As soon as the victim clicks on the action prompt, the executed binary (usually the JavaScript-based “BeaverTail” malware) runs a malicious shell script that installs a persistence agent on the local system, along with an executable posing as a Google Chrome update (labeled ChromeUpdate) that is in reality a Golang backdoor and stealer.
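The persistence step described above is what a responder would go looking for on a suspect Mac: a launchd job whose program is a Chrome-updater lookalike, typically dropped somewhere a user-writable script can write. The following is an added example, not code from the article or from any vendor report. Only the "ChromeUpdate" name comes from the text; the plist labels, file paths, the suspicious-location rules and the two sample plists it writes are assumptions constructed for the illustration.

```python
"""Hunt launchd persistence plists for a fake "ChromeUpdate" agent (added example).

Assumptions (not from the article): the lookalike names, the "suspicious
location" rules, and the two constructed sample plists below.
"""
import os
import plistlib
import tempfile

# Standard directories launchd reads persistence plists from on macOS.
LAUNCH_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]

# Assumed indicators for this example: Chrome-updater lookalike names, and
# binaries living where a user-level dropper script would be able to write.
LOOKALIKE_NAMES = {"chromeupdate", "chrome_update", "googlechromeupdate"}
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def program_path(plist):
    """Return the executable a launchd job runs: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def reasons_for(label, exe):
    """Return the reasons a launchd job resembles the dropper's persistence agent."""
    reasons = []
    name = os.path.basename(exe).lower()
    if name in LOOKALIKE_NAMES:
        reasons.append("executable name mimics a Chrome updater")
    if exe.startswith(SUSPICIOUS_PREFIXES):
        reasons.append("executable lives in a temp or shared directory")
    if exe.startswith("/Users/") and "/." in exe:
        reasons.append("executable sits in a hidden directory under a home folder")
    if "chrome" in label.lower() and not label.lower().startswith("com.google."):
        reasons.append("label claims Chrome but is not a com.google.* identifier")
    return reasons


def scan(dirs):
    """Parse every .plist in dirs; return [(plist_path, label, exe, reasons)] for hits."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fname in sorted(os.listdir(d)):
            if not fname.endswith(".plist"):
                continue
            path = os.path.join(d, fname)
            try:
                with open(path, "rb") as fh:
                    plist = plistlib.load(fh)  # handles both XML and binary plists
            except (plistlib.InvalidFileException, OSError, ValueError):
                continue  # unreadable file: skip it rather than abort the hunt
            label = str(plist.get("Label", fname))
            exe = program_path(plist)
            hits = reasons_for(label, exe)
            if hits:
                findings.append((path, label, exe, hits))
    return findings


def build_sample_dir():
    """Write two constructed plists (one benign, one lookalike) into a temp dir."""
    d = tempfile.mkdtemp(prefix="launchagents-demo-")
    benign = {  # constructed benign job
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/local/bin/backup-agent", "--daily"],
        "RunAtLoad": True,
    }
    lookalike = {  # constructed job shaped like the described ChromeUpdate agent
        "Label": "ChromeUpdate",
        "ProgramArguments": ["/Users/victim/.config/ChromeUpdate"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    for fname, job in (("com.example.backup.plist", benign), ("ChromeUpdate.plist", lookalike)):
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump(job, fh)
    return d


if __name__ == "__main__":
    # Scan the real launchd directories first, then the constructed sample set.
    for path, label, exe, hits in scan(LAUNCH_DIRS + [build_sample_dir()]):
        print(f"{path}\n  label={label}\n  exe={exe}\n  " + "; ".join(hits))
```

The rules are deliberately loose heuristics for triage, not a signature: anything flagged still needs the binary pulled for inspection (code signature, hashes, strings) before it is called malicious, and a real incident would also cover `launchctl list` output and login items, which this plist scan does not touch.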
The Ferret malware is written specifically for macOS, with variants whose names point to the macOS components they target: the user interface (FROSTYFERRET_UI), the security daemon (FRIENDLYFERRET_SECD), and command codes within the macOS environment (MULTI_FROSTYFERRET_CMDCODES).
In a comment to CSO, Boris Cipot, a senior security engineer at Black Duck, said, “There are different threat actor groups that are interested in macOS, most prominent being the groups from North Korea, China, and Russia. What we can see is that the newest campaign is a further evolution of the FERRET malware family as these threat actors are trying to fine-tune their techniques of bypassing security measures.”