{"id":101233,"date":"2024-07-25T08:49:59","date_gmt":"2024-07-25T15:49:59","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=101233"},"modified":"2024-12-07T00:21:13","modified_gmt":"2024-12-07T08:21:13","slug":"beavertail-and-invisibleferret-malware-target-job-seeking-mac-users","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/","title":{"rendered":"BeaverTail and InvisibleFerret malware target job-seeking Mac users"},"content":{"rendered":"<p><img loading=\"lazy\" class=\"aligncenter size-full wp-image-101201\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/07\/BeaverTail-and-InvisibleFerret-macOS-Mac-malware-600x300-1.jpg\" alt=\"OSX\/BeaverTail and OSX\/InvisibleFerret macOS Mac malware\" width=\"600\" height=\"300\" \/><\/p>\n<p>On July 15, MalwareHunterTeam (MHT) <a href=\"https:\/\/x.com\/malwrhunterteam\/status\/1812792291876119034\" target=\"_blank\" rel=\"noopener\">posted a thread on X<\/a> about a fake videoconferencing app for Mac. The malware apparently targeted Mac users via unsolicited LinkedIn messages about job opportunities.<\/p>\n<p>Let&#8217;s take a brief look at what the malware does and how it was distributed.<\/p>\n<h3>What do BeaverTail and InvisibleFerret malware do?<\/h3>\n<p>MalwareHunterTeam noted that the Trojan horse was fully undetected (&#8220;FUD&#8221;) by antivirus engines on VirusTotal as of that date. 
While this malware poses as an existing piece of software, it&#8217;s actually a malicious Trojan horse.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Interesting, FUD on VT, &quot;MiroTalk.dmg&quot;: 9abf6b93eafb797a3556bea1fe8a3b7311d2864d5a9a3687fce84bc1ec4a428c<br \/>Payload \/ next stages are coming from 95.164.17[.]24:1224 (Stark AS 44477).<br \/>From a quick look, the next stages includes stealing from browsers, keylogging, installing AnyDesk,\u2026 <a href=\"https:\/\/t.co\/YRIMLPl5r8\">pic.twitter.com\/YRIMLPl5r8<\/a><\/p>\n<p>&mdash; MalwareHunterTeam (@malwrhunterteam) <a href=\"https:\/\/twitter.com\/malwrhunterteam\/status\/1812792291876119034?ref_src=twsrc%5Etfw\">July 15, 2024<\/a><\/p><\/blockquote>\n<p>Several hours later, malware analyst Patrick Wardle published his own initial <a href=\"https:\/\/objective-see.org\/blog\/blog_0x7A.html\" target=\"_blank\" rel=\"noopener nofollow\">assessment<\/a> of the malware. Evidently, it&#8217;s a macOS-native port of <strong>BeaverTail<\/strong> (JavaScript-based stealer and dropper malware). It is distributed along with <strong>InvisibleFerret<\/strong> (Python-based backdoor malware). Unit 42 published a <a href=\"https:\/\/unit42.paloaltonetworks.com\/two-campaigns-by-north-korea-bad-actors-target-job-hunters\/\" target=\"_blank\" rel=\"noopener nofollow\">report<\/a> about earlier versions of these families, then without a native Mac app, late last year.<\/p>\n<p>The Trojan apparently checks for various cryptocurrency-related extensions in, and extracts data from, the Google Chrome, Brave, and Opera browsers. It also targets the macOS login keychain database.
After surreptitiously collecting sensitive data from an infected Mac, the malware exfiltrates this data to an attacker-controlled server.<\/p>\n<p>Malware researcher Jaromir Horejsi <a href=\"https:\/\/x.com\/JaromirHorejsi\/status\/1812853743282479200\" target=\"_blank\" rel=\"noopener\">noted<\/a> that the Mac port of this malware seems sloppy; it includes references to a Windows .exe application.<\/p>\n<h3>How the malware spread: fake job opportunities<\/h3>\n<p>As MalwareHunterTeam <a href=\"https:\/\/x.com\/malwrhunterteam\/status\/1812796022835323213\" target=\"_blank\" rel=\"noopener\">observed<\/a> in its thread, looking up the malware&#8217;s phone-home IP address reveals that it has already been used for more than a month. A previous victim <a href=\"https:\/\/www.reddit.com\/r\/webdev\/comments\/1ddpmiz\/beware_of_scammers\/\" target=\"_blank\" rel=\"noopener\">posted on Reddit<\/a> on June 11 about how a scammer had tried to infect them:<\/p>\n<blockquote><p>Someone messaged me on LinkedIn, asking me if I had any experience with web3. \u2026<\/p>\n<p>They asked me to move the conversation to Telegram (\ud83d\udea9). I accepted. On Telegram, they sent me the link to a GitHub repo. The repository was public, but with few commits and 0 stars. \u2026<\/p>\n<p>I guess that script would have tried to steal my cookies, crypto if I had any, it&#8217;s definitely something malicious. I reported the user on LinkedIn and the repository. 
