Poseidon Mac Stealer Spreads via Google Ads

By Admin | 2024-07-01 | Malware Attack

On June 24, a new campaign was identified that targets Mac users through malicious Google ads for the Arc browser. This marks the second instance in recent months where Arc has been exploited as bait, indicating its rising popularity. Previously, Arc was used to deploy a Windows RAT, also via Google ads.

The macOS stealer in this campaign is being developed as a competitor to Atomic Stealer, sharing much of its codebase. Previously tracked by Malwarebytes as OSX.RodStealer due to its creator, Rodrigo4, the stealer has been rebranded as 'Poseidon' and now includes features such as looting VPN configurations.


Campaign Overview

  • Advertisement and Distribution: The new Poseidon campaign was advertised on cybercrime forums and distributed through malvertising. An ad for the Arc browser, created by 'Coles & Co', redirected users to a fake site offering Arc for Mac. The downloaded DMG file mimicked a legitimate Mac application, with a right-click trick to bypass security protections.

  • Features and Development: The Poseidon stealer, still under development, retains many functionalities of Atomic Stealer, including a file grabber, crypto wallet extractor, and password manager stealer. Recently, it added the ability to steal VPN configurations from Fortinet and OpenVPN.

  • Threat Actor: Rodrigo4, active on the XSS underground forum, has been promoting the new Poseidon project. The stealer is designed with a malware panel offering statistics and a builder for customization.
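The distribution step above relies on the victim opening an unsigned disk image with the right-click trick, which sidesteps the normal Gatekeeper prompt. The script below is an added example (not code from the original post or from Malwarebytes) showing the checks a defender can run on a freshly downloaded DMG or app bundle before opening it: whether the quarantine attribute is still present, whether the code signature verifies, and whether Gatekeeper would accept it. It wraps the stock macOS tools `xattr`, `codesign` and `spctl`; the `verdict` policy and the field names are this example's own assumptions, and the quarantine string shown in the usage comment is constructed.

```python
"""Triage a downloaded macOS disk image or app bundle before opening it.

Added example, not part of the original post. Wraps three stock macOS tools
(xattr, codesign, spctl) so the checks run offline on the local file.
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class QuarantineInfo:
    flags: int   # hex flags field of com.apple.quarantine
    agent: str   # application that performed the download (e.g. a browser)
    uuid: str


def parse_quarantine(raw: str) -> Optional[QuarantineInfo]:
    """Parse a com.apple.quarantine value of the form 'flags;timestamp;agent;uuid'."""
    raw = raw.strip()
    if not raw:
        return None
    parts = raw.split(";")
    if len(parts) < 4:
        return None
    try:
        flags = int(parts[0], 16)
    except ValueError:
        return None
    return QuarantineInfo(flags=flags, agent=parts[2], uuid=parts[3])


def _run(cmd: List[str]) -> Tuple[int, str]:
    """Run a command and return (exit code, combined output); never raises."""
    try:
        p = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return 1, str(exc)
    return p.returncode, p.stdout + p.stderr


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Return the quarantine attribute, or None if it is absent (already stripped)."""
    code, out = _run(["xattr", "-p", "com.apple.quarantine", path])
    return parse_quarantine(out) if code == 0 else None


def signature_valid(path: str) -> bool:
    """codesign exits 0 only when the signature is present and intact."""
    code, _ = _run(["codesign", "--verify", "--deep", "--strict", path])
    return code == 0


def gatekeeper_accepts(path: str) -> bool:
    """spctl exits 0 only when the file passes the system security policy."""
    if path.lower().endswith(".dmg"):
        cmd = ["spctl", "--assess", "--type", "open",
               "--context", "context:primary-signature", "-v", path]
    else:
        cmd = ["spctl", "--assess", "--type", "execute", "-v", path]
    code, _ = _run(cmd)
    return code == 0


def verdict(quarantined: bool, signed: bool, accepted: bool) -> str:
    """Combine the three checks into one triage decision (assumed policy)."""
    if not quarantined:
        return "WARN: quarantine attribute missing; Gatekeeper will not assess this file"
    if signed and accepted:
        return "OK: signed and accepted by Gatekeeper"
    if signed:
        return "WARN: signed but rejected by Gatekeeper (not notarized or revoked)"
    return "BLOCK: signature check failed (unsigned or tampered)"


def triage(path: str) -> str:
    q = read_quarantine(path)
    return verdict(q is not None, signature_valid(path), gatekeeper_accepts(path))


if __name__ == "__main__":
    # Usage: python3 triage_download.py ~/Downloads/Arc.dmg
    # A constructed quarantine value looks like "0083;66803f2a;Chrome;3A1F0C5E-..."
    for target in sys.argv[1:]:
        print(target, "->", triage(target))
```

Run it against the downloaded file before double-clicking or right-click-opening it. A missing quarantine attribute on something that just came out of a browser, or a "BLOCK" verdict, is exactly the case where the "open it anyway" workaround should not be used.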

Implications and Protection

The emergence of the Poseidon stealer highlights the active development of Mac malware focused on stealing sensitive information. The campaign's use of Google ads for distribution underscores the importance of vigilance when downloading new applications.

Malwarebytes continues to detect this threat as OSX.RodStealer and has shared details about the malicious ad with Google. Users are advised to use web protection tools like Malwarebytes Browser Guard to block ads and malicious websites effectively.


Conclusion

The Poseidon Mac stealer represents a significant threat to Mac users, leveraging popular software as a lure and employing sophisticated methods to bypass security measures. Staying informed and protected is crucial to prevent falling victim to such malware.

For further details and protection advice, visit the Malwarebytes blog and ensure your security software is up to date.