- Jamf reports North Korean actors using fake job ads and ClickFix tactics to target macOS users
- Victims are tricked into running curl commands in Terminal, installing FlexibleFerret backdoor malware
- The campaign, dubbed Contagious Interview, enables credential theft, file exfiltration, and system compromise
North Korean state-sponsored threat actors are targeting macOS users with new malware, utilizing a strategy that combines two popular approaches – fake job ads, and ClickFix, experts have warned.
Security researchers Jamf confirmed they have spotted attacks in the wild using ClickFix, an attack method in which the victim is presented with a fake problem, and at the same time, presented with a fix. It is an evolution of the old “You have a virus” popup that dominated the internet in the early 2000’s.
Jamf says ‘DPRK-aligned operators’ from the FlexibleFerret malware family have been creating fake companies, fake LinkedIn profiles and, most importantly – fake job ads, as part of a wider campaign called Contagious Interview.
Curl commands and fake fixes
Victims, mostly software developers, would either discover these websites and job ads by themselves, or would be invited for interviews via LinkedIn.
After jumping through multiple loops, the victims would then be asked to record a video of themselves through the employer’s platform, but if they would try to do so, the platform would tell them that their camera isn’t working properly.
They would then be presented with a fix – a curl command to be entered into Terminal – which doesn’t fix the problem but rather introduces malware to the system.
This malware, essentially a backdoor, does a couple of things – generates a short machine identifier, checks for duplicates, and then pulls additional commands from a hard-coded command server.
Those commands include collecting system information, uploading or downloading files, executing shell commands, pulling Chrome profile data, or triggering an automated credential theft.
“Organizations should treat unsolicited ‘interview’ assessments and Terminal-based ‘fix’ instructions as high-risk, and ensure users know to stop and report these prompts rather than follow them,” the researchers concluded.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