Hope they will take action soon.<\/p>\n<p>Stay safe and don&#8217;t execute code from strangers!!<\/p><\/blockquote>\n<p>The GitHub repository has since been removed.<\/p>\n<p>As Wardle points out in his write-up, &#8220;It\u2019s common for DPRK [North Korean] hackers to target their victims by posing as job hunters.&#8221; We&#8217;ve certainly seen similar attacks before; we <a href=\"https:\/\/www.intego.com\/mac-security-blog\/supply-chain-attacks-garage-doors-and-exploding-usb-drives-intego-mac-podcast-episode-286\/#:~:text=Job%20recruitment%20scam%20tricks%20applicants%20into%20downloading%20malware.\">discussed<\/a> on the April 6, 2023 episode of the <a href=\"https:\/\/podcast.intego.com\/\">Intego Mac Podcast<\/a> how North Korean threat actors were even targeting cybersecurity researchers. Similar campaigns have been ongoing for at least the past three years, if not longer.<a name=\"staysafe\"><\/a><\/p>\n<h3>How can I keep my Mac safe from similar malware?<\/h3>\n<p>If you use Intego VirusBarrier, you&#8217;re already protected from this malware.
Intego detects these samples as <strong>OSX\/Nukesped<\/strong>, <strong>OSX\/Stealer<\/strong>, <strong>virus\/OSX\/AVF.Agent.dean<\/strong>, and similar names.<\/p>\n<p><img loading=\"lazy\" class=\"alignright size-medium wp-image-54214\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-300x150.png\" alt=\"Intego X9 software boxes\" width=\"200\" height=\"100\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-300x150.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-150x75.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch.png 600w\" sizes=\"(max-width: 200px) 100vw, 200px\" \/>Intego VirusBarrier X9, included with <strong><a href=\"https:\/\/offer.intego.com\/BlogMACAV_lbmxlkchf\">Intego&#8217;s Mac Premium Bundle X9<\/a><\/strong>, is a powerful solution designed to protect against, detect, and eliminate Mac malware.<\/p>\n<p>If you believe your Mac may be infected, or to prevent future infections, it&#8217;s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes <a href=\"https:\/\/www.intego.com\/mac-security-blog\/why-your-antivirus-needs-real-time-scanning\/\">real-time protection<\/a>. It runs natively on both Intel- and Apple silicon-based Macs, and it&#8217;s compatible with Apple&#8217;s current Mac operating system, macOS Sonoma.<\/p>\n<p>One of VirusBarrier&#8217;s unique features is that it can <a href=\"https:\/\/support.intego.com\/hc\/en-us\/articles\/207114798-VirusBarrier-X9-How-to-Scan-iPhone-iPad-and-iPod-Touch\">scan for malicious files on an iPhone, iPad, or iPod touch<\/a> in user-accessible areas of the device. 
