Cyware Daily Threat Intelligence, February 05, 2025
Daily Threat Briefing • Feb 5, 2025
North Korean hackers are turning fake job interviews into a gateway for cyber espionage. SentinelOne identified new variants of the macOS malware FlexibleFerret, used in the Contagious Interview operation to lure targets with fake job interviews. Victims are tricked into downloading malicious software disguised as virtual meeting tools, allowing attackers to gain control over their systems.
Cyberespionage groups are shifting their sights to the backbone of enterprise networks. A newly discovered malware, linked to the DaggerFly APT group, is targeting Linux-based network devices instead of standard endpoints. By hijacking SSH connections and replacing system binaries, the malware ensures long-term persistence while silently extracting sensitive data.
A security flaw in AMD processors has raised concerns over hardware-based attacks. The bug could allow attackers with admin access to load malicious microcode, potentially undermining system integrity. This flaw underscores the growing risks of hardware security gaps, where even minor weaknesses can have major consequences.
North Korean hackers drop macOS malware
SentinelOne found new variants of a macOS malware family, named FlexibleFerret, used by North Korean threat actors in schemes centered around fake job interviews. This malware is part of the Contagious Interview campaign. Typically, targets are directed to click a link which gives an error message and prompts them to install software like VCam or CameraAccess for virtual meetings. FlexibleFerret is particularly deceptive, as it was signed with a valid Apple Developer signature, although this signature has since been revoked. The ongoing campaign targets employers and developers on job search platforms.
New ValleyRAT variant spreads via Chrome downloads
Morphisec has found a new version of the ValleyRAT malware that uses advanced evasion tactics. This malware is distributed through phishing emails, messaging apps, and hacked websites, focusing on high-profile individuals in finance, accounting, and sales to steal sensitive information. The new variant spreads through a fake Chrome browser download hosted on a fraudulent Chinese telecom website. It uses a .NET executable to check for admin rights and download further malware components. The malware injects itself into legitimate processes to operate covertly, using names that seem normal to avoid attracting attention.
Daggerfly-linked malware targets network appliances
A new malware called ELF/Sshdinjector.A!tr has been linked to the DaggerFly espionage group, targeting Linux-based network devices for data theft. The dropper checks for existing infections and deploys malicious files if none are found. It replaces essential binaries with infected versions to maintain access. Key features include overwriting system binaries, remote control through an altered SSH library, extracting sensitive information, executing commands from attackers, and encrypted communication.
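The briefing describes persistence by overwriting system binaries and the SSH library. The following is an added defensive example (not code from the report or from any vendor) showing how a baseline of file hashes detects that kind of replacement; the monitored paths and the tampered contents are constructed for the demo, not taken from the malware.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical set of files to watch, modelled on the replaced binaries and
# SSH library the briefing describes; the paths are illustrative only.
MONITORED = ["bin/ls", "bin/ps", "usr/sbin/sshd", "lib/libsshd.so"]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, rel_paths) -> dict:
    """Record the hash of each monitored file on a known-good system."""
    return {rel: sha256_of(root / rel) for rel in rel_paths if (root / rel).is_file()}


def verify(root: Path, baseline: dict) -> dict:
    """Compare current files against the baseline; return findings keyed by path."""
    findings = {}
    for rel, expected in baseline.items():
        p = root / rel
        if not p.is_file():
            findings[rel] = "missing"
        elif sha256_of(p) != expected:
            findings[rel] = "modified"
    return findings


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then simulate binary replacement."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in MONITORED:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"original contents of " + rel.encode())
        baseline = build_baseline(root, MONITORED)
        assert verify(root, baseline) == {}  # clean tree produces no findings
        # Simulate the dropper overwriting a binary and the SSH library.
        (root / "bin/ls").write_bytes(b"constructed trojanised binary")
        (root / "lib/libsshd.so").write_bytes(b"constructed injected library")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline should be stored off-host (or signed), since a dropper with root can rewrite a local baseline as easily as the binaries themselves.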
AMD patches CPU bug
AMD announced patches for a vulnerability in its microprocessors that could compromise Secure Encrypted Virtualization protection, allowing attackers to load malicious microcode. This vulnerability, tracked as CVE-2024-56161, has a CVSS score of 7.2 and is due to improper signature verification in the CPU’s microcode patch loader. An attacker with local administrator access may load malicious microcode, threatening the confidentiality and integrity of systems using AMD SEV-SNP. AMD has released mitigations to block such actions, advising that users update their BIOS and reboot to enable these protections.
Netgear patches two critical flaws
Netgear has fixed two critical security vulnerabilities in several WiFi router models and advised customers to update their devices to the latest firmware immediately. The affected models include WiFi 6 access points (WAX206, WAX214v2, WAX220) and Nighthawk Pro Gaming routers (XR1000, XR1000v2, XR500). The company noted that these vulnerabilities can be exploited by attackers for remote code execution (PSV-2023-0039) and authentication bypass (PSV-2021-0117) without user interaction.
CISA adds four bugs to KEV catalog
The CISA added four security flaws to its KEV catalog due to evidence of active exploitation. The vulnerabilities include CVE-2024-45195 in Apache OFBiz, CVE-2024-29059 in Microsoft .NET Framework, and two in Paessler PRTG Network Monitor (CVE-2018-9276 and CVE-2018-19410). FCEB agencies have been advised to implement fixes by February 25.