
FlexibleFerret Malware Strikes macOS With Go Backdoor

Summary

– A new macOS malware chain bypasses security safeguards using staged scripts, credential-harvesting decoys, and a persistent Go-based backdoor to maintain long-term system access.
– The malware uses a second-stage shell script that fetches different payloads based on whether the system has an arm64 or Intel chip and establishes persistence via a LaunchAgent.
– A decoy application mimics Chrome permission prompts to steal credentials, which are exfiltrated to Dropbox using fragmented strings to build the host name and the legitimate Dropbox upload API to avoid detection.
– A Go-based backdoor named CDrivers connects to a command server, collects system data, executes commands, and handles errors by pausing before resuming to ensure continuous operation.
– Jamf attributes the campaign to FlexibleFerret operators and advises treating unsolicited interviews or Terminal-based fixes as high-risk to prevent users from manually running malicious scripts.

A sophisticated new malware campaign targeting macOS systems employs a multi-stage attack chain to bypass security measures, deploy a persistent backdoor, and steal sensitive user credentials. Dubbed FlexibleFerret, this threat leverages staged scripts, deceptive applications, and a powerful Go-based backdoor to maintain long-term control over infected devices.

Security analysts at Jamf Threat Labs recently detailed the attack sequence, which begins with a shell script that determines the system architecture, whether it uses Apple silicon or an Intel processor, and downloads tailored payloads accordingly. This script retrieves an archive file, extracts its contents into a temporary folder, and quietly launches the next component in the background. To ensure it survives system reboots, the malware installs a LaunchAgent that reactivates the loader every time the user logs in.
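The LaunchAgent described above is the part of the chain a defender can audit directly on disk. The following script is an added example, not Jamf's tooling or anything from the report: it parses LaunchAgent plists and flags agents that execute through a shell interpreter or reference a temporary or shared directory, which is what a loader that "extracts its contents into a temporary folder" and re-arms at login looks like. The directory list, interpreter list and the two sample plists are constructed assumptions for illustration.

```python
"""Audit macOS LaunchAgent plists for loader-style persistence (added example).

Flags agents whose ProgramArguments run through a shell interpreter or point
into a temp/shared directory; RunAtLoad is reported only alongside another
indicator, because legitimate agents also set it.
"""
import os
import plistlib
import tempfile
from pathlib import Path

# Assumed: directories a legitimate login item rarely executes from.
SUSPICIOUS_DIRS = (
    "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/",
    "/Users/Shared/",
)
# Assumed: interpreters a persistence entry should not normally invoke directly.
SHELL_INTERPRETERS = {"sh", "bash", "zsh", "osascript", "curl"}

# Constructed sample plists (not real indicators from the campaign).
MALICIOUS_PLIST = plistlib.dumps({
    "Label": "com.example.loader",
    "ProgramArguments": ["/bin/sh", "-c", "/private/var/folders/xx/T/loader.sh"],
    "RunAtLoad": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/Example", "--check"],
    "RunAtLoad": True,
})


def audit_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons an agent looks like a loader; empty list if none."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed or non-plist content
        return [f"unparseable plist ({exc})"]
    args = list(plist.get("ProgramArguments") or [])
    if plist.get("Program"):
        args.insert(0, plist["Program"])
    if not args:
        return []
    reasons = []
    if os.path.basename(args[0]) in SHELL_INTERPRETERS:
        reasons.append(f"runs through interpreter {args[0]}")
    for token in args:
        if token.startswith(SUSPICIOUS_DIRS):
            reasons.append(f"references temp/shared path {token}")
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad re-executes it at every login")
    return reasons


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Audit every *.plist in a directory; map file name -> reasons for hits only."""
    findings = {}
    for path in sorted(Path(directory).glob("*.plist")):
        reasons = audit_agent(path.read_bytes())
        if reasons:
            findings[path.name] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Run the scanner over the two constructed plists in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "com.example.loader.plist").write_bytes(MALICIOUS_PLIST)
        Path(tmp, "com.example.updater.plist").write_bytes(BENIGN_PLIST)
        return scan_launch_agents(Path(tmp))


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
    # Real audit of the current user's agents (directory may be absent on a clean box).
    for name, reasons in scan_launch_agents(Path.home() / "Library/LaunchAgents").items():
        print(name, "->", "; ".join(reasons))
```

The same checks apply to `/Library/LaunchAgents` and `/Library/LaunchDaemons` when run with sufficient privileges; the interpreter and directory lists are a starting point to tune against the host's own baseline rather than a complete signature.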

As part of its deceptive strategy, the script opens a fake application that mimics Google Chrome’s permission interface. This bogus program eventually displays a password window nearly identical to Chrome’s, tricking users into entering their credentials, which are then harvested by the attacker.

Stolen passwords are sent to a Dropbox account using a clever evasion method: the malware constructs the Dropbox host address by assembling small string fragments, then uses the legitimate Dropbox upload API to transfer the data. It also contacts api.ipify.org to collect the victim’s public IP address, adding another layer of reconnaissance.
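Because the Dropbox host name is assembled from fragments at run time, a string search of the binary will not find it, but the resolved destination is still visible in network telemetry. The detection below is an added example, not part of the article or Jamf's research: it correlates, per process, a public-IP lookup against api.ipify.org followed shortly by a connection to a Dropbox API host, which matches the sequence the paragraph describes. The log format, the Dropbox host list and the 60-second window are assumptions, and the log lines are constructed.

```python
"""Correlate IP-lookup then Dropbox-API traffic per process (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry (not real captures): time, pid, executable path, destination host.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 501 /Applications/Safari.app/Contents/MacOS/Safari www.apple.com
2024-01-01T10:00:05Z 742 /private/tmp/.x/ChromeUpdate api.ipify.org
2024-01-01T10:00:09Z 742 /private/tmp/.x/ChromeUpdate content.dropboxapi.com
2024-01-01T10:01:00Z 503 /Applications/Dropbox.app/Contents/MacOS/Dropbox content.dropboxapi.com
2024-01-01T10:02:00Z 610 /usr/bin/curl api.ipify.org
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+)$")
IP_LOOKUP_HOSTS = {"api.ipify.org"}  # named on the page
# Assumed: Dropbox API endpoints an uploader would contact.
DROPBOX_API_HOSTS = {"content.dropboxapi.com", "api.dropboxapi.com"}
WINDOW = timedelta(seconds=60)  # assumed correlation window


def parse_log(text: str):
    """Yield (timestamp, pid, exe, host) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts_raw, pid, exe, host = match.groups()
        ts = datetime.strptime(ts_raw.rstrip("Z"), "%Y-%m-%dT%H:%M:%S")
        yield ts, pid, exe, host


def correlate(log_text: str, window: timedelta = WINDOW) -> list[dict]:
    """Alert on a process that hits an IP-lookup host and then a Dropbox API host within the window."""
    by_pid = defaultdict(list)
    for ts, pid, exe, host in parse_log(log_text):
        by_pid[pid].append((ts, exe, host))
    alerts = []
    for pid, events in by_pid.items():
        events.sort()
        lookups = [ts for ts, _, host in events if host in IP_LOOKUP_HOSTS]
        for ts, exe, host in events:
            if host in DROPBOX_API_HOSTS and any(timedelta(0) <= ts - t <= window for t in lookups):
                alerts.append({"pid": pid, "exe": exe, "host": host, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The Dropbox desktop client in the sample is not flagged because it never performed the IP lookup, and the lone curl call is not flagged because no upload followed; the executable path of the flagged process, under a temp directory, is a second signal worth adding to the alert's severity.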

In the third stage, a loader script launches a malicious Go-based tool known as CDrivers. This backdoor generates a short machine ID, checks whether the system has already been compromised, and then connects to a predefined command-and-control server. Once it’s running, it enters a continuous command loop that can execute a wide range of harmful tasks, including collecting detailed system information.

To stay operational, the malware includes a built-in recovery routine. If an error disrupts its process, it collects system information again, pauses for five minutes, and then resumes its activity. This design helps the attack continue even when parts of the chain break.

Jamf attributes this campaign to the FlexibleFerret group, known for refining their social-engineering hooks. Their tactics often involve fake “technical interviews” or bogus “system fix” instructions that pressure users into running Terminal commands manually.

Organizations should treat unexpected interview invitations or troubleshooting steps that require Terminal access as high-risk scenarios. Training users to flag and report these prompts, rather than executing them, significantly reduces the chance of infection.

(Source: Info Security)