Just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.<\/p>\n<p>If you use a Windows PC, <a href=\"https:\/\/www.intego.com\/lp\/route-podcast-intego\/?channel=Podcast_Intego&amp;lpx=buy\"><strong>Intego Antivirus for Windows<\/strong><\/a> can keep your computer protected from malware.<a name=\"iocs\"><\/a><\/p>\n<h3>Indicators of compromise (IOCs)<\/h3>\n<p>Following are SHA-256 hashes of malware samples from this campaign:<\/p>\n<pre>10f86be3e564f2e463e45420eb5f9fbdb14f7427eac665cd9cc7901efbc4cc59\r\n9abf6b93eafb797a3556bea1fe8a3b7311d2864d5a9a3687fce84bc1ec4a428c\r\nf08e88c7397443e35697e145887af2683a83d2415ccd0c7536cea09e35da9ef7<\/pre>\n<p>This malware campaign leverages the following domain and IP address:<\/p>\n<pre>mirotalk[.]net\r\n95.164.17[.]24<\/pre>\n<p>Network administrators can check logs to try to identify whether any computers may have attempted to contact this domain or IP in recent weeks, which could indicate a possible infection.<a name=\"other-names\"><\/a><\/p>\n<h3>Do security vendors detect this by any other names?<\/h3>\n<p>Other antivirus vendors&#8217; names for this malware may include variations of the following:<\/p>\n<p><span style=\"font-size: small;\">DMG\/ABTrojan.TCFF-, HEUR:Trojan-PSW.OSX.BeaverTail.a, MacOS:Stealer-AS [Trj], MacOS\/ABTrojan.AJWE-, Malware.OSX\/AVF.Agent.deane, Malware.OSX\/GM.Stealer.DP, Osx.Trojan-QQPass.QQRob.Edhl, Osx.Trojan-QQPass.QQRob.Pnkl, OSX.Trojan.Gen, OSX\/AVF.Agent.deane, OSX\/GM.Stealer.DP, OSX\/InfoStl-DO, OSX\/NukeSped.AN, Python:Nukesped-E [Trj], Python:Nukesped-F [Drp], TROJ_FRS.0NA104GH24, TROJ_FRS.VSNTGH24, Trojan-Spy.OSX.BeaverTail, Trojan-Spy.Python.Agent, Trojan:MacOS\/BeaverTail!MTB, Trojan:MacOS\/Multiverze, Trojan:Python\/NukeSped.E, Trojan:Python\/NukeSped.G, Trojan.Generic.36558217 (B), Trojan.Generic.D461A7BC, Trojan.GenericKD.73508796 (B), Trojan.OSX.BeaverTail.i!c, Trojan.OSX.Nukesped.i!c, Trojan[stealer]:MacOS\/NukeSped.AT, 
Trojan\/OSX.Agent.20784310, Trojan\/OSX.Agent.770832, UDS:Trojan-PSW.OSX.BeaverTail.a<\/span><a name=\"learnmore\"><\/a><\/p>\n<h3>How can I learn more?<\/h3>\n<p>We briefly discussed this malware on <a href=\"https:\/\/www.intego.com\/mac-security-blog\/how-a-crowdstrike-update-affected-mission-critical-systems-around-the-world-intego-mac-podcast-episode-354\/\">episode 354<\/a> of the Intego Mac Podcast:<\/p>\n<p><iframe style=\"width: 100%; max-width: 660px; overflow: hidden; border-radius: 10px;\" src=\"https:\/\/embed.podcasts.apple.com\/us\/podcast\/episode-354-how-a-crowdstrike-update-affected\/id1293834627?i=1000663298417\" height=\"175\" frameborder=\"0\" sandbox=\"allow-forms allow-popups allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation-by-user-activation\"><\/iframe><\/p>\n<p>For a deeper technical analysis of the malware, you can read Patrick Wardle&#8217;s <a href=\"https:\/\/objective-see.org\/blog\/blog_0x7A.html\" target=\"_blank\" rel=\"noopener nofollow\">write-up<\/a>. You can also read previous research into similar campaigns, written up by <a href=\"https:\/\/unit42.paloaltonetworks.com\/two-campaigns-by-north-korea-bad-actors-target-job-hunters\/\" target=\"_blank\" rel=\"noopener nofollow\">Unit42<\/a> and by <a href=\"https:\/\/www.securonix.com\/blog\/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors\/\" target=\"_blank\" rel=\"noopener nofollow\">D. Iuzvyk, T. 
Peck, and O. Kolesnikov<\/a>.<\/p>\n<p><a href=\"https:\/\/podcast.intego.com\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img class=\"alignleft\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/04\/intego-podcast-artwork-400.jpg\" alt=\"\" width=\"80\" \/><\/a><\/p>\n<p>Each week on the <a href=\"https:\/\/podcast.intego.com\/\" target=\"_blank\" rel=\"noopener\"><strong>Intego Mac Podcast<\/strong><\/a>, Intego&#8217;s Mac security experts discuss the latest Apple news, security, and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to <a href=\"https:\/\/podcasts.apple.com\/us\/podcast\/intego-mac-podcast\/id1293834627\" rel=\"noopener\"><strong>follow the podcast<\/strong><\/a> to make sure you don\u2019t miss any episodes.<\/p>\n<p>You can also subscribe to our <a href=\"https:\/\/www.intego.com\/mac-security-blog\/mac-security-newsletter\/\"><strong>e-mail newsletter<\/strong><\/a> and keep an eye here on <a href=\"https:\/\/www.intego.com\/mac-security-blog\"><strong>The Mac Security Blog<\/strong><\/a> for the latest Apple security and privacy news.
