before you do it. And it's not easy. It's sometimes very difficult. But basically, if someone from outside your org is asking you to execute some software inside your org, then that's a security issue right away. Run it in a VM. Pass it on to your IT team. If you don't have those resources, just turn around to whoever's making this request and say, well, I need to do some security checks first, and see how they react, because they will get itchy and tetchy about that kind of pushback. And that's a red flag straight away. So, yeah, executing code from an unknown origin is how infections happen.
Dave Bittner
Our thanks to Phil Stokes from SentinelOne's SentinelLabs for joining us. The research is titled "macOS Flexible Ferret: Further Variants of DPRK Malware Family Unearthed." We'll have a link in the show notes. That's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
CyberWire Daily Podcast Summary
Episode: "Caught in the Contagious Interview. [Research Saturday]"
Release Date: March 1, 2025
Host: N2K Networks
In this episode of CyberWire Daily, host Dave Bittner talks with Phil Stokes, a threat researcher from SentinelOne's SentinelLabs. The conversation centers on the latest findings on a macOS malware variant named Flexible Ferret, part of a North Korean (DPRK) malware family. The episode covers the malware's delivery and persistence mechanics, its attribution to North Korean threat actors, and the broader implications for macOS security.
Phil Stokes introduces the conversation by referencing recent research published on DMP Dump, which outlined a cross-platform attack chain with macOS components. SentinelOne aimed to expand upon this initial analysis to uncover more details about the malware family.
Phil Stokes [01:23]:
"We were actually pivoting off some research that was published in early January on a website called DMP Dump. And they described a cross-platform attack chain which had some macOS components, but they didn't fully analyze all of it."
Flexible Ferret is a further variant of the previously identified DPRK-linked Ferret malware family. It targets macOS systems through deceptive job interview lures aimed at software developers (the Contagious Interview campaign).
Phil Stokes [02:11]:
"The Ferret malware is basically a first-stage Mac binary, usually a Mac app... that will then do something like install a Mac-specific persistence agent and a Mac-specific second stage, which is normally a backdoor."
Flexible Ferret employs a deceptive installation mechanism:
Delivery Mechanism: Unlike earlier Ferret versions that had users run a shell script, Flexible Ferret arrives as a prepackaged installer that presents a decoy user interface mimicking Apple's Gatekeeper warnings.
Execution: While displaying a false error message ("This program is damaged and can't be run"), it silently installs a persistence agent as a launch agent and downloads a second-stage Go backdoor from a remote command-and-control (C2) server.
Credential Theft: The installer requests elevated privileges, capturing the user's password and exfiltrating it to a Dropbox URL.
Phil Stokes [05:42]:
"It would present a user interface to the victim, basically mimicking what Gatekeeper does... It's very sneaky."
Flexible Ferret evades macOS's built-in defenses by abusing Apple's own trust mechanisms, code signing and notarization:
Phil Stokes [07:44]:
"The sample that we found was actually signed with a valid developer ID and had been notarized by Apple... Flexible Ferret is the version that doesn't have a rule in XProtect for it."
Although Apple had revoked the developer signature and notarization ticket before SentinelOne's investigation, XProtect had not been updated with a rule for this variant, so the sample passed Gatekeeper's initial checks.
Phil Stokes [10:19]:
"A lot of malware families are using developer signatures... we've seen quite a lot of malware that's getting past notarization checks now, so this doesn't seem to be a particularly robust mechanism."
SentinelLabs attributes Flexible Ferret to DPRK threat actors based on code artifacts overlapping with previously attributed North Korean malware (including the Hidden Risk campaign's second-stage backdoor) and on infrastructure links established by co-author Tom Hegel.
Phil Stokes [13:26]:
"We had strong confidence that this is definitely the same threat actors."
Phil Stokes [14:24]:
"It does... many of their campaigns are not one or the other [financially motivated or espionage]; they're kind of both at the same time."
The campaign fits North Korea's known pattern of combining financial theft with espionage, targeting individuals who can serve as gateways into larger organizational networks.
Stokes notes that Flexible Ferret is not technically sophisticated and uses no obfuscation; its effectiveness comes from the delivery and social engineering tactics, and the operators rapidly iterate and discard burned variants.
Phil Stokes [15:39]:
"The malware isn't that sophisticated... they're rapidly iterating. They're quite happy just to burn these malwares and write new ones."
Phil Stokes [16:52]:
"macOS compromise research is becoming more frequent... almost every organization is using Macs now."
The campaign primarily targets software developers, a broad and valuable group within organizations, making it both widespread and impactful.
Stokes also addresses the common misconception that macOS is inherently safer than other operating systems such as Windows.
Phil Stokes [17:07]:
"I've been a Mac user for all of my computing life... the weakest link is the person on the keyboard."
He emphasizes that regardless of the operating system, the person at the keyboard remains the weakest link, and that current campaigns are cross-platform from the outset, delivering an OS-appropriate second stage after a first stage fingerprints the target. The rise in macOS-targeted malware underscores the need for consistent security coverage across all platforms.
Phil Stokes [19:59]:
"The origin or provenance of anything a user is going to execute on their machine needs to be established that it's safe before you do it."
Stokes offers several key takeaways for both organizations and individual users:
Comprehensive Security Coverage: Protect every operating system in the organization equally; there should be no first- or second-class citizen in security.
Beyond OS Vendor Protections: Built-in OS security features such as Gatekeeper and XProtect are a baseline, not an endpoint; OS vendors prioritize stability and false-positive avoidance and have little visibility into how devices are used in an organization.
Protect High-Value Targets: Developers are gateways not only into their own organization but into every organization that uses the software they build, and organizations need to tell them so.
Vigilance Against Social Engineering: Treat any request from outside the organization to execute software as a security issue; establish the provenance of anything before running it, involve IT, and note that pushback against verification is itself a red flag.
Phil Stokes [20:10]:
"... executing code from an unknown origin is how infections happen."
Phil Stokes [22:57]:
"It's a social engineering obstacle rather than an OS obstacle in terms of stopping those first stages."
The episode highlights the evolving threats to macOS, in particular social engineering campaigns run by North Korean threat actors. Flexible Ferret combines abuse of Apple's code-signing and notarization trust mechanisms with a convincing decoy to compromise high-value targets within organizations. The discussion underscores the need for layered security that goes beyond built-in OS protections, together with user education about the provenance of executed code.
For more detail, listeners are encouraged to read the full research report linked in the show notes.
Notable Quotes:
Phil Stokes [02:11]:
"The Ferret malware is basically a first-stage Mac binary, usually a Mac app..."
Phil Stokes [07:44]:
"Flexible Ferret is the version that doesn't have a rule in XProtect for it."
Phil Stokes [13:26]:
"We had strong confidence that this is definitely the same threat actors."
Phil Stokes [17:07]:
"The weakest link is the person on the keyboard."
Phil Stokes [20:10]:
"... executing code from an unknown origin is how infections happen."
Produced by: Liz Stokes
Mixed by: Elliot Peltzman and Trey Hester
Executive Producer: Jennifer Eiben
Publisher: Peter Kilpe
For further information and resources discussed in this episode, visit the CyberWire website and access the show notes linked to this episode.