Red Hot Cyber

Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Search

Cybercriminals exploit ARC popularity to spread Poseidon Malware : Mac users are the target!

Raffaela Crisci : 1 July 2024 16:37

In teh last months Mac users have been targeted by a new wave of cyberattack trough malvertising campaigns. The last threat, called “Poseidon” by their creators, has been revealed this 24th June and exploits Google ADV to spread the infostealer. A recent MalwareBytes Lab’s report described this campaign as teh second attempt to use Arc browser as bait thanks to its growing popularity.

MALWARE DETAILS

Poseidon is a MacOS malware in active development, designed to compete with Atomic Stealer (AMOS). This specific infostealer shares a good number of AMOS’s functionality like exfiltration methods, crypto wallet and password stealing from softwares like Bitwarden and KeePassXC. Initialilly identified as OSX.RodStealer by MalwareBytes has been renamed by its author Rodrigo4 and improvd with new capabilities like VPN configurations exfiltration.

Rodrigo4 creates a malware’s service which include a control panel with statistics and costum builder that permits to costumize icons, malware name and AppleScript. Poseidon offers a good range of advanced functionality that makes it a significative threat. In cybercrime forums Poseidon is described as a direct competitor of Atomic Stealer.

Sei un Esperto di Formazione?
Entra anche tu nel Partner program!
Accedi alla sezione riservata ai Creator sulla nostra Academy e scopri i vantaggi riservati ai membri del Partner program.
Per ulteriori informazioni, scrivici ad [email protected] oppure su Whatsapp al 379 163 8765 

Supporta RHC attraverso:


Ti piacciono gli articoli di Red Hot Cyber? Non aspettare oltre, iscriviti alla newsletter settimanale per non perdere nessun articolo

The malvertising campaign that spread the infostealer is made through Google ADV in order to redirect users to fake download sites (like arc-download[.]com). This websites mimic official Arc website.

The users, fooled by legitimate appearance, download a malicious DMG that circumnavigate MacOS security measure requesting a single right-click to install rather than the traditional double-left click. Once installed, Poseidon start to capture and send sensitive data to a remote server, a known IP address is 79.137.192.4. This address host the control panel where exfiltrated data can be managed and used by criminals.

SECURITY OBSERVATIONS

Poseidon breakthrough, subsequent to a similar campaign affecting a fake version of Arc for Windows OS, highlights a growing expertise by digital threats. This malware is well designed to steal as much data as possible and every Mac user should consider this as serious threat.

Recent developments showed that Poseidon is not the last threat for Apple ecosystem, a growing interest has been made by LockBit RaaS on Apple architectures, like M1 and M2. Professionals are worried about MacOS endpoints safety even if analyzed samples proved that threat are in development phase. MacOS malware are still incomplete (eg:/ Apple signing missing, basilar strings encryption) but this variants would permit to APT like LockBit to maintain their criminal market share highly competitive.

The current scenario shows how threats are diversifying their objectives, emphasizing crucial attention to adopt appropiate safety measures and be aware on every OS or device we are using.

CONCLUSIONS

This malware and its campaign demonstrates how cyber-criminals are exploiting new software’s popularity to spread their attacks on a wider range of users. Despite Google efforts on protect their ADV platform from malicious use, lawbreakers keep orchestrating fake websites successfully. MalwareBytes strongly suggests to use adblockers, advanced web protections and continously cautiousness when downloading new applications.

IOCs

186.2.171.60
agov-ch[.]com
agov-access[.]net
agov-access[.]com
register-agov[.]com
agov-ch[.]net
bb8911f632a4547802a8dbb40268e1bd
  • 186.2.171.60
  • agov-ch[.]com
  • agov-access[.]net
  • agov-access[.]com
  • register-agov[.]com
  • agov-ch[.]net
  • MD5 : bb8911f632a4547802a8dbb40268e1bd

Raffaela Crisci
Member of the Dark Lab group. Computer Engineer graduated with honors from the University of Sannio, with specialization in Cyber Security. Expert in Cyber Threat Intelligence with experience in a leading multinational company. Strong discipline and organizational skills developed through sports