<\/p>\n","protected":false},"excerpt":{"rendered":"<p>BeaverTail malware, paired with InvisibleFerret, has recently been used in targeted attacks against Mac users who may be open to job opportunities. Learn more about how to avoid getting tricked into running this backdoor stealer malware onto your Mac.<\/p>\n","protected":false},"author":14,"featured_media":101202,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[86,4722,3364],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"BeaverTail malware, paired with InvisibleFerret, has recently been used in targeted attacks against Mac users who may be open to job opportunities.
Learn more about how to avoid getting tricked into running this backdoor stealer malware onto your Mac.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"BeaverTail and InvisibleFerret malware target job-seeking Mac users - The Mac Security Blog\" \/>\n<meta property=\"og:description\" content=\"BeaverTail malware, paired with InvisibleFerret, has recently been used in targeted attacks against Mac users who may be open to job opportunities. Learn more about how to avoid getting tricked into running this backdoor stealer malware onto your Mac.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/\" \/>\n<meta property=\"og:site_name\" content=\"The Mac Security Blog\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/JoshLong\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-25T15:49:59+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-12-07T08:21:13+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/07\/BeaverTail-and-InvisibleFerret-macOS-Mac-malware-400x260-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"400\" \/>\n\t<meta property=\"og:image:height\" content=\"260\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@theJoshMeister\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Joshua Long\" \/>\n\t<meta name=\"twitter:label2\" 
content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\",\"name\":\"Intego\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"sameAs\":[],\"logo\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"width\":875,\"height\":875,\"caption\":\"Intego\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"name\":\"The Mac Security Blog\",\"description\":\"Keep Macs safe from the dangers of the Internet\",\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/07\/BeaverTail-and-InvisibleFerret-macOS-Mac-malware-400x260-1.jpg\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/07\/BeaverTail-and-InvisibleFerret-macOS-Mac-malware-400x260-1.jpg\",\"width\":400,\"height\":260,\"caption\":\"OSX\/BeaverTail and OSX\/InvisibleFerret macOS Mac malware\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#webpage\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/\",\"name\":\"BeaverTail and InvisibleFerret malware target job-seeking Mac users - The Mac Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#primaryimage\"},\"datePublished\":\"2024-07-25T15:49:59+00:00\",\"dateModified\":\"2024-12-07T08:21:13+00:00\",\"description\":\"BeaverTail malware, paired with InvisibleFerret, has recently been used in targeted attacks against Mac users who may be open to job opportunities. 
Learn more about how to avoid getting tricked into running this backdoor stealer malware onto your Mac.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.intego.com\/mac-security-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"BeaverTail and InvisibleFerret malware target job-seeking Mac users\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#webpage\"},\"author\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1\"},\"headline\":\"BeaverTail and InvisibleFerret malware target job-seeking Mac 
users\",\"datePublished\":\"2024-07-25T15:49:59+00:00\",\"dateModified\":\"2024-12-07T08:21:13+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#webpage\"},\"wordCount\":946,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/07\/BeaverTail-and-InvisibleFerret-macOS-Mac-malware-400x260-1.jpg\",\"keywords\":[\"Malware\",\"Stealer Malware\",\"Telegram Messenger\"],\"articleSection\":[\"Malware\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#respond\"]}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1\",\"name\":\"Joshua Long\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g\",\"caption\":\"Joshua Long\"},\"description\":\"Joshua Long (@theJoshMeister), formerly Intego\\u2019s Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master\\u2019s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple\\u00a0ID authentication vulnerability. 
Josh has conducted cybersecurity research for well over 25 years, which is often featured by major news outlets worldwide. Keep up with Josh via X\/Twitter, LinkedIn, Facebook, Instagram, YouTube, Patreon, Mastodon, the JoshMeister on Security, and more. \\u2014\",\"sameAs\":[\"https:\/\/security.thejoshmeister.com\",\"https:\/\/www.facebook.com\/JoshLong\",\"https:\/\/www.instagram.com\/thejoshmeister\/\",\"https:\/\/www.linkedin.com\/in\/thejoshmeister\",\"https:\/\/www.pinterest.com\/thejoshmeister\/\",\"https:\/\/twitter.com\/theJoshMeister\",\"https:\/\/www.youtube.com\/@theJoshMeister\"],\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/author\/joshlong\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"description":"BeaverTail malware, paired with InvisibleFerret, has recently been used in targeted attacks against Mac users who may be open to job opportunities. Learn more about how to avoid getting tricked into running this backdoor stealer malware onto your Mac.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/","og_locale":"en_US","og_type":"article","og_title":"BeaverTail and InvisibleFerret malware target job-seeking Mac users - The Mac Security Blog","og_description":"BeaverTail malware, paired with InvisibleFerret, has recently been used in targeted attacks against Mac users who may be open to job opportunities. 
