Lumma Stealer Malware aka LummaC – Active IOCs
July 1, 2024
ICS: Hitachi Vantara Pentaho Business Analytics Server Vulnerability
July 1, 2024
Severity
High
Analysis Summary
A new macOS malware, named ‘Poseidon’, is causing concern among security experts because it harvests user account credentials and VPN configurations for theft or resale. Researchers believe this campaign is the initial phase of a planned malware-for-hire service.
According to researchers, Poseidon spreads through Google ads disguised as links to download the popular Arc web browser. Clicking on the ad redirects users to a counterfeit site that offers a trojanized download which, when launched, starts the infection. Researchers explained that the actual malware payload, known as OSX.RodStealer, appears to be the work of an emerging malware writer.
This writer is likely trying to create a competitor to the infamous AtomicStealer malware family: the stealer shares features and a code base with Atomic Stealer. The service includes a malware panel with statistics and a builder for custom names, icons, and AppleScript.
OSX.RodStealer offers functionality similar to Atomic Stealer's, including a file grabber, a crypto wallet extractor, a password manager stealer (targeting Bitwarden and KeePassXC), and a browser data collector. Info-stealing trojans for macOS are gaining popularity among cybercriminals because they can steal not only account credentials but also crypto wallet keys, browser history, and VPN access configurations. This trend highlights the growing threat such malware poses to Mac users.
To protect against Poseidon and similar threats, researchers advise Mac users to be cautious about the sources of their application downloads and to avoid suspicious sites or unsigned installers. Vigilance when downloading and installing new apps is crucial. The active distribution of this new payload confirms a real and ongoing threat to potential victims, underscoring the need for robust security practices and tools.
Impact
- Sensitive Data Theft
- Cryptocurrency Theft
- Unauthorized Access
Indicators of Compromise
Domain Name
- arcthost.org
- arc-download.com
- zestyahhdog.com
IP
- 79.137.192.4
MD5
- 02a0407bea1bea006c35c0aa178a573b
SHA-256
- c1693ee747e31541919f84dfa89e36ca5b74074044b181656d95d7f40af34a05
SHA-1
- 707dfef59b96cdc6df074b4d913d2fd39540924e
URL
- http://79.137.192.4/p2p
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Only download apps from official app stores (Google Play Store and Apple App Store) and avoid third-party app sources.
- Review the permissions an app requests during installation. If an app asks for excessive permissions that are unrelated to its functionality, consider it a red flag.
- Never trust or open links and attachments received from unknown sources/senders.
- Encourage individuals to report any suspicious activities, emails, or messages to relevant authorities, organizations, or cybersecurity experts.
- Verify the authenticity of websites, social media profiles, and apps before providing personal information or engaging with them.
- Implement strong, multi-factor authentication (MFA) for email accounts, social media profiles, and other sensitive online services.
- Keep all software and operating systems up to date with the latest security patches to minimize vulnerabilities.
- Employ robust network security measures, including firewalls and intrusion detection systems, to detect and block malicious network traffic.
- Develop and maintain an incident response plan that outlines steps to take in case of a security breach. Ensure that individuals and organizations know how to respond effectively.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Refrain from downloading apps from unofficial sources or third-party app stores. These sources are less regulated and more prone to hosting malicious apps.
- Patch and upgrade all platforms and software in a timely manner and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
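To make the "search for IOCs in your environment" step concrete, the following added example (not part of the original advisory) loads the indicators published above and checks them against constructed DNS/proxy log lines and file hashes. The log lines, host names and internal IP addresses in SAMPLE_LOG are made up for the demonstration; the regex-based token extraction and the subdomain/URL normalisation are this example's own assumptions about log formats.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators exactly as published in the advisory above (hashes lower-case).
IOC_DOMAINS = {"arcthost.org", "arc-download.com", "zestyahhdog.com"}
IOC_IPS = {"79.137.192.4"}
IOC_URLS = {"http://79.137.192.4/p2p"}
IOC_HASHES = {"02a0407bea1bea006c35c0aa178a573b",  # MD5
              "707dfef59b96cdc6df074b4d913d2fd39540924e",  # SHA-1
              "c1693ee747e31541919f84dfa89e36ca5b74074044b181656d95d7f40af34a05"}  # SHA-256

# Constructed DNS/proxy log lines for demonstration; not real telemetry.
SAMPLE_LOG = [
    "2024-07-01T10:02:11Z dns host=mac-12 qname=cdn.arc-download.com",
    "2024-07-01T10:02:13Z proxy src=10.0.0.21 url=http://79.137.192.4/p2p status=200",
    "2024-07-01T10:05:40Z proxy src=10.0.0.22 url=https://www.apple.com/macos/ status=200",
]

# URLs first, then bare host names, then dotted-quad IPs, so a host inside a URL is reported once.
TOKEN_RE = re.compile(r"https?://\S+|[\w.-]+\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}", re.I)

def domain_matches(host):
    """True for a listed domain or any subdomain of it; case and trailing dot are ignored."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def url_matches(url):
    """True if the host is a listed domain/IP, or scheme+host+path equals a listed URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if host in IOC_IPS or domain_matches(host):
        return True
    return f"{parts.scheme}://{host}{parts.path}" in IOC_URLS

def scan_log_lines(lines):
    """Return (line_number, matched_token) for every line that references an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line):
            if tok.lower().startswith("http"):
                if url_matches(tok):
                    hits.append((n, tok))
            elif tok in IOC_IPS or domain_matches(tok):
                hits.append((n, tok))
    return hits

def file_matches(data):
    """Hash file bytes with MD5, SHA-1 and SHA-256 and compare against the published hashes."""
    digests = {hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}
    return bool(digests & IOC_HASHES)
```

Matching on subdomains and on the host of a URL catches variants of the published indicators that an exact string comparison would miss, while an exact URL check still covers the published payload path.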