Learn more about how to avoid getting tricked into running this backdoor stealer malware onto your Mac.","og_url":"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/","og_site_name":"The Mac Security Blog","article_author":"https:\/\/www.facebook.com\/JoshLong","article_published_time":"2024-07-25T15:49:59+00:00","article_modified_time":"2024-12-07T08:21:13+00:00","og_image":[{"width":400,"height":260,"url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/07\/BeaverTail-and-InvisibleFerret-macOS-Mac-malware-400x260-1.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_creator":"@theJoshMeister","twitter_misc":{"Written by":"Joshua Long","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Organization","@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization","name":"Intego","url":"https:\/\/www.intego.com\/mac-security-blog\/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","width":875,"height":875,"caption":"Intego"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo"}},{"@type":"WebSite","@id":"https:\/\/www.intego.com\/mac-security-blog\/#website","url":"https:\/\/www.intego.com\/mac-security-blog\/","name":"The Mac Security Blog","description":"Keep Macs safe from the dangers of the 
Internet","publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#primaryimage","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/07\/BeaverTail-and-InvisibleFerret-macOS-Mac-malware-400x260-1.jpg","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/07\/BeaverTail-and-InvisibleFerret-macOS-Mac-malware-400x260-1.jpg","width":400,"height":260,"caption":"OSX\/BeaverTail and OSX\/InvisibleFerret macOS Mac malware"},{"@type":"WebPage","@id":"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#webpage","url":"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/","name":"BeaverTail and InvisibleFerret malware target job-seeking Mac users - The Mac Security Blog","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#primaryimage"},"datePublished":"2024-07-25T15:49:59+00:00","dateModified":"2024-12-07T08:21:13+00:00","description":"BeaverTail malware, paired with InvisibleFerret, has recently been used in targeted attacks against Mac users who may be open to job opportunities. 
Learn more about how to avoid getting tricked into running this backdoor stealer malware onto your Mac.","breadcrumb":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.intego.com\/mac-security-blog\/"},{"@type":"ListItem","position":2,"name":"BeaverTail and InvisibleFerret malware target job-seeking Mac users"}]},{"@type":"Article","@id":"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#article","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#webpage"},"author":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1"},"headline":"BeaverTail and InvisibleFerret malware target job-seeking Mac 
users","datePublished":"2024-07-25T15:49:59+00:00","dateModified":"2024-12-07T08:21:13+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#webpage"},"wordCount":946,"commentCount":0,"publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/07\/BeaverTail-and-InvisibleFerret-macOS-Mac-malware-400x260-1.jpg","keywords":["Malware","Stealer Malware","Telegram Messenger"],"articleSection":["Malware"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intego.com\/mac-security-blog\/beavertail-and-invisibleferret-malware-target-job-seeking-mac-users\/#respond"]}]},{"@type":"Person","@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1","name":"Joshua Long","image":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g","caption":"Joshua Long"},"description":"Joshua Long (@theJoshMeister), formerly Intego\u2019s Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master\u2019s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple\u00a0ID authentication vulnerability. Josh has conducted cybersecurity research for well over 25 years, which is often featured by major news outlets worldwide. 
Keep up with Josh via X\/Twitter, LinkedIn, Facebook, Instagram, YouTube, Patreon, Mastodon, the JoshMeister on Security, and more. \u2014","sameAs":["https:\/\/security.thejoshmeister.com","https:\/\/www.facebook.com\/JoshLong","https:\/\/www.instagram.com\/thejoshmeister\/","https:\/\/www.linkedin.com\/in\/thejoshmeister","https:\/\/www.pinterest.com\/thejoshmeister\/","https:\/\/twitter.com\/theJoshMeister","https:\/\/www.youtube.com\/@theJoshMeister"],"url":"https:\/\/www.intego.com\/mac-security-blog\/author\/joshlong\/"}]}},"jetpack_featured_media_url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/07\/BeaverTail-and-InvisibleFerret-macOS-Mac-malware-400x260-1.jpg","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4VAYd-qkN","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/101233"}],"collection":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/comments?post=101233"}],"version-history":[{"count":18,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/101233\/revisions"}],"predecessor-version":[{"id":101268,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/101233\/revisions\/101268"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media\/101202"}],"wp:attachment":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media?parent=101233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-
security-blog\/wp-json\/wp\/v2\/categories?post=101233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/tags?post=101233